Game Zone : TryHackMe Writeup

0liverFlow
10 min read, Dec 17, 2023


Game Zone

Game Zone is an interesting, gamified TryHackMe room in which you learn how to exploit a SQL injection vulnerability, crack a hash to gain initial access to a target system, then pivot from that initial access and escalate your privileges.

Setup

[Task 1] — Deploy the vulnerable machine

What is the name of the large cartoon avatar holding a sniper on the forum?

To find the name of the cartoon avatar in question, we can perform a reverse image search using Bing Visual Search, as follows:

Bing Reverse Image Search

[Task 2] — Obtain access via SQLi

Before jumping straight to exploiting the SQL injection, let's follow the methodology of a real penetration test: first detect the open ports, then try to exploit them.

Enumeration

Nmap Scan

We have two open TCP ports: HTTP and SSH.

Service Enumeration

HTTP

Let’s take a quick look at the website using our browser:

Game Zone Website

Here, Wappalyzer provided us with some useful information, such as:

  • The web server being used and its version (Apache 2.4.18)
  • The back-end programming language (PHP)
  • The Operating System used by the web server (Ubuntu)

Based on the information gathered above, we can do some vulnerability research to check whether this version of Apache is vulnerable.

Vulnerability Research

Here, we are going to use a tool called searchsploit:

Vulnerability Research — Searchsploit

Unfortunately, no exploit related to the target’s Apache version was found.

Nevertheless, if you pay attention to the webpage above, you may have noticed a user login form.

The login form is a potential injection point: if whatever you type as the username is written straight into the SQL query, the server will place it in the query and execute it as SQL.

More specifically, this vulnerability is called a SQL injection vulnerability.

SQL injection

SQL Injection

SQL stands for Structured Query Language. Simply put, this is the language used to store and process information in a relational database. It allows us to perform various operations such as creating, adding, modifying or deleting items in the database.

SQL injection is a web vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

This is due to a lack of proper user input sanitization and validation i.e. the input specified by the user is directly transmitted and executed by the Database Management System (DBMS) without any check.

The vulnerability can either be exploited manually (time-consuming) or automatically using a tool called SQLMap.

With that said, let’s use what we’ve learnt above, to manipulate the query and login without any legitimate credentials.

Here is the normal SQL query that gets executed on the server:

SELECT * FROM users WHERE username = :username AND password = :password

When we attempt to log in, the values we entered as username and password are inserted directly into the query above. If the query returns a row, we are logged in; otherwise an error message is displayed.

If we enter admin as the username and ' or 1=1 -- - as the password, it will insert this into the query and authenticate our session.

' or 1=1 -- - is what we call a payload. You can find more payloads here.

The SQL query that now gets executed on the web server is as follows:

SELECT * FROM users WHERE username = 'admin' AND password = '' or 1=1 -- -'

The extra SQL we entered as the password closes the string early, makes the WHERE condition succeed (for the admin user) since 1=1 is always true, and then comments out the rest of the query so that it does not break.

GameZone does not have an admin user in its database; however, you can still log in without knowing any credentials by reusing the payload from the previous question.

Use ' or 1=1; -- as your username and leave the password blank.
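To make the mechanism concrete, here is an added example (my own code, not part of the original writeup or the room) in Python against an in-memory SQLite database with constructed users: the vulnerable login splices user input into the SQL text, so the writeup's ' or 1=1 -- - payload logs in without a password, while the parameterised version treats the same input as literal text. The semicolon-free form of the payload is used for both fields because Python's sqlite3 driver accepts only a single statement per execute call.

```python
import sqlite3

# Payload quoted in the writeup above (no semicolon, so it stays one statement).
PAYLOAD = "' or 1=1 -- -"


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two made-up users, plaintext passwords
    only to keep the demo short (real apps store salted hashes)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str):
    """Vulnerable: user input is spliced into the SQL text, so a quote closes
    the string, 'or 1=1' is always true and '-- -' comments out the rest.
    Returns the username of the first matching row, or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Hardened: bound parameters are sent as values, never parsed as SQL,
    so the same payload is compared literally and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Password-field payload, as in the writeup (user admin does not exist).
    print("vulnerable, admin / payload ->", login_vulnerable(db, "admin", PAYLOAD))
    # Username-field payload with a blank password, as in the writeup.
    print("vulnerable, payload / blank ->", login_vulnerable(db, PAYLOAD, ""))
    print("safe, admin / payload       ->", login_safe(db, "admin", PAYLOAD))
    print("safe, payload / blank       ->", login_safe(db, PAYLOAD, ""))
    print("safe, alice / s3cret        ->", login_safe(db, "alice", "s3cret"))
```

The vulnerable calls return the first user in the table (alice) although no valid credentials were supplied; the parameterised calls return None for the payload and only succeed for a real username and password pair.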

Exploiting SQLi vulnerability

After successfully exploiting the SQLi vulnerability, we are redirected to the following webpage:

Redirected webpage

When you’ve logged in, what page do you get redirected to?

[Task 3] — Using SQLMap

SQLMap is a popular open-source tool that aims to automate the detection and exploitation of SQL injection flaws and the takeover of database servers. It comes pre-installed on all versions of Kali Linux, or it can be downloaded and installed manually here.

There are many different types of SQL injection (error-, union-, boolean- and time-based, etc.) and SQLMap automates the whole process by trying the different techniques.

We’re going to use SQLMap to dump the entire database for GameZone.

Using the page we logged into earlier, we’re going to point SQLMap at the game review search feature.

First we need to intercept a request made to the search feature using BurpSuite.

Making a new request
Intercepting the request with Burp Proxy
Saving the intercepted request in request.txt file
Sqlmap

-r : the text file containing the saved request to read

--dbms : the back-end DBMS

--dump : dump the DBMS database table entries

SQLMap will now try different methods and identify the one that’s vulnerable. Eventually, it will dump the database.

Injectable points
Summary of the identified injection points
db.post’s entries
db.users’ entries

In the users table, what is the hashed password?

What was the username associated with the hashed password?

What was the other table name?

[Task 4] — Cracking a password with JohnTheRipper

John the Ripper (JTR) is a fast, free and open-source offline password cracker that supports hundreds of hash and cipher types. It also comes pre-installed on all Kali Linux machines.

This program works by taking a wordlist, hashing each word with the specified algorithm and comparing the result to your hashed password. If the two hashes are the same, the word is the password. You cannot reverse a hash, so cracking has to be done by comparing hashes.
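As an added illustration of that loop (my own code, not part of the writeup or of John the Ripper), here is the comparison step for an unsalted SHA-256 hash in Python, using a constructed wordlist and a target hash derived from a made-up password rather than the hash dumped from the room.

```python
import hashlib
from typing import Iterable, Optional

# Constructed wordlist for the demo; a real run would use e.g. rockyou.txt.
WORDLIST = ["password", "letmein", "qwerty", "summer2019!", "dragon"]


def sha256_hex(word: str) -> str:
    """Hash one candidate exactly as a raw, unsalted SHA-256 password store would."""
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


def crack_sha256(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Wordlist attack as the writeup describes it: hash every candidate with the
    identified algorithm and compare it against the target hash. Since a hash
    cannot be reversed, a match is the only way to recover the original word.
    Returns the matching word, or None once the wordlist is exhausted."""
    target_hex = target_hex.strip().lower()
    for word in wordlist:
        if sha256_hex(word) == target_hex:
            return word
    return None


if __name__ == "__main__":
    # Made-up target; in the room this would be the hash from the users table.
    target = sha256_hex("summer2019!")
    print("target :", target)
    print("cracked:", crack_sha256(target, WORDLIST))
```

Because unsalted SHA-256 is fast and identical for every user, one pass over the wordlist tests every account at once; on the storage side the mitigation is a salted, deliberately slow hash such as bcrypt or Argon2.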

Before cracking the hash, we first need to identify the hashing algorithm used. To do that, we can use a program called hash-identifier.

Here is how to do it:

Identifying the hash algorithm with hash-identifier

Based on the output, it seems that the hashing algorithm used in our case is SHA-256.

Well, let’s now try to crack the hash using John:

If you come across the following error, just add /usr/sbin to your PATH variable.

Fixing PATH issue
Cracking the hash with JTR

hash.txt : contains the list of your hashes (in our case it’s just one hash)
--wordlist : the wordlist we’re using to find the dehashed value
--format : the hashing algorithm used. In our case the password is hashed with SHA-256.

What is the de-hashed password?

Now you have a password and username. Try SSH’ing onto the machine.

As a reminder, we found that the SSH port was open during the Nmap scan.

What is the user flag?

User flag

[Task 5] — Exposing services with reverse SSH tunnels

SSH Port Forwarding

Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.

-L is a local tunnel (YOU ← CLIENT). If a site is blocked, you can forward the traffic through a server you own and view it. For example, if imgur was blocked at work, you could run ssh -L 9000:imgur.com:80 user@example.com. Going to localhost:9000 on your machine will then load imgur through your other server.

-R is a remote tunnel (YOU → CLIENT). You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.

We will use a tool called ss to investigate sockets running on a host.

If we run ss -tulpn, it will tell us which listening sockets exist:

socket statistics (ss)

-t : display TCP sockets

-u : display UDP sockets

-l : display only listening sockets

-n : disable name resolution

-p : shows the process using the socket

How many TCP sockets are running?

We can see that a service running on port 10000 is blocked from the outside by a firewall rule (visible in the iptables rules). However, using an SSH tunnel we can expose the port to ourselves locally!

From our local machine, run ssh -L 10000:localhost:10000 <username>@<ip>

For more information about the ssh -L option, you can use man ssh.

SSH Local Port Forwarding

Let’s now take a look at the listening ports on our attacker machine:

Listening ports

As you can see, port 10000 is listening.

Let’s browse to localhost:10000 and see if we can access the newly exposed web server.

Accessing the internal webserver

Fantastic, it works!

What is the name of the exposed CMS?

What is the CMS version?

To find the version, we can use either whatweb or the Nmap Scripting Engine (NSE).

Here is how to do that:

CMS version

Another way to find the CMS version is to log in to the CMS with the user credentials we found earlier:

Retrieving the CMS version from administration panel

[Task 6] — Privilege Escalation with Metasploit

Using the CMS dashboard version, use Metasploit to find a payload to execute against the machine.

To find a payload, we are going to use msfconsole’s search command:

Msfconsole search command

When working with msfconsole, it is a good practice to thoroughly understand the details of the modules you plan to use. By reviewing this information, you can ensure that the module aligns with your objectives and that you are using it correctly.

To find the information related to a module, you can use the info command followed by the module ID or name.

Here is the output for the module we are going to use to exploit the web server:

Msfconsole info command

Once done, we can use the use command to select the module, fill in the required options and finally launch the exploit with the run command:

Setting up the exploit
Target successfully exploited

Wonderful \0/, we got a command shell session in the background.

Before going further, let’s upgrade our command shell session to a Meterpreter session using the sessions -u <SESSION_ID> command:

Upgrading the command shell session to a meterpreter session

Let’s access our Meterpreter session using the sessions <SESSION_ID> command:

Meterpreter session

For your information, getuid and sysinfo are two Meterpreter commands that display the current username and the system information respectively.

As you can see, our Meterpreter session is running with root privileges.

What is the root flag?

To find the root flag, we need to move to the /root directory:

Root flag
Mission Accomplished

Let’s recap

To sum up, this was a fantastic room in which we covered several interesting topics, such as:

  • Exploiting a SQLi vulnerability manually and automatically using SQLMap
  • Identifying and cracking a hash using hash-identifier and John the Ripper respectively
  • Performing pivoting using SSH tunneling
  • Privilege escalation using Metasploit.

That’s it! Do not forget to click on the little clap icon below if you enjoyed the content and to subscribe to my newsletter to keep up with my latest articles.

References

https://www4.bing.com/visualsearch

https://portswigger.net/web-security/sql-injection

https://sqlmap.org/

https://hackertarget.com/sqlmap-post-request-injection/

https://medium.com/@tushar_rs_/sqlmap-a-comprehensive-guide-to-sql-injection-testing-37220e77b0ee

https://nmap.org/book/nse-usage.html

Contact

LinkedIn : https://www.linkedin.com/in/konateolivier/

GitHub : https://github.com/0liverFlow
