GamingServer Tryhackme Writeup

Thatquietkid
3 min readFeb 10, 2021

Link to this room:https://tryhackme.com/room/gamingserver

As usual i started with nmap scan and found two ports open.

Command : nmap -A -T4 machineIP

  1. ssh
  2. http

I went to the web page .

I started gobuster for finding directories .

Command : gobuster dir -u HTTP://machineIP/ -w /fullpathtowordlist/ -x PHP,txt.

I found uploads directory and on visiting it , I found 3 files.

dict.1st was a file which had a lot of passwords and I found maybe we have to bruteforce using this( i was wrong).

Now , i thought let’s see the source code and from there i found a username (john).

Now , i remember there was a directory called secret from gobuster results.

and it had a secretkey( ssh private key)

But , it was asking for a passphrase . Now, let’s convert it to a language that john the ripper understands before bruteforcing.

Command: python2 ssh2john.py > for.txt

and now let’s do the bruteforcing.

Command: john for.txt — wordlist=rockyou.txt

I found the passphrase.

Let’s ssh to this machine now(remember to change permissions of ssh private key {chmod 600}).

Command: ssh -i id_rsa john@machineip

Now , we got our user.txt and now we have to do privilege escalation to get root flag.

We can see that for privilege escalation , we have to exploit lxd.

Link to the article regarding privilege escalation using lxd:https://www.hackingarticles.in/lxd-privilege-escalation/

But, i was still getting an error ( something like /usr/share/…../MIRRORS.txt : no such file or directory).

Solution: you have to add MIRRORS.txt file( see the screenshot )

Link to the github issue:https://github.com/saghul/lxd-alpine-builder/issues/1

Link to that mirrors.txt: http://dl-cdn.alpinelinux.org/alpine/MIRRORS.txt

If after adding that MIRRORS.txt file , you still get an error . Try running it several times.

Now , just follow the steps in that article and you will be root and the root flag was not in root directory. So, i used find command for this.

Command: find / -type f -name root.txt

Now , we have found both the flags and i have also added how to fix that mirror issue.Thanks for reading my writeup and have a nice day.

--

--