GameZone- TryHackMe Room Writeup

TryHackMeAdvanced Exploitation
Written By FightTheWest
 
mario_vs__agent_47_by_sebastianvonbuchwald_dd0yrgw-fullview.jpg
 

The link for this lab is located here: https://tryhackme.com/room/gamezone

In this room, we will cover SQLi and how to exploit it both manually and via using SQLMap, cracking hashes, using SSH tunnels and Metasploit.

hitman_absolution_by_patrickbrown_d4ngayu-fullview.jpg

Full Walkthrough

First step is to run a simple port scan across all ports to identify anything that is open.

This scan shows us that two ports are open - port 22 for SSH and port 80 for HTTP. This indicates that the website is most likely the way in to the machine initially.

Running a more detailed service scan reveals some more interesting information.

This information includes an OpenSSH version of 7.2p2 running on Ubuntu most likely and an Apache web server running Apache httpd 2.4.18.

The next step is to visit the website and see what is there. There is a simple home page with a login box and a box to search the site.

Taking the image off the site and doing a reverse image search reveals the character on the home page is “Agent 47” - could be used in a password later.

Seeing that there is a login box, we could try default credentials but this looks like a custom made site so it probably won’t work. Instead, we can a very simple login bypass using SQL injection. For this, we use the syntax

  • ‘ or 1=1; -- -

sql.png

This bypasses the login and takes us to a “portal.php” page with another search box.

Knowing that the previous login box was exploitable via SQL injection, we can assume that other boxes are also vulnerable. We can do this manually or through SQLmap - we will do SQLMap first. Before we start, we can intercept a search request to the page via Burp Suite.

Then, we can save the request to a text file called “request.txt”.

We can then feed this request to SQLMap via the “-r” parameter followed by “--dbms=mysql --dump” to specify the database as MySQL and to dump everything.

After a while, SQLMap reports back that the back-end DBMS is MySQL and some other information - including the web server OS and the web application technology.

It also dumps everything including a database titled “db” with a table inside called “post” and all its content - including id, name and description.

Eventually, SQLMap will progress until it finds some password hashes. Then, it will ask if you want to store them in a temp file and to try and crack them. Say yes and specify the “rockyou.txt” wordlist and say no to using common password suffixes. After another short while, a password hash will be returned in the users table but will NOT be cracked.

I simply outputted this information to a text file on my system called hash.txt.

Using this hash and username, I tried cracking it using John the Ripper and the rockyou.txt wordlist. After a minute, the password was cracked revealing the password for the agent47 username.

If you remember from the Nmap scan, port 22 was open indicating SSH. If we try these credentials via SSH, we will get a full shell on the remote system running as agent47.

Then, we can simply grab the user.txt flag inside the /home/agent47 directory.

Next, we can use a tool called “ss”  to investigate any sockets running. The following switches were used:

Once ran, we get some results back about open ports.

We see that a service is running on port 10000 which did NOT show up in our Nmap scan. However,, by using an SSH tunnel, we can expose the port to us locally.

From our machine, we run the command “ssh -L 10000:localhost:10000 agent47@10.10.169.182”.

Now that the port is open to us, we can navigate to localhost:10000 which reveals a login page running Webmin.

What happens if we try the same credentials again (agent47:videogamer124)?

It logs us in. It seems the user has re-used credentials. Once logged in, we can get some important information including the OS running (Ubuntu 16.0.4.6) and the Webmin version (1.580).

Searching for this version in searchsploit revealed a ton of exploits available for Webmin. However, one stood out - Remote Code Execution Metasploit module for version 1.580.

We can simply hop into Metasploit and use this module and then display the options we need to provide.

In this case, we need to set a ton of options - PAYLOAD, RHOSTS, SSL, RPORT, USERNAME, PASSWORD, LHOST.

sel.png

Note that we set the RHOSTS to our local machine due to the SSH tunnel we made earlier. We also set SSL to be false as it is not running over HTTPS.

After running the exploit, we see that authentication was successful and a command shell session opens. Running a simple “whoami” command reveals it is running as the root user.

To get a better, more stable shell we can use

  • python -c ‘import pty;pty.spawn(“/bin/bash”)’

 Having this shell and root access, we can simply cat out the root.txt flag to complete this room.

roottxt.png

OPTIONAL - The Manual Method

Going back to the website, we can try searching for a game in the “Search for a game review” box in the portal.php page. We can assume Hitman will be a game in the database due to the character on the main page.

Next, we can once again intercept a test search query - in this example, I used “test”.

With this, we can start to try and enumerate the number of columns in the table being queried by default. This is achieved by the ORDER BY syntax incrementing by 1 until an error occurs. In this case, at ORDER BY 4, an error occurs meaning that there are 3 columns.

With this knowledge, we can use UNION to confirm we can inject information onto the page by using the following command:

Which, in turn, should print the numbers to the page:

Next, we can try hijacking one of them and replacing it with a nest SQL statement or to test a string. In this example, I replace the second column (title) with “ourowndata”.

This should print “ourowndata” under the Title column.

If we replace the second value with a MySQL function instead - like user() - we get the user running the database printed to the page.

This returns, showing us that the root user is running the database on the remote machine.

Now that we know we can execute other MySQL commands, we can reference the INFORMATION SCHEMA database which contains stuff that MySQL itself uses to keep things in order such as other database names.

The SCHEMATA table specifically contains the names of database MySQL knows about. To extract the names of the databases, we can use a UNION SELECT and another MySQL command to select the SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA.

This should return all the names of the databases in the second column. As we can see, it does, revealing multiple databases such as mysql, performance_schema and most importantly “db”.

Next, we can query the names of the tables within a specific database - the “db” database seems user made and may contain important information. To do this, we simply ask for the TABLE_NAME from the INFORMATION_SCHEMA.TABLES where the TABLE_SCHEMA equals the name of “db”.

tables.png

This reveals all the tables inside the “db” database - post and users.

From here, we can start to enumerate the columns within those tables. In this case, the users table is more interesting - could contain passwords. To get the columns of the users table, we simply query for the column name from the information schema where the table name is users.

This, once again, returns the columns inside the users table - username, pwd, USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS.

users2.png

Knowing these columns, we can now use some more useful queries such as one to grab the username by selecting the username from the “db.users”.

This returns a single username - agent47.

Now that we have a single username, we can change the query from the username to the “pwd” to possibly get a password hash.

This reveals the password hash for the agent47.

To save some time, I simply pasted the hash into the Crackstation website and it came back identifying it as a SHA-256 hash with the cleartext password.

From here, we use the SSH tunnel with the newly identified credentials.

As an extra step, after identifying the running port and creating the SSH tunnel, we can scan that specific port using Nmap to gain some more information such as the version of MiniSever (1.580).

In case nmap was not available, we could also find the version of webmin by first searching the entire filesystem for any directories that include the name “webmin”.

In the results, we see there is an /etc/webmin directory - the /etc directory commonly stores storage system configuration files, executables required to boot the system, and some log files. Navigating inside that directory we see various files that could contain important data. In this case, only the “version” file was available to access revealing the full version number.

Doing a Google search reveals the following RCE exploit with a Metasploit module for this specific version.

Looking at the exploit, we see a description of how it works. The /file/show.cgi component allows an authenticated user (which we have!) to execute arbitrary commands with root privileges. It also includes various references for more information.

Looking at one of these references reveals more detailed information of how it works. 

If we navigate to 127.0.0.1:10000/file/show.cgi/etc/passwd we get the passwd file back - as simple as that.

Using this method to read files, we can simply read the root.txt document through the web browser.

We can, obviously, also read the user file knowing the username was agent47.

I hope this room was helpful in both understanding automated and manual SQL Injection. I included the manual method as I think it is important to understand how it works under the hood rather than simply relying on automated tools. I hope this writeup was useful and good luck in your future journey!

FightTheWest
Previous

Skynet - TryHackMe Room Writeup
Next

HackPark- TryHackMe Room Writeup