###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`
# GameZone
:::info
This room covers SQLi (exploiting the vulnerability manually and via SQLMap), cracking a user's hashed password, using SSH tunnels to reveal a hidden service, and using a Metasploit payload to gain root privileges.
:::
## Obtain access via SQLi
SQL (Structured Query Language) is a standard language for storing, editing and retrieving data in databases. A login query can look like so, where `:username` and `:password` stand for the values submitted by the user:
```
SELECT * FROM users WHERE username = :username AND password = :password
```
On the GameZone machine, when you attempt to log in, the values you entered for username and password are inserted directly into the query above. If the query returns a row you are logged in; otherwise an error message is displayed.
This is where the vulnerability lies: because the input is placed into the SQL text verbatim, you can enter a fragment of SQL as your username or password and the server will build and execute the resulting query.
If we use `admin` as our username and `' or 1=1 -- -` as our password, it is inserted into the query and our session is authenticated.
The SQL query that now gets executed on the web server is as follows:
```
SELECT * FROM users WHERE username = 'admin' AND password = '' or 1=1 -- -'
```
The extra SQL we entered as the password closes the password string early, adds `or 1=1` (which is always true, so the row for the admin user is returned), and then `-- -` comments out the rest of the query so the dangling quote does not break it.
I don't know if there is an *admin* user in the database; however, I can still log in without knowing any credentials using the password input shown above.
I then use `' or 1=1 -- -` as my username and leave the password blank:

Doing so took me to the `portal.php` page.
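To show why the payload above works and what stops it, here is an added example (not code from the room or the GameZone application) with a constructed SQLite table: one login function builds the query by string concatenation as the writeup describes, the other binds the values as parameters so the same input is compared literally against the stored password.

```python
import sqlite3


def make_db():
    # Constructed sample database with a single throwaway account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('agent47', 'not-the-real-password')")
    return db


def login_vulnerable(db, username, password):
    # Vulnerable pattern: user input is pasted into the SQL text, so
    # ' or 1=1 -- - closes the string, adds an always-true clause and
    # comments out the trailing quote.
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened pattern: the values travel as bound parameters and never
    # become part of the SQL grammar, so the payload is just a wrong password.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print("vulnerable, payload as password:", login_vulnerable(db, "admin", payload))
    print("vulnerable, payload as username:", login_vulnerable(db, payload, ""))
    print("parameterized, payload as password:", login_parameterized(db, "admin", payload))
    print("parameterized, payload as username:", login_parameterized(db, payload, ""))
```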

## Using SQLMap
**SQLMap** is a popular open-source, automatic SQL injection and database takeover tool. There are many different types of SQL injection (boolean-based, time-based, etc.) and SQLMap automates the whole process by trying the different techniques.

We're going to use SQLMap to dump the entire database for GameZone.
Using the page we logged into earlier, we're going to point SQLMap at the game review search feature.
1. First we need to intercept a request made to the search feature using BurpSuite:

2. I save this request into a text file.
We can then pass this file to SQLMap so it reuses our authenticated user session.

**-r** uses the intercepted request you saved earlier;
**--dbms** tells SQLMap what type of database management system it is;
**--dump** attempts to output the entire database.
SQLMap will now try different methods and identify the one that's vulnerable. Eventually, it will output the database.

The result of the command shows us the presence of two tables:
- users
- post
In the table `users` we have one username associated with its hashed password.
## Cracking the password with JohnTheRipper
**John the Ripper (JTR)** is a fast, free and open-source password cracker. It is also pre-installed on all Kali Linux machines.
We will use this program to crack the hash we obtained earlier. JohnTheRipper is 15 years old, and other programs such as Hashcat are among the several other cracking tools out there.
This program works by taking a wordlist, hashing each entry with the specified algorithm and comparing the result to your hashed password. If both hashes are the same, it has found the password. You cannot reverse a hash, so cracking has to be done by comparing hashes.

To use it I first store the hashed password in a file. Then I run the following command:
`john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256`
- hash.txt - contains the hash
- --wordlist - is the wordlist I'm using to find the plaintext value
- --format - is the hashing algorithm used. In our case it's hashed using **SHA256**.

:::success
The Password is : videogamer124
The Username is : agent47
:::
Now that I have a username and password, I try SSH'ing into the machine.

## Exposing services with reverse SSH tunnels


We can see that a service running on port **10000** is blocked from the outside by a firewall rule (visible in the iptables list). However, using an SSH tunnel we can expose that port to ourselves locally!
From my local machine, I run `ssh -L 10000:localhost:10000 <username>@<ip>`, which forwards local port 10000 through the SSH connection to port 10000 on the target.

Once connected, I type `localhost:10000` into my browser to access the newly exposed web server.

The server is **Webmin** and its version is **1.580**.

## Privilege Escalation with Metasploit
Using the Webmin version shown on the dashboard, let's use Metasploit to find a payload to execute against the machine.
1. I first search for any vulnerability related to this version:

2. I search for the vulnerability in Metasploit

I found the vulnerability in Metasploit and now I will use the available exploit. To use the exploit I have to set the different required parameters, as shown in the figure above.

3. I also have to specify the payload to use

After that, I can run the exploit!

:::success
I have a reverse shell and I AM THE ROOT USER!
:::