Game Zone
Obtain Access via SQLi
Let's visit the webpage.
Let's try to log in with ' or 1=1 -- - as both the username and the password.
It looks like the login succeeded and we have been redirected to another page: the login query treats our input as SQL, so the condition 1=1 is always true and the rest of the query is commented out.
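To make the bypass above concrete, here is an added example (not code from the room or the original write-up) that reproduces the login check in Python against an in-memory SQLite database, first with string concatenation and then with a parameterized query. The table, the user "alice" and her password are constructed for the demo; real applications must also store password hashes rather than plaintext, which the example notes but does not implement.

```python
import sqlite3

# Constructed sample data: one user with a plaintext password (bad practice,
# kept only so the query shape matches the vulnerable login on the page).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
_conn.commit()

PAYLOAD = "' or 1=1 -- -"


def vulnerable_login(username: str, password: str):
    """Builds the SQL by string formatting, so user input becomes SQL code.
    Returns the matched username, or None if no row matched."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = _conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(username: str, password: str):
    """Same query with bound parameters: the payload is compared as a literal
    string and never changes the query structure."""
    row = _conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # The vulnerable version lets the payload in; the safe one rejects it.
    print("vulnerable:", vulnerable_login(PAYLOAD, PAYLOAD))  # alice
    print("parameterized:", safe_login(PAYLOAD, PAYLOAD))     # None
    print("legit login:", safe_login("alice", "correct horse"))  # alice
```

The vulnerable query becomes SELECT username FROM users WHERE username = '' or 1=1 -- -' AND password = '...'; everything after -- is a comment, so the first user row comes back regardless of credentials.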
Using Sqlmap
Let's first open Burp and capture the request for a test search.
Now let's save this request to a text file called request.txt (Actions > Save Item > give it a name > Save).
Let's use sqlmap with that request file to extract information from the database.
Answer Yes to all of sqlmap's prompts.
Cracking a password with John The Ripper
Let's crack the password hash we dumped.
We have the password, so let's log in over SSH and read the user flag.
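The reason the dumped hash falls so quickly to John is the hashing scheme, not the cracker. The following is an added example (not code from the room or the write-up, and the page does not state which hash the room uses) contrasting an unsalted SHA-256 lookup, which a small wordlist breaks instantly, with salted PBKDF2-HMAC-SHA256 at 600,000 iterations, where every guess costs real CPU time and identical passwords produce different hashes. The wordlist and the stored credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256

# Constructed wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: one cheap operation, same output for everyone."""
    return hashlib.sha256(password.encode()).hexdigest()


def wordlist_lookup(target_hex: str, words=WORDLIST):
    """Why an unsalted fast hash is weak: each candidate costs one hash call
    and a single table serves every user. Returns the matching word or None."""
    for w in words:
        if fast_hash(w) == target_hex:
            return w
    return None


def store_password(password: str, iterations: int = ITERATIONS) -> tuple:
    """Salted, iterated hash. Returns (salt, iterations, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    """Recomputes the digest with the stored salt and compares in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def seconds_per_guess(hash_fn, samples: int = 3) -> float:
    """Rough cost of one guess against the given scheme."""
    start = time.perf_counter()
    for w in WORDLIST[:samples]:
        hash_fn(w)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    leaked = fast_hash("password")
    print("unsalted sha256 cracked as:", wordlist_lookup(leaked))  # password

    rec1 = store_password("password")
    rec2 = store_password("password")
    print("same password, different digests:", rec1[2] != rec2[2])  # True
    print("verify correct:", verify_password("password", rec1))   # True
    print("verify wrong:  ", verify_password("letmein", rec1))    # False

    print(f"sha256 cost/guess:  {seconds_per_guess(fast_hash):.2e} s")
    print(f"pbkdf2 cost/guess:  {seconds_per_guess(store_password):.2e} s")
```

The timing lines show the gap a defender is buying: a per-guess cost measured in microseconds versus hundreds of milliseconds, multiplied across an entire wordlist, and with no shared rainbow table because each record has its own salt.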
Exposing services with reverse SSH tunnels
With the tunnel up, let's visit localhost:10000.
Let's log in with the credentials we already have.
Privilege Escalation with Metasploit
Let's start Metasploit and search for the version of the CMS we just found.
We have an exploit. We can use this module, or we can try it manually; let's do it manually and go to the /file/show.cgi file. The exploit can be read here. After reading it, we can see that we might be able to read the root flag, so let's try that, as we know where the root flag is located on the system (in most TryHackMe rooms).