CTF Walkthroughs, TryHackMe

TryHackMe – Game Zone Walkthrough

Introduction

This was a fairly easy Linux machine. Initial access involved exploiting an SQL injection vulnerability and cracking a user hash found in the database; privilege escalation to root then involved a vulnerability in the Webmin web application, reached through an SSH tunnel.

Obtain Access via SQLi

The following payload can be used in the login form to bypass the authentication:

'or 1=1 -- -

This changes the query that is executed during authentication to the following:

SELECT * FROM users WHERE username = 'admin' AND password = ''or 1=1 -- -'

Since 1=1 is always true, the WHERE clause matches every row and the web application grants the login. The trailing -- - comments out the rest of the query (including the closing quote the application appends), so nothing after the injected condition can interfere.

After logging in, the web application redirects to the following page:

Using SQLMap

Doing a search and intercepting the request with Burp Suite, then saving the entire request to a text file for later use with SQLMap:

Using SQLMap with the following flags to dump the current database:

  • -r to specify the request previously saved from Burp Suite
  • --dbms to specify the database, in this case, MySQL

SQLMap has dumped the password hash for the “agent47” user, from the users table of the “db” database:

Cracking a Password with JohnTheRipper

Using the hash-identifier tool to find out the hash type used in the database:

It seems to be SHA-256. Adding the hash to a text file:

Using John the Ripper with the following flags to crack the previously found hashes:

  • --format to specify the hash type, in this case, SHA-256
  • --wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

It appears the password for the agent47 user was “videogamer124”. Using the username and password found earlier to authenticate to the machine via SSH:

Exposing Services With Reverse SSH Tunnels

Running the following command to list the listening TCP and UDP sockets on the machine:

ss -tulpn

It appears port 10000 is listening for incoming connections, although it is bound to localhost only and therefore cannot be reached from the network.

Setting up a local SSH port forward so that connections to port 10000 on the Kali host are carried over the SSH session to port 10000 on the target's loopback interface:

ssh -f -N -L 10000:localhost:10000 agent47@10.10.131.230

Port 10000 can now be accessed from a browser on the Kali host via localhost:

A “Webmin” web application appears to be running on port 10000. After a little research, it appears that Webmin authenticates against the Linux users on the box rather than keeping its own user database:

Authenticating to Webmin using the credentials found earlier:

It appears to be running version 1.5.80.

Privilege Escalation with Metasploit

Looking for known exploits in this version of Webmin using the SearchSploit tool:

It appears a public remote command execution Metasploit exploit is available.

Starting MSFconsole, searching and selecting the exploit:

Setting the following options to prepare the exploit:

  • username to specify the Webmin user
  • password to specify the Webmin password
  • payload to specify the payload type, in this case, the Unix Python reverse shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • RHOST to specify the target host IP address
  • SSL to specify whether Webmin uses encryption, in this case it doesn’t

The exploit returned a root-level shell, giving full access to the machine.

Conclusion

This was a really fun box. The SQL injection part was pretty ordinary, but I really enjoyed that the privilege escalation phase involved port forwarding, as this is very common in real-life engagements yet still quite rare in capture-the-flag challenges.