# Game Zone

![](/files/-MeCTJSRZ8wrr1kFIrdO)

## Obtain Access via SQLi

![](/files/-MeCUsvAEiCNYpDOeld6)

Let's visit the webpage.

![](/files/-MeCUxKZyE0Sk554Ssd_)

Let's try to log in with `' or 1=1 -- -` as our username and pass in our password field.

![](/files/-MeCVBePuXSxp1N-mSF-)

It looks like we were able to log in, and we have been redirected to another page.

![](/files/-MeCVJO7gHZF69lzsGqg)
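Why that username logs in, and what stops it, shown as an added example that is not part of the original write-up or the room's code. The SQLite table, the sample row and the two functions `login_vulnerable` and `login_parameterized` are constructed for illustration; the target's real query and schema are assumptions.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # the username entered on the login form above


def make_db():
    """Constructed in-memory table standing in for the site's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    # Constructed row; a real application would store a password hash.
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    # User input is pasted into the SQL text. A quote in `username` closes
    # the string literal, `or 1=1` makes the WHERE clause true for every
    # row, and `-- -` comments out the password check that follows.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND pwd = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the input as data, never as SQL, so the payload is
    # compared literally against the username column and matches nothing.
    query = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_parameterized):
        print(f"{fn.__name__}: payload -> {fn(db, PAYLOAD, 'pass')}, "
              f"valid credentials -> {fn(db, 'alice', 's3cret')}, "
              f"wrong password -> {fn(db, 'alice', 'wrong')}")
```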

## Using Sqlmap

![](/files/-MeCVVMZke4Lj09GTQzP)

Let's first open Burp and capture the request with a test search.

![](/files/-MeCWGsR-LzkI74J3YIk)

Now let's save this request to a text file called request.txt (Actions > Save Item > Give name > Saved).

![](/files/-MeCWlZ3fS5a99Jph4XJ)

![](/files/-MeCWxvrbk4pW3LrKaxu)

![](/files/-MeCX3ol4Mwp4K_mArT_)

Let's use sqlmap to get information.

![](/files/-MeCXFxMF_OMW2XX1_Bx)

Type Yes for all the questions.

![](/files/-MeCYljAqkmSnT9eiFm9)

## Cracking a password with John The Ripper

![](/files/-MeCYy7qE7Vx8aCwUM85)

Let's crack the password.

![](/files/-MeCZJeH-a2SGdGv8zQL)

We have the password; let's log in and read the user flag.

![](/files/-MeCZYxc_0onVW1XHMP1)

## Exposing services with reverse SSH tunnels

![](/files/-MeCi58a6taAc-x1gy9P)

![](/files/-MeCiOjI3-i3wsIdbQ_N)

![](/files/-MeCiSOaOevBB0YR3zj1)

![](/files/-MeCildZ4kbC3Jr8_KLd)

Now let's visit localhost:10000.

![](/files/-MeCitB_vxl8COzcPwQw)

![](/files/-MeCj50cE5nmh84G_rew)

Let's log in with the credentials we have.

![](/files/-MeCjFjJZRgw3IlX707X)

![](/files/-MeCjJ9SY6HLYT_Ugh-r)

## Privilege Escalation with Metasploit

Let's start Metasploit and look for the version of the CMS we just found.

![](/files/-MeCk8RwoholVTMGhaN4)

We have an exploit. We can use this module or try it manually; let's do it manually and go to the `/file/show.cgi` file. The exploit can be read [here](http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf). After reading this, we can see that we might be able to read the root flag. Let's try to do that, as we know where the root flag is located on the system (in most TryHackMe rooms).

![](/files/-MeCl_6Bku1sIOEm9j8D)


