Game Zone

Obtain Access via SQLi

Lets visit the webpage

Lets try to login with ' or 1=1 -- - as our username and pass in our password field.

Looks like we were able to login and we have been redirected to another page.

Using Sqlmap

Lets first open burp and capture the request with a test search

Now lets save this request to a text file called request.txt (Actions > Save Item > Give name > Saved)

Lets use Sqlmap to get information.

Type Yes for all the questions

Cracking a password with John The Ripper

Lets crack the password

We have the password, lets login and read the user flag.

Exposing services with reverse SSH tunnels

Now lets visit localhost:10000

Lets login with the credentials we have.

Privilege Escalation with Metasploit

Lets start metasploit and look for the version of the CMS we just found.

We have a exploit , now we can use this module or we can try this manually, lets do it manually, lets go to the /file/show.cgi file. The exploit can be read here. After reading this, we can see that we might be able to read the root flag, lets try to do that as we know where the root flag is located on the system (in most tryhackme rooms)