Game Zone


Last updated 3 years ago


Obtain Access via SQLi

Let's visit the webpage.

Let's try to log in with ' or 1=1 -- - as our username and pass in our password field.

It looks like we were able to log in, and we have been redirected to another page.
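Why this username logs us in, as an added example that is not part of the original writeup or the room's code: it assumes the login form builds its query by string concatenation, and it uses an in-memory SQLite database with a constructed table and account. The vulnerable function is shown beside a parameterized one that treats the same input as data.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # the username string used in the writeup


def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed row; plaintext only for brevity, a real app stores a password hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def login_vulnerable(db, username, password):
    """Concatenates input into the statement, so input can become SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With PAYLOAD the statement becomes:
    #   ... WHERE username = '' or 1=1 -- -' AND password = 'pass'
    # The quote closes the string, "or 1=1" is always true, and "--" comments
    # out the password check, so every row matches.
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Binds input as parameters, so it is compared as a literal string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def demo():
    """Returns the login result of each function for the writeup's input."""
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD, "pass"),
        "parameterized": login_parameterized(db, PAYLOAD, "pass"),
    }


if __name__ == "__main__":
    print(demo())
```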

Using Sqlmap

Let's first open Burp and capture the request from a test search.

Now let's save this request to a text file called request.txt (Actions > Save Item > Give name > Saved).

Let's use sqlmap to get information.

Type Yes for all the questions.

Cracking a password with John The Ripper

Let's crack the password.

We have the password, so let's log in and read the user flag.

Exposing services with reverse SSH tunnels

Now let's visit localhost:10000.

Let's log in with the credentials we have.

Privilege Escalation with Metasploit

Let's start Metasploit and look for the version of the CMS we just found.

We have an exploit. We can use this module or try it manually; let's do it manually and go to the /file/show.cgi file. The exploit can be read here. After reading it, we can see that we might be able to read the root flag. Let's try that, since we know where the root flag is located on the system (in most TryHackMe rooms).