NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play a CTF called gamezone at
This is a fun room where we see an old but common vulnerability in untrusted user input lead to sensitive information disclosure (hashed credentials) which results in a threat actor gaining initial access. From here we then discover there is a weak security configuration (in effective network segmentation) and a vulnerable unpatched service. This chain leads to total system compromise.
Common Security Testing Approaches and Their Limitations
I wanted to point something important at this stage in this process of writing things up. What you are reading is a condensed version of events and the output you are seeing does not include anywhere near what you would want to know about the configuration and view of a system. If you will this is a view on what was used to exploit, it doesn’t go through every vulnerability. Why is this important? Well when you do security management and assurance you need to understand what activities produce which output and what you need as a business service owner or from an operational perspective. A vulnerability assessment and penetration test produce different out, they also both have limitations, so please when operating services for your business please consider that doing a single external penetration test once a year really isn’t a good acid test for your overall business security posture!
I’m going in!
That being said, let’s move onto the ‘fun’ part 😉
We begin by running common network-based (nmap) scans from an unauthenticated perspective
We identify a web service on TCP 80, so let’s grab a browser and let’s take a look around!
Let’s identify some injection points, we can do this both manually and with the aid of tools like BURP suite! Injection points include the following:
- Input fields such as login and search forms
- HTTP Request Parameters and Data
- Cookie strings
- User Agent Strings
We can see these in BURP:
Notice for this box I’ve switched to community edition. This is just to show that whilst having tools is great, it’s important to know what they do! I continue to use the site in a legitimate fashion (you don’t need to start throwing attacks at a site you don’t understand)
Now we can run nikto and I’d also suggest we run WAFW00F as a matter of practise!
We also will want to run a forced browse using Gobuster or Dirbuster
For injection testing we will want to test for:
Username: admin and injection: ‘ or 1=1 — –
SQL Injection Tests
Username: ‘ or 1=1 — –
If we search for a blank string we get the following:
We are now going to attack this search field with SQLMAP
Navigate to burp and save the item of the request we sent to the search filed (after we bypassed authentication)
We can now use this with SQLMAP (it contains the auth cookie)
(note you can add way more parameters to this). Without the additional parameters once SQLMAP finds the vulnerable parameter it will record this:
We can run this again with an additional switch:
SQLMAP is now trying to dump some hashes:
It was unable to crack the password but…
We can now try and crack this with John the Ripper or HashCat
Copy the hashes from tmp
Let’s unzip rockyou
Now let’s run John
|john –wordlist=/usr/share/wordlists/rockyou.txt hashes –format=RAW-SHA256|
Now we have a valid set of credentials we can try these with the SSH service (and other services that are exposed)
We can now obtain the user hash!
View local Services
We can also check this with:
|ssh -L 10000:localhost:10000 firstname.lastname@example.org|
We can see “Webmin” on this local port
We used the agent47 credentials.
Now we can launch the exploits!
We can now crack the HASH.
The shadow file has multiple hashes so we want to trim this to just the hash we want (root)
We can then use john or Hashcat
|.\hashcat64.exe -m 1800 -a 0 .\shadow .\rockyou.txt|
While that is running, we can try the other exploit:
We now have a root shell! Again, we might not end here, we may now install persistence and hunt for more data and additional artefacts such as hashes etc.