How I Hacked GAME ZONE

GZ-Banner

*TASK 2: Obtain access via SQLi

Login-Page

Ok so on this task we need to open your browser, I am using firefox and that is because you can get ‘FoxyProxy’ which will let you change your proxy settings faster Now let move on after you get your browser open then you can go to the ip address of the deployed site it will load a site after the site is loaded your going to want to log in with an SQL INJECTION. (see code box below)

' or 1=1-- -

SQL-INJECTION

*TASK 3: Using SQLMap After you login you will be presented with this page

Search

on this page we need to intercept the search query and this is how we are going to do that

Set your browser to use burp suite as a proxy either on Chrome, Firefox, etc. (this is where ‘FoxyProxy’) will come in handy) which will allow you to intercept the ‘search’ function. From this point we will copy what was intercepted from Burp Suite to a new text document. Open Terminal. run SQLmap against the text document that was created

Burp

sqlmap -r Text-Document.txt --dbms=mysql --dump

SQL-MAP

When prompted to include all tests for ‘MySQL’ respond with ‘Y’, as well as all other prompts that follows.

SQL-MAP-OUTPUT

When asked if you want to crack the password via Dictionary-based attack respond with ‘Y’ Utilize ‘Custom Dictionary File’ by selecting option ‘2’ with rockyou.txt being the Custom Dictionary File When prompted to use Common Password Suffixes respond with ‘Y’

After running steps in SQLmap you should have all answers in this Task as well as Task 4 meaning you don’t have to mess with John The Ripper.

*Task 5: Exposing services with reverse SSH tunnels

Q-#2: We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the IPtable list). However, Using an SSH Tunnel we can expose the port to us (locally)! From our local machine, run the line in the code box below Once complete, in your browser type “localhost:10000” and you can access the newly-exposed webserver.

ssh -L 10000:localhost:10000 <username>@<ip>

SQL-MAP-OUTPUT

after you have logged in to the page in the above image you will have all the info you need to answer the questions in this task.

Reference Image logedinpage

The above image has had the info blured out so you can get the info for your self.

*Task 6

Ok so in this task we are going to use Metasploit to get the root flag. I had a bit of trouble with getting this to work but found out what the problem was so lets get started.

Frist lets go ahead and start Metasploit

sudo msfconsole

After you have Metasploit running we are going to use search to find the version of the CMS from task 5 to see if we can find an exploit for the CMS version

search *.** <--- (replace the *.** with the version you find)

search-version

after you have the exploit set next we need to set options for the exploit

set-options

Now we can just run the expoit

run-exploit

Now we can show sessions

sessions -l

show-sessions

Next choose the number of the sessions displayed on your console

sessions -i 1

After your session starts you may end up with just a blinking cursor if so just reference the image below

session

now all you have to do is read the root.txt and your all done.