Game Zone
This is my write-up for the TryHackMe machine at: https://tryhackme.com/room/gamezone.
The hint for the first question is Reverse Image Search. I then posted the picture in Yandex.com and got the following:
I then clicked on an image and it led me to a title: Hitman Absolution. I then Googled the character name, and got the answer:
What is the name of the large cartoon avatar holding a sniper on the forum? Agent 47
I then ran an nmap scan:
I got the following output:
I noticed that there were only 2 ports open: 22 and 80. I went on port 80 to see what the website is:
After entering ' or 1=1 -- - in the username field and leaving the password field empty (based on the recommendations of the THM room creator), I was in:
When you've logged in, what page do you get redirected to? portal.php
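Why that input logs in, as an added example (not the room's code and not part of the original write-up): a login query built by string concatenation beside the parameterized form. The users schema, the SHA-256 digest and the password are assumptions constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed stand-in for the room's login backend; the schema, the account
# password and the hash function are assumptions, not taken from the target.
# An unsalted digest is used only to mirror a single hash column; it is not a
# password-storage recommendation.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    digest = hashlib.sha256(b"constructed-password").hexdigest()
    db.execute("INSERT INTO users VALUES (?, ?)", ("agent47", digest))
    return db

def login_concatenated(db, username, password):
    """Weak form: user input is pasted into the SQL text."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwd = '" + digest + "'")
    # With username "' or 1=1 -- -" the statement becomes
    #   ... WHERE username = '' or 1=1 -- -' AND pwd = '...'
    # so the password test is commented out and every row matches.
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened form: values are bound, never parsed as SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, digest),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"  # the input used in the write-up
    for name, pw in [("agent47", "constructed-password"),
                     ("agent47", "wrong"), (payload, "")]:
        print(repr(name), login_concatenated(db, name, pw),
              login_parameterized(db, name, pw))
```

With bound parameters the quote and comment characters are compared as literal username text, so the same input simply matches no row.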
For this one, we have to intercept the request to get the format for the SQLMap usage later. I turned on Burp Suite, and then got the request:
I then saved this to a file:
I then ran the command the room recommended:
I then got the following output:
In the users table, what is the hashed password? ab**********************************
What was the username associated with the hashed password? agent47
What was the other table name? post
For this one, I went with Hashcat, just because I am more comfortable with hashcat. I ran the following command:
The rockyou.txt file is included by default in Kali, and it is located at /usr/share/wordlists. I copied it to the local directory, ran gunzip on it, and got the file. As for the hashcat hash crack run, I got the following output:
What is the de-hashed password? vi**********
I ran ssh agent47@10.10.72.202 and used the password I had received before, and got into the machine:
I then got the user.txt flag:
What is the user flag? 649**********************
How many TCP sockets are running? 5
I then ran the following command, based on the recommendation from the machine:
I then posted the password that I had gotten previously into the password for the SSH, and got in again:
This time, we have the webapp running on our localhost:
What is the name of the exposed CMS? Webmin
The login credentials for the webapp were the same credentials as before; this leads to this site:
What is the CMS version? 1.580
I searched on msfconsole for an exploit:
I then started filling in options, and ended up with this:
I realized that the RHOST was supposed to be set to 127.0.0.1, based on this writeup. When I changed that option in msfconsole, I was then able to get the exploit to work. I then got the flag:
What is the root flag? a4************************************