We go to the webpage and use ' or 1=1 -- - as both username and password, and we are redirected to portal.php.
SQL INJECTION - Automated and Manual
Since this is an OSCP path and sqlmap is not allowed in the exam, I'll cover both: SQL injection with and without sqlmap.
We're going to use sqlmap to dump the entire database for GameZone. Using the page we logged into earlier, we're going to point sqlmap at the game review search feature. First we need to intercept a request made to the search feature using Burp Suite.
Save this request into a text file. We can then pass this into SQLMap to use our authenticated user session.
To crack the password hash, we can go to CrackStation. The password is Videogamer124.
Go to the search bar on portal.php and try these union-based SQL queries one by one:
' UNION select 1,2,3 from information_schema.tables #
' UNION select 1,table_schema,table_name from information_schema.tables #
' UNION select 1,table_name,column_name from information_schema.columns #
' UNION select 1,username,pwd from users #
Basically there is a table called "users" which has the columns "username" and "pwd". If in doubt, you can google union-based SQL injection or watch the walkthrough video by Motasem Hamdan on his YouTube channel.
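To show why the login bypass and the UNION queries in the search box work, and what stops them, here is an added example (not part of the original writeup): a constructed SQLite stand-in for the GameZone tables, with each string-built query beside its parameterised form. The table contents, the password hash and the SQLite-style -- - comment (the # in the payloads above is MySQL syntax) are assumptions for this example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the GameZone database (not the real one): a users
# table with a SHA-256 password hash and a review table that the search box
# queries. Rows and hash are made up for this example.
SCHEMA = """
CREATE TABLE users (username TEXT, pwd TEXT);
INSERT INTO users VALUES ('agent47', '{pwd}');
CREATE TABLE post (id INTEGER, title TEXT, description TEXT);
INSERT INTO post VALUES (1, 'Mortal Kombat 11', 'Fighting game review');
"""

def make_db():
    con = sqlite3.connect(":memory:")
    digest = hashlib.sha256(b"videogamer124").hexdigest()  # constructed
    con.executescript(SCHEMA.format(pwd=digest))
    return con

def login_vulnerable(con, username, password):
    """String-built query: the flaw behind the ' or 1=1 -- - login bypass.
    The quote closes the literal, 1=1 is always true, -- - comments out the
    password check, so the first user row is returned."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pwd = '{digest}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, username, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    row = con.execute("SELECT username FROM users WHERE username = ? AND pwd = ?",
                      (username, digest)).fetchone()
    return row[0] if row else None

def search_vulnerable(con, term):
    """String-built LIKE query: a UNION with a matching column count in the
    search term appends rows from any other table (here, users)."""
    sql = f"SELECT id, title, description FROM post WHERE title LIKE '%{term}%'"
    return con.execute(sql).fetchall()

def search_safe(con, term):
    """Bound parameter; the wildcards are added to the value, not the SQL."""
    return con.execute("SELECT id, title, description FROM post WHERE title LIKE ?",
                       (f"%{term}%",)).fetchall()
```

With the safe variants the same payloads return no row at all, which is the behaviour a fix for portal.php should produce.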
Moving on: since we have a username and password, we SSH into the target machine and get the user flag.
We can see that a service running on port 10000 is blocked from the outside by a firewall rule (visible in the iptables list). However, using an SSH tunnel we can expose the port to ourselves locally.
For the SSH tunnel (local port forwarding) we run ssh -L 10000:localhost:10000 <username>@<ip> (as shown above), which makes the target's port 10000 reachable on our own localhost:10000.
Once done, just go to your browser and visit localhost:10000 and you will see something running. This is Webmin (a web-based system administration interface); google for more info, and try finding out whether it uses usernames and passwords.
We see that trying the default Webmin username and password doesn't work. Once we try our previous one (username agent47, password videogamer124), we are in!
You can also see the Webmin version, 1.580, and look for exploits for further exploitation.
Since this is an OSCP path, I will not be covering Metasploit and will go the manual way. Now there are two methods. You can find this exploit on Exploit-DB and via searchsploit; it is written in Ruby and is the easy way.
Offensive Security's Exploit Database Archive: Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit). CVE-2012-2982, CVE-85248. remote exploit for Unix…
This exploit was a bit confusing to understand from the instructions, but all you have to do is specify the file or directory you want to access. If you wanted to access /etc/passwd then you would visit:
So just visit the URL given below, which is the location of the root flag file (/root/root.txt), and we get the root flag!
Another Way to solve this was using a Python exploit which can be found with a google search.
GitHub - OstojaOfficial/CVE-2012-2982: Python exploit for CVE-2012-2982. This Python script is written for the vulnerability in Webmin 1.580, CVE-2012-2982. The vulnerability exists in the…
However, you will get errors and will have to debug and fix the exploit code, because many libraries get updated and change frequently.
I have tried covering all the possible ways to solve this machine. I hope you learned something from this writeup — Zeus