Gaming Server CTF (THM)

Gaming server

————————————————————————————————————————————————————————————————————————————————————————

————————————————————————————————————————————————————————————————————————————————————————

SCANNING and ENUMERATION

————————————————————————————————————————————————————————————————————————————————————————

NMAP SCAN

————————————————————————————————————————————————————————————————————————————————————————

Image

I found a http server running on port 80

And a ssh server running on port 22

————————————————————————————————————————————————————————————————————————————————————————

Gobuster Directory SCan

Image

I found a ‘’ secret ‘’ directory and a ‘’uploads’’ directory.

————————————————————————————————————————————————————————————————————————————————————————

Enumerating the Website

————————————————————————————————————————————————————————————————————————————————————————

Image

————————————————————————————————————————————————————————————————————————————————————————

I found a directory list with some common password and downloaded it.

Image

————————————————————————————————————————————————————————————————————————————————————————

I found a private key for the user ‘’John’’ that we found in the source code of the website.

Image

————————————————————————————————————————————————————————————————————————————————————————

————————————————————————————————————————————————————————————————————————————————————————

Logging in to shh

————————————————————————————————————————————————————————————————————————————————————————

The private key required a password which I found using ‘’John the Ripper’’.

Image

————————————————————————————————————————————————————————————————————————————————————————

————————————————————————————————————————————————————————————————————————————————————————

Once I got into the machine, I did the typical priv esc enumeration, but didn't find much until I ran ID, and saw we were in the lxd group

Image

From this article I found the following method for creating an alpine linux container and mounting it into the root directory.

I’ll used alpine to create a container

Image

First i downloaded alpine to my box

Next i created the container

After the command finished running it has created an alpine image in a compressed gunzip file

Next i uploaded the image to the server

Image
Image

Next i ran the image.

Image
Image

Finally we got the root flag.

Was this helpful?