In this walkthrough, we will explore the compromise of the "Team" machine from TryHackMe. This lab is a masterclass in the Unified Kill Chain (UKC), demonstrating how a simple web vulnerability can lead to a full host takeover through credential leaks, lateral movement, and container abuse.

The Executive Summary

The attack surface of the target was initially limited, but a Local File Inclusion (LFI) vulnerability provided the "skeleton key" needed to peek behind the curtain. By chaining together a configuration leak, a bash script injection, and a privileged container escape, we successfully achieved root-level access.

Phase 1: Reconnaissance & The First Crack

The engagement began with standard network enumeration. An Nmap scan revealed Port 80 (HTTP), Port 21 (FTP), and Port 22 (SSH) were open. While the main site appeared static, subdomain fuzzing identified a development environment at dev.team.thm.

Upon inspecting this development subdomain, a PHP script was found: script.php?page=. Testing this parameter confirmed a Local File Inclusion (LFI) vulnerability. While sensitive files like /etc/shadow were inaccessible, the vulnerability allowed us to audit service configurations that the developers thought were hidden.

Phase 2: Exploitation (The SSH Key Leak)

While many security researchers stop at /etc/passwd, the real gold is often in service-specific configurations. By leveraging the LFI to read /etc/ssh/sshd_config, I discovered a critical administrative error.

A developer had left a backup of the user dale's private SSH key (id_rsa) directly inside the configuration file as a comment.

The Technical Move:

  1. Extracted the RSA block from the configuration text.
  2. Saved it locally as id_rsa and secured it with chmod 600.
  3. Authenticated via SSH: ssh -i id_rsa dale@team.thm.

Result: Initial foothold established. Flag user.txt retrieved.

Phase 3: Lateral Movement (Escaping Dale)

Internal enumeration is the heart of privilege escalation. Running sudo -l as Dale revealed a unique permission: he could execute a specific script as the user gyles without a password.

The script, located at /home/gyles/admin_checks, was designed to take user input for logging purposes. However, it contained a classic Command Injection flaw:

Bash

read -p "Enter 'date' to timestamp the file: " error
$error 2>/dev/null

The script assigned user input to the $error variable and then executed that variable as a command. By simply entering /bin/bash when prompted, the script spawned a shell under the context of the user gyles.

Phase 4: Privilege Escalation (The LXD "Nuclear Option")

Once active as Gyles, the final path to Root became clear. Gyles was a member of the lxd group. In the world of Linux security, LXD group membership is often considered a "feature-turned-vulnerability" that allows for a total host escape.

LXD is a container manager. Because it requires high-level system access to manage images and storage, any user in the lxd group can create a privileged container and mount the entire physical host drive into that container.

The Final Execution:

  • Initialize LXD: Set up the storage backend using lxd init (accepting defaults).
  • Import Image: Transferred a lightweight Alpine Linux image to the target.
  • The Exploit: Created a privileged container and mapped the host's root directory (/) to /mnt/root inside the container.
  • Command: lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
  • The Shell: Started the container and executed a shell: lxc exec ignite /bin/sh.

Phase 5: Action on Objectives

Inside the container, I was technically root, but I was isolated from the host. However, because the host's drive was mounted at /mnt/root, the isolation was an illusion.

By navigating to /mnt/root/root/, I bypassed all host-level permissions and successfully read the final flag: THM{fhqbznavfonq}.

Lessons for Administrators

This compromise highlights four critical security failures that are common in enterprise environments:

  • Secrets in Configs: Service configuration files are for settings, not credential storage. Comments are not a secure way to "hide" data.
  • Unsafe Input Handling: Bash scripts that execute user-provided variables are inherently dangerous. Always use absolute paths and sanitize inputs.
  • Over-Privileged Groups: Group memberships like lxd, docker, and disk provide a direct path to root. These should be audited with the same scrutiny as the Sudoers file.
  • LFI Mitigation: Modern web applications should use a whitelist approach for file inclusion or move away from dynamic file pathing entirely.

MITRE ATT&CK Matrix

  • Initial Access: Valid Accounts (T1078.001) — Leaked SSH Key in configuration.
  • Execution: Command and Scripting Interpreter (T1059.004) — Bash script injection.
  • Persistence: External Remote Services (T1133) — SSH access via stolen key.
  • Privilege Escalation: Abuse Elevation Control Mechanism (T1548.003) — Sudo and LXD group abuse.
  • Exfiltration: Exfiltration Over C2 Channel (T1041) — Retrieving flags via established shell.

Unified Kill Chain (UKC) Summary

  1. Reconnaissance: Identified dev.team.thm and the LFI vulnerability.
  2. Weaponization: Identified the SSH key leak in sshd_config.
  3. Delivery: Utilized SSH to deliver a shell session using the leaked key.
  4. Exploitation: Leveraged command injection in the admin_checks script.
  5. Installation: Established persistent access as user gyles.
  6. Lateral Movement: Pivoted from user dale to gyles.
  7. Privilege Escalation: Utilized LXD container escape to gain host-root access.
  8. Action on Objectives: Successfully retrieved user.txt and root.txt.

END OF REPORT