THM - Game Zone

OK so we're supposed to hack a machine to get a better understanding of SQLMap, password cracking, service reveals using a reverse SSH tunnel and then we get to escalate our privileges to root. I was hoping this was a windows machine but looks like it's a linux box. Let's get started.

We'll start with our usual nmap, which shows we have SSH open on port 22 and also a non-secure web service on port 80.

Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 12:39 EDT
Nmap scan report for 10.10.36.248
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61ea89f1d4a7dca550f76d89c3af0b03 (RSA)
|   256 b37d72461ed341b66a911516c94aa5fa (ECDSA)
|_  256 536709dcfffb3a3efbfecfd86d4127ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Going to the website we see a gaming site. I know from playing this game that the character shown is from the game hitman... and I also happen to know his name but you can take this image and do a reverse image search to get it too.

If we attempt to login with invalid credentials, we get an error at the top of the screen that says 'incorrect login'.

If we use burpsuite we can see the username and password being sent as variables

We're going to use admin for our username and then use ' or 1=1 -- - for our password. We can now see the URL encoded variables being used. This is a SQL query that uses the first quote to end the SQL query and add an OR operator that basically says " If the username equals admin or 1=1 then the query returns true and lets us in.

For this box, there is no admin username so it's going to fail. We'll simply just use the ' or 1=1 -- - for the username instead. Doing this lets us in.

Let's turn burpsuite back on and take a look at a query from this page.

We're going to save this query to a request.txt text file and use it as part of of SQLMap dump. We'll do this dump like this:

sqlmap -r request.txt --dbms=mysql --dump

Once you're done the dump, you'll see all the tables, as well as all the data in those tables. In fact, now we have the hash for the user of this database with their username. We'll save that to hash.txt

Next we're cracking that password with john the ripper. We can get the type of hash we're working with by using an app called hashid - here we see it's Raw-SHA256.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256

John quickly finds the password and let's us SSH into this server with those credentials and we get the user flag from the root.

OK, so now we're going to play with reverse SSH tunnels. This sounds fun, I've never done this before but here's a quick write up from THM about it:

Okay so on the SSH session we have open we'll see how many open sockets we have using

ss -tulpn

We see port 10000 there but it's blocked by a firewall. To bypass we're going to do the reverse ssh tunnel to get access:

ssh -L 10000:localhost:10000 <username>@<ip>

We can now visit localhost:10000 and access the web server using the same ssh credentials.

We can now open metasploit and search for an exploit to use:

msfconsole
search webmin 1.58

This gave me two options. I've decided to use the unix/webapp/webmin_show_cgi_exec exploit. We use the options command to see the options it wants filled out and then input ours. You may also have to set a payload, I chose payload/cmd/unix/reverse. No matter what I did, I kept getting authentication errors... I even tried running it through a burp proxy like someone else suggested.

What I ended up having to do is changing the RHOSTS to localhost and turn SSL off.

We can see we're now root and can capture that final flag.