Gamezone (THM)
TryHackMe – Gamezone Write-Up
topics: SQL injection, hash cracking, hidden services, port forwarding, Linux privilege escalation, lateral movement, scripting, exploit development
Plan
Enumeration
Local Privilege Escalation
Root Privilege Escalation
new tools: sqlmap
tools: nmapAutomator, LinEnum, python, johntheripper, ssh
Plan
This machine is a greybox test and we are given some preliminary information. We'll have to bypass webserver authentication with an SQL injection, crack hashes, and SSH tunnel into another machine to root the box.
Enumeration
./autonmap.sh $ip Basic
Ports 22 (SSH) and 80 (HTTP) are open. Since we know the foothold comes from obtaining credentials via SQLi, let's navigate to the homepage.
SQL Injection
As this is a greybox test, we know that we'll have to achieve an initial foothold through an SQL injection. In an effort to prepare for the OSCP exam, I attempted this manually first instead of using sqlmap, then ran sqlmap after the manual analysis of the website to confirm the credentials. I used the following command for automatic exploitation:
sqlmap -r post_request_headers.txt --dbms=mysql --dump >> sql.txt
We can use hydra to brute force generic SQLi authentication bypass payloads. Examine the POST request for the parameter names and the failed-login response message, which hydra uses to tell failures from successes.
hydra -L genericSQLi.txt -p test $ip http-post-form "/index.php:username=^USER^&password=^PASS^&x=0&y=0:Incorrect login"
On other boxes the login page (index.php, login.aspx, /portal, etc.) might submit to a different path (/auth, /login, etc.), so it's always vital to check the actual POST request in the browser's dev tools before building the hydra command.
There are 10 potential payloads in the list; I used the fourth one, ' OR 1 -- -, and was redirected to a new page, portal.php. We can find out which database platform is behind the form by using error-based techniques.
The error output shows this is a MySQL server and that user input reaches the query unescaped. The application is most likely using the input to build a SELECT statement, which makes it a candidate for a UNION attack: UNION appends the result of an additional SELECT to an existing SELECT statement, but the number of columns selected has to match the original query. We can determine that number by brute forcing with NULL values.
To determine the correct number of columns, we can inject NULL values using ' UNION SELECT NULL,NULL -- // and add one NULL at a time until we no longer receive an error. At three NULL values I didn't receive an error, so we can assume there are three columns.
Replacing the NULL values with key database functions, we can work out which column is reflected where in the page. Testing ' UNION SELECT NULL,user(),database() -- // yields:
We can see that queries run as the "root" database user. I found this site which lists potential payloads to return user data from the database. We can list the column names of the current database with ' union SELECT 'a',group_concat(column_name),'b' FROM information_schema.columns WHERE table_schema=database()-- //
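As an added example (not code from the original write-up or from the room), here is the string-built login query that makes the ' OR 1 -- - bypass above work, beside the parameterised version that also closes the UNION path, since the input never becomes SQL text. It uses an in-memory SQLite table with a constructed account in place of the target's MySQL database; the -- comment and OR logic behave the same in both engines.

```python
"""Vulnerable vs. parameterised login check (added example, not from the write-up).
An in-memory SQLite table with one constructed account stands in for the
target's MySQL database."""
import sqlite3

VALID_USER = "agent47"         # constructed sample account
VALID_PASS = "correct-horse"   # plaintext for brevity; the real app stored hashes


def make_db() -> sqlite3.Connection:
    """Create the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, ?, ?)", (VALID_USER, VALID_PASS))
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The pattern being exploited: quotes and -- from the input become SQL."""
    return (f"SELECT id FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With username = ' OR 1 -- - the WHERE clause becomes
    #   username='' OR 1 -- -' AND password='...'
    # so the password check is commented out and OR 1 matches every row.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the statement text fixed; the driver passes the values
    # separately, so ' OR 1 -- - is compared literally as a username and a
    # UNION payload never reaches the parser as SQL.
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1 -- -"
    print("vulnerable, bypass payload:", login_vulnerable(db, bypass, "test"))  # True
    print("safe, bypass payload:", login_safe(db, bypass, "test"))              # False
```

Running it shows the same input logging in through the concatenated query and being rejected by the parameterised one, which is the fix to apply (along with hashed password storage) on the application side.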