TryHackMe - Game Zone

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!

Intro

A room in TryHackMe’s OSCP path. Make sure to check out TryHackMe!


Game Zone Writeup

[Task 1] Deploy the vulnerable machine

Deploy the machine. Open the IP address in your web browser to see the Game Zone forum. The picture in the background is Agent 47, from the Hitman series. If you didn’t know that off the top of your head, you could try reverse image searching the picture.

Question: What is the name of the large cartoon avatar holding a sniper on the forum?

Answer: Agent 47

[Task 2] Gain Access

For this task, you need to exploit the login field by using SQLi, or SQL injection. Input ' or 1=1 -- - as the username, and leave the password blank to bypass the login field. You’ll get navigated to portal.php.

Question: When you’ve logged in, what page do you get redirected to?

Answer: portal.php
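To show why the bypass in this task works and what the fix looks like, here is an added example that is not code from the room or from the Game Zone app (which is PHP): a sqlite3 stand-in with a constructed users table, comparing a login query built by string concatenation to the same query with bound parameters. The table, the sample row and its values are constructed for the demo and are not the box's real credentials.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the Game Zone users table (not the real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample row; a real app would store a salted hash, not plaintext.
    con.execute("INSERT INTO users VALUES ('agent47', 'not-the-real-password')")
    return con


def login_vulnerable(con, username, password):
    # Bad: user input is pasted straight into the SQL text. A single quote in the
    # username closes the string literal and everything after it becomes live SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(con, username, password):
    # Good: the query text is fixed and the values travel separately as parameters,
    # so a quote (or a "--" comment marker) in the input is just data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    payload = "' or 1=1 -- -"  # the bypass string used in Task 2
    # In the vulnerable query the WHERE clause collapses to
    #   username = '' or 1=1   (the rest is commented out by "-- -")
    # which is true for every row, so the first user is "logged in".
    return {
        "vulnerable": login_vulnerable(con, payload, ""),
        "hardened": login_hardened(con, payload, ""),
        "hardened_valid": login_hardened(con, "agent47", "not-the-real-password"),
    }


if __name__ == "__main__":
    print(demo())
```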

[Task 3] Using SQLMap

Now, we will use SQLMap to exfiltrate data from the Game Zone portal. The room suggests using Burp Suite, but it can be faster to skip that tool.

We want SQLMap to test portal.php for SQL injection, but to access that page you need to be logged in. Since you are already logged in, grab your PHPSESSID cookie (from your browser’s developer tools or document.cookie).

Now that we know the cookie, we need to know what field to try SQL injection on. Open the source of the page, and you’ll see <input type="text" id="searchitem" name="searchitem">. This means that there is a form field named searchitem which can be tested for SQLi.

Run the command sqlmap -u "http://<IP>/portal.php" --cookie="PHPSESSID=<COOKIE>" --data="searchitem=" --dump to scan portal.php for SQLi on the searchitem field, using your cookie. It’ll also attempt to dump the whole database to a file. When it asks whether you want to crack the password hashes, answer yes and point it at a password wordlist (like rockyou.txt).

Let it run, and when it’s done, you’ll have a dump of the database and the login for a user! Check out the directory where SQLMap wrote all of its output. It should be at ~/.sqlmap/output/<IP>. If you check the log file there, you’ll find the other table name.


Question: In the users table, what is the hashed password?

Answer: ab5db915fc9...

Question: What was the username associated with the hashed password?

Answer: agent47

Question: What was the other table name?

Answer: post

[Task 4] Cracking a password with JohnTheRipper

Well, if you did what I did in the last task, you don’t need to use JohnTheRipper. You already know the password, so use it to SSH into the box and read the user flag.

Question: What is the de-hashed password?

Answer: video...

Question: What is the user flag?

Answer: 649ac1...

[Task 5] Exposing services with reverse SSH tunnels

Run ss -tulpn to see all of the listening sockets, and you’ll see there are 5 TCP sockets. One of them is listening on port 10000, and we can check what it is using curl. Run curl localhost:10000 on the gamezone box, and you’ll see it’s a website! However, navigating to <IP>:10000 in your browser doesn’t work, which means that port isn’t reachable from outside the box.

We can get around this with an SSH tunnel. Run the command ssh -L 10000:localhost:10000 agent47@<gamezone_ip> on your box. The -L option forwards port 10000 on your machine, through the SSH session, to port 10000 on the Game Zone box. Now, if you open localhost:10000 in your browser, a login field should appear! It asks for a username and password, so plug in the login details you already know.

Question: How many TCP sockets are running?

Answer: 5

Question: What is the name of the exposed CMS?

Answer: Webmin

Question: What is the CMS version?

Answer: 1.580

[Task 6] Privilege Escalation with Metasploit

Rather than using Metasploit directly, let’s see if we can use it to figure out how to exploit the box. Running msfconsole and then search webmin brings up many exploits. exploits/unix/webapp/webmin_show_cgi_exec seemed interesting to me, so I searched for it and found the module on GitHub.

Looking through the code, I see a reference to /file/show.cgi/, with a file path placed right after it. It seems to be a script that will read out the contents of any file, so let’s use it to get the flag. Navigating to localhost:10000/file/show.cgi/root/root.txt prints out the flag, all without using Metasploit.

Question: What is the root flag?

Answer: a4b9458...
