Gaming Server tryhackme
difficulty = easy
os = linux
Hi guys,
let’s pwn another box named “gamingserver”.
As we all know, enumeration is the key,
so let’s start our enumeration with a port scan using nmap.
Nmap scan
We’re done with our scanning.
As you can see, there are lots of open ports.
Let’s start enumerating the open ports with port 80 (http).
Visiting the homepage and viewing the source code revealed a username, “john” (note it down).
So, let’s proceed to directory brute-forcing using my fav tool, ffuf (Fuzz Faster U Fool).
Wow, we got a few directories, of which “secret” and “upload” seem to be the sus ones (hacker mindset yunno lol).
Navigating to the upload directory shows a password list and a manifesto file.
Now, let’s download the files to our attackbox using wget.
Then let’s navigate to the next directory, which is secret.
As you can see, there is an ssh key in the directory; copy the key to your attackbox.
Let’s ssh into the box using the username found earlier, “john”, together with the ssh key:
ssh -i ssh_key john@10.10.127.240
It asks for a passphrase, which we don’t have; this shows the ssh key is encrypted.
Let’s convert the key into a hash that john can crack, using ssh2john,
then crack the passphrase using john and the password list found earlier in the upload directory, “dict.lst”.
As you can see, we’ve gotten the passphrase for the ssh key.
Let’s log in again; entering the passphrase gives us an initial foothold on the box.
So, let’s cat the user flag, Hackerman :)
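From the defender's side, the finding above is a private key served from the web root, protected only by a passphrase from a wordlist stored next to it. The following is an added example, not part of the original write-up: it walks a web root and reports every private key it finds and whether it is passphrase-protected. The function names are hypothetical and the sample keys are constructed headers with no real key material.

```python
import base64
import os
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed samples: headers only, no real key material.
SAMPLE_LEGACY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

def sample_openssh(cipher: bytes) -> bytes:
    blob = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

def key_protection(data: bytes):
    """Return None (no key), 'encrypted', 'plaintext' or 'malformed'."""
    m = PEM_RE.search(data)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    # Legacy PEM marks encryption in a header; PKCS#8 marks it in the label.
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"
    if label == b"OPENSSH PRIVATE KEY":
        # New OpenSSH format: magic, then a length-prefixed cipher name.
        try:
            blob = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "malformed"
        if not blob.startswith(OPENSSH_MAGIC):
            return "malformed"
        off = len(OPENSSH_MAGIC)
        n = int.from_bytes(blob[off:off + 4], "big")
        return "plaintext" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    return "plaintext"

def scan_webroot(root: str):
    """List (relative path, protection) for every private key under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state = key_protection(fh.read(65536))
            if state:
                findings.append((os.path.relpath(path, root), state))
    return sorted(findings)
```

Any hit from `scan_webroot` is a finding regardless of the reported state: an encrypted key can still be cracked offline, as the passphrase from dict.lst was here.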
Privilege escalation
Upload LES (Linux Exploit Suggester) to the box.
The LES output shows that our target is vulnerable to CVE-2021-3156, the sudo “Baron Samedit” bug.
Run the exploit and pop a root shell.
And we are done!!
Till next time, bye hackerman