Game - Zone Walkthrough

Uploaded by sanskarkalra121

Game Zone by Tryhackme (Walkthrough)

So let's start with initial enumeration using nmap:

So there are two open ports: one is a web server and the other is an SSH port.

Let's start by visiting the website on the web server:


So here is the website. We can see a login box on the left, and we can exploit it to log in using SQL injection.

We can bypass the login by entering this query in the username field.

We get logged in and are redirected to portal.php:
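To show why that login bypass works and what the fix looks like, here is an added example that is not part of the original walkthrough. It uses an in-memory SQLite table as a stand-in for the site's database; the table contents, the placeholder hash and the function names are all constructed for this illustration. The vulnerable function builds the query by string formatting, so the username becomes part of the SQL text; the hardened function uses a parameterized query, so the same input is only ever compared as a literal value.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the site's users table; the stored value is a
    # placeholder, not the hash the walkthrough recovers with SQLMap.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('agent47', 'placeholder-hash')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # String-built query: whatever the user types is spliced into the SQL text.
    # A username containing a quote and an always-true condition rewrites the
    # WHERE clause, so a row is returned without knowing any password.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(query).fetchone() is not None


def login_safe(con, username, password):
    # Parameterized query: the SQL text is fixed and the values travel
    # separately to the driver, so input can never change the query structure.
    # (Password checking is simplified here; a real login verifies a hash.)
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None


def compare_logins(con, username, password):
    # Returns (vulnerable_result, safe_result) for one input pair so the two
    # behaviours can be put side by side; a mismatch means the input changed
    # the meaning of the string-built query.
    return login_vulnerable(con, username, password), login_safe(con, username, password)


if __name__ == "__main__":
    db = build_db()
    # Classic tautology input in the username field, with a comment marker
    # that discards the password check in the string-built query.
    print(compare_logins(db, "' OR 1=1 -- ", "anything"))   # (True, False)
    print(compare_logins(db, "agent47", "placeholder-hash"))  # (True, True)
```

The point for the defender is the second result pair: the parameterized version still authenticates a genuine user, so the fix costs nothing functionally. Any login endpoint whose behaviour changes between these two functions for the same input has the class of bug this walkthrough exploits.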

So now we can be sure that the website is vulnerable to SQL injection. Next we will dump the entire database of this website using the SQLMap tool.

Okay, so now we will use this authenticated session with SQLMap to dump passwords.

So first we will capture the request of this authenticated session via the Burp Suite proxy: just right-click here, select "Copy to file" and save it as request.txt.

Now let's use SQLMap:

So now it has started; just wait for it to complete, and at the end we will get a hash for the user agent47:

Okay, so now we have a username and a password hash. We will use the password cracking tool "John the Ripper" to crack this hash and get a clear-text password:

Copy the hash from above and store it in a text file.

Now let's crack this hash; we will use the rockyou.txt word list:

Now that we have cracked the password for a user, let's try logging in on the open SSH port we discovered above:

So we have successfully logged into the machine and gained initial access.

User flag:

Now we will gain access to some services on the remote machine from our own machine via SSH port forwarding.

So what does SSH port forwarding do?

There is a port on the remote machine running a service which may not be accessible to anyone other than the remote machine itself.

SSH port forwarding allows us to forward traffic for such services to and from local and remote machines.

So how do we do that?

First we will discover the sockets and services listening on the remote machine.

We use the ss tool to do that:


You can see the argument and description section above to understand the options better.

So now we can see there is an extra listening port which nmap did not show us, which means it was blocked by some firewall rule.
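The reasoning in the last paragraph, comparing what is listening on the host with what was reachable from outside, is something a defender can do routinely on their own machines. The following is an added example, not code from the walkthrough: it parses the listening-socket lines of `ss -tlnp` style output and classifies each port against the set of ports an external scan observed. The `ss` output below is constructed for the illustration (addresses, ports and process names are made up), and `parse_ss_listeners`, `classify_listeners` and the classification labels are this example's own names.

```python
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tlnp` output; not captured from the room.
SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=401,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=520,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=610,fd=21))
LISTEN  0       128     0.0.0.0:10000        0.0.0.0:*          users:(("perl",pid=733,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=401,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss_listeners(text):
    # Keep only LISTEN rows; the local address is the 4th column and the port
    # is everything after the last ':' (handles IPv4, [::] and '*' forms).
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        process = " ".join(fields[5:])
        listeners.append(Listener(addr, int(port), process))
    return listeners


def classify_listeners(listeners, externally_seen):
    # externally_seen: ports an outside scan (e.g. nmap) found open.
    #   loopback-only          -> bound to 127.0.0.1/::1, never reachable remotely
    #   exposed                -> bound to all interfaces and seen from outside
    #   listening-but-filtered -> bound to all interfaces yet not seen outside,
    #                             so a host firewall rule is the likely reason
    result = []
    for l in listeners:
        if l.addr in LOOPBACK:
            label = "loopback-only"
        elif l.port in externally_seen:
            label = "exposed"
        else:
            label = "listening-but-filtered"
        result.append((l, label))
    return result


def filtered_ports(text, externally_seen):
    # Convenience view: the set of ports worth a second look, i.e. services
    # that only a local user (or an SSH tunnel) could reach.
    return sorted({l.port for l, label in classify_listeners(parse_ss_listeners(text), externally_seen)
                   if label == "listening-but-filtered"})


if __name__ == "__main__":
    for listener, label in classify_listeners(parse_ss_listeners(SS_OUTPUT), {22, 80}):
        print(f"{listener.addr}:{listener.port:<6} {label:<22} {listener.process}")
```

Ports reported as listening-but-filtered are exactly the ones an SSH tunnel would expose to an authenticated user, so they deserve the same patching and authentication standards as public services. On the SSH side, the `AllowTcpForwarding` option in `sshd_config` controls whether logged-in users may set up such tunnels at all.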

Now let's forward that port from the remote machine to our local machine using SSH port forwarding:

On your local machine:

Leave this terminal running for a while, open your browser and visit localhost:10000.

We see a new website running on this port, which means our SSH port forwarding worked successfully.
So now we are prompted with a new login page.

*Always try previously discovered credentials in any type of penetration testing activity.

Now just use the previously discovered credentials for agent47,

and it will work and we will be authenticated:

So now we can see that this CMS is running version "1.580"; let's see if there are any exploits for it.

I will use the Metasploit Framework to search for exploits:

So let's go and load msfconsole:

We will use this exploit to gain access with escalated privileges.

Let's load this exploit and set our options:


Now type exploit and boom:

So now our session has been backgrounded; let's interact with it:

So now we have root access to the machine. Simply navigate to the root directory and get the flag:

DONE :-)
