TryHackMe! Room: GamingServer CTF - walkthrough

Video Statistics and Information

Captions
it's another day another room another TryHackMe room we're gonna do the room called gaming server so this is an easy boot to root box for beginners and i'm gonna take you through this box so i already started up the room i just had a few things to do while i was booting up so now it's ready can we get access to this gaming server built by amateurs with no experience of web development and taking advantage of the development service so yes i think we can do that so let's just open that in the wow i wasn't expecting something like this this reminds me of webpages in the in the early you know like 90s you know i mean late 90s early 2000s when you know this type of graphic you know like whoa it's it's sort of style anyways let's go ahead and start up an nmap again let me do this to root map that ip scan for versions and standard script today and we're gonna just do a standard and we're also gonna do a gobuster scan since now we saw that we had a webpage so i'm going to go ahead and do that whoop so /usr/share/wordlists/dirb i'm going to do common today because why not alright so while this is running so we got back the ssh no particular expert for this version um yeah and we got the uh port 80 it's apache server and it's how soft dynamic yeah it is true that is the nothing crazy to see here i'm i'm thinking this is not too interesting but what i see here is stuff like robots.txt and secrets and uploads that that's three interesting you know path to look so robots i cannot spell robots thank you so we kind of want us to allow uploads so let's go ahead and visit uploads for some particular reason and we got a picture [Laughter] great we have a manifesto it's the hacker manifesto um it's quite cool you know um read it if you wish to i don't think this is just you know for fun then we have a dictionary and it's just a lot of passwords basically but what i'm gonna do is just wget it down so now we have it so we also need to look at the secret so let's go
ahead to secret and we have a secret key of course we have a secret private key i'm just gonna copy paste it all within something one day like copy pasting from source is better than completing the actual interpreted site so let's go ahead and to have any keys here in this i do so let's do let's just um move it and then nano into let's touch id_rsa and then sudo nano id_rsa and yes that's the private key at least it looks like it is encrypted in some way so it wouldn't really be useful for us right now and the reason i know that is did i just close that sorry it's because of the line here and says encrypt so yeah so we're gonna do is um ssh2john i think we have it here and then we're gonna do did i delete that crack me please i did not p text and also there we go so we're going to run ssh2john i wrote jogen so it's not gonna work and basically it's gonna convert this um into a format that John the Ripper can understand so basically mgs can do that ssh2john needs to be located so let's go ahead and this is the path let's say to john so you run by python3 id_rsa i'm gonna do crack me please and there you go so it was python two so we should have now is a file called crack crack me plea please yeah and with that we can run it through John the Ripper so john crack me please and you know i had it there already so we're gonna use rockyou but no i think i'm gonna use is the dict that'll be downloaded from the webpage because i have a tent i have a great idea that that is what they wanted to do so let's just do it the stat um yeah yeah yeah it's an autocompleted old one so let me just keep it yeah so what i'm going to run again i had a an e you know in the end before didn't really work it's let me in and and base we can also do --show i think this is the command no um how is it --show no anyways doesn't really matter it is right here it's let me in let's just go and copy that yes let me in so now that we have the private key we can go ahead and we can
go ahead and um ssh -i i'm not sure this will work just try um [Music] yes let me in let me in no i need to um so where was it again the crack me please i think we still need to use a name did we get that somewhere i totally forgot that i guess let's just see okay manifesto why could that username be hidden you know that is a very interesting question all right let's go back to the web page holy moly links archives not found read more not look at the source all right so something here john please add some actual content to the site so we have a possible username john should've done that before but i'm too eager so ssh john let me in let me in now let me in what am i doing wrong hmm [Music] i forget that a lot you know changing the the mod for the rise for the file you know i should really really not forget that you know i had this is what i anyways doesn't really matter so we in uh so let's cat out the the user.txt we get the flag let's copy that basically put it in now we get to get root flag and that's going to be very interesting just to shoot at that shell to see what we have let me let me in let me in what i'm not able to type that password or what i am not able to type john's password that is very interesting no idea what i'm doing wrong to be honest let's go into id yeah let's go to do you want to see what's inside home then we have john i can't access root it is denied so let's see what's inside of john just sometimes if the user and what is that sometimes this file here is containing interesting stuff it's commands and passwords but /dev/null is a place of the return of of nothing you know it's just dead space so let's go to ssh just to verify yeah we have the the key and everything so now we need to get um root so what i suggest is we do our standard linpeas i'm not sure what we're going to do right now so i guess we just need the linpeas where are they linpeas there we go so we're going to go ahead and set up python server port 9000 and
i'm going to wget http dash less less 110.201 slash linpeas.sh linpeas is of um uh yeah port 9000 forgot about that you go linpeas is a script that [Music] can scan this machine and basically what you're gonna what you're gonna analyze is all the path and files and what what not inside the script to try and find a way to privilege escalate and if you see something like this yellow and red as text i mean orange background it is a 95 percent sure privilege escalation if it's red we take a look at it and but i basically in these easy rooms i'm going to stick to this for now but i'm definitely going to pay attention to red too already um [Music] we got something here i'm not sure what that is but let's um [Music] yeah we are a member of it seems like a sudo group or something no 27 i'm really sure what that is so i'm gonna take that as a note there go back and just scroll down sudo version so there is something about privilege escalation here on the sudo version so i'm gonna take that all right then and let's see writable path abuse yeah if we had a binary we could execute something or we had some way of executing some sort of binary we could probably um we also have kernel exploits but many things here so okay let's have a look old oh password this doesn't really matter yeah i've got the password it's true [Music] it is a virtual machine of course it's a virtual machine you want to TryHackMe all this doesn't really matter cron jobs so we do have some cron jobs we could you know i'm not really sure that's the thing today can i run this again if if we got something here it's not that red wow sock is listening well i would expect this to be a gaming machine since this is a room it's called gaming something so um okay we have it again so i i'm gonna definitely take a copy of this and take a look at it so this is probably the way that we're gonna find our way to pr privilege escalate yeah we cannot i don't think we have the password so again sudo
jumps up as something so maybe there's something with sudo ah usual software php yeah we could try and do look for files that are like set for this SUID um but definitely i'm gonna do after this um [Music] yeah we have john's private key and we already had that so yeah and we have some ssh yeah it doesn't really okay uh yeah in the realistic scenario you will probably look at many things here but honestly okay dirty sockets so we do have some privilege escalation here and i'm gonna have many many different ways to prevent this machine so basically um [Music] you have one more and i think i'm gonna stick to what i have because we have a lot of things to find i really think the intentional way of this machine is to this sudo whatever what else was it this ldx this was also highlighted not sure what that is anyways oh mama yeah wow i think we're getting to the end of this now yeah we are so what i'm really gonna do now is go ahead and say linux find SUID files don't i have that in my cheat by the way i should have that it's opened and i do not well okay i think it was this article i used this is gonna load and this is the command that i'm gonna use today can i please copy paste well you can also just jump to the top of the site that's a very good thing yeah yeah let's go ahead and save that you know and go back and to a shell and just execute that and see we have different things you have sudo yeah so i definitely know that some of them is possible so GTFOBins there's the add one i think that is also possible to exploit i we can try maybe just try that you know it's just you know it doesn't hurt to try things and we're still john so let's open bash yeah and what else do we have it's um [Music] yeah we can we can do this and say command so bin bash and then do this and we still john so it doesn't seem to be and i'm pretty sure we cannot use that either yeah it's original john so that is not one of those we could use let's go ahead and run it again we also had
sudo was that a part of it i think that was about checking the different files with the SUID flag set so we can try and escalate our privileges i really like this room actually it's there's probably an easier way but i'm just doing into just i don't want to do stuff you know why not sudo su yeah i don't think so i don't think so yeah let me in i don't know the password for john anyways oh no um yeah few ping decrypts what is lxc again this must be something lxc that wasn't the thing that i found lxd [Music] let's go ahead to HackTricks we have this sudo version and we can try we can try this script here and basically why is that could you please damn it so basically this is a way for me to ask for root shell and old style way so the user of -1 position is by default the root so yeah so that's not really yeah not gonna work anyways i don't think we have access to sudo anyway so yeah let's go ahead and just say this wasn't really the thing so then we have something with privilege escalation users so basically this is another way of just slowly trying things one by one and and basically yeah see what happens you know it doesn't doesn't hurt to try you know so i think yeah yeah well i'm not really to have this CVE here so we could go to google and [Music] what is this the dirty socket privilege escalation so we have this script it would seem i wouldn't mind trying this so the way we're gonna use it is saying [Music] yeah i don't think this is i i really don't think this is this is our our key so i think i'm going to delete all this and go back to this lxd thing just put it into google linux containers very interesting i have no idea what that is to be honest it's just one of those things [Music] okay so getting started i'm pretty sure that if i do the id here we can see that i'm in that group i'm in this let's just do it again so we have one liner i'm in that group and it was highlighted as a higher privileged one if not mistaken i wouldn't mean we could probably
use it but need to find this if i have anything lxd oh man [Music] this is the thing next not really sure lxd is this a thing mr yeah yeah what what is this it likes to whoa have anything here interests um yeah i wouldn't necessarily say middle of sense at the moment you have some init.d what is that it's definitely a thing lxc lxd what is this so um lxc gaming [Music] gaming is a lxc container wow let's do the link here see what we get i'm pretty sure this is what we're gonna do but i'm not really sure if i sort of hint because i'm not a hundred percent sure about this lxd let's just for the sake of it run linpeas one more time i want to see did i miss did i miss something um my what um what did i download it to um okay 10 11 0201 colon 9000 slash linpeas.sh s s h i said can write permission denied so we're going to john and do that command again chmod 777 so we can execute and everything let's just see this again yeah so we have this we didn't get any any information about this particular thing lxd there's something about it i wouldn't need that lxd this is one of the cases where you're just going to spend a lot of time you know just looking for stuff you know what is this lxd lxc yeah i'm not really not really sure that all this is anything to do with anything so yeah what i'm gonna do is um i'm gonna go ahead and research more so what i'm gonna do now is basically say um couldn't just go to lxdx do we have something oh we have something with lxd alex some container stuff i need to install something okay yeah we have this we have that so let's see it's a command let's just okay so lxd definitely wasn't lxc it's a thing all right i see it's a thing hmm okay ready i can do this ah not found okay ah privilege escalation what is this um well i don't need to download stuff does it perform download the alpine i have no idea what this is now i'm just gonna try something now start i'm gonna try stuff okay oh i see so we can use we can use it to execute is this the
actual triac write-up i ended up on uh let me just see the top because it looks no it's not Hacking Articles i'm just trying to try okay okay let's just do what it says basically so privilege escalation would be downloadability through the git repo do i have access to git in this machine i do interesting so let's give it a second or two to complete this looks very interesting so we're gonna do cloning probably not the fastest machine so it's gonna take a while let's just have a look at this how big is it can i see the alpine linux image creator i would end up with the weirdest pages on the internet what no no so what i need to do here is ls build alpine oh they want me to i see i see so yeah let's not do that let's go ahead to my other machine and say this is what i'm going to do here yeah it's a lot faster so let's go ahead and enter the library and build alpine sudo yeah so i have the so next it's going to be all right then i'm gonna start my python server one to fetch is the file called something like it's later version than the one they have but i guess any of these not really sure let's does it tell me i'm just gonna you know what i'm gonna take the newest one i don't really care and let's go ahead to this machine here and say wget http this is by far actually a very interesting room sometimes they are a bit more requiring of you than easy rooms might be but yeah i don't know i need to go into temp let's run that command i guess error opening of course because that is not the correct file so i'm gonna we help fine all right then and then let's list it i guess okay so it's this stuff we saw so let's run this command let's continue executing the other commands so it's creating ignite and the second command yeah it looks fine so we're gonna start ignite we have no idea what we're doing um yeah yeah we need the typically me and this id root fantastic so we booted the box all right then um oh i wanted to [Music] do that i'm going to navigate to oh navigate to i'm
going to navigate to that what that's a this is a thing so cd /mnt ah root root root.txt we have it it's very interesting i would say definitely an interesting room interesting easy room i would like to say so let's just exit everything and close down and you know so yeah very interesting you know software we didn't know exploring stuff we do not know we just need to go with what we find and basically this was a thing so i would say this is probably more like a medium room in all honesty but yeah i loved it it's fine so please subscribe like the video leave a comment below take care [Music]
Info
Channel: Security in mind
Views: 98
Keywords: tryhackme gaming server, gamingserver ctf, tryhackme gaming server walkthrough, gaming server tryhackme, linkedin e learning, udemy wordpress, codecademy, udacity, sans institute, linkedin learning
Id: kSug7VTX5Jg
Length: 38min 29sec (2309 seconds)
Published: Fri Jan 21 2022