In this post, I would like to share a walkthrough of the GoodGames Machine from Hack the Box

This room will be considered as an Easy machine on Hack The box

What will you gain from the GoodGames machine?

For the user flag, you will need to run some SQLi Attacks on the login page. After that, we also need to abuse the SSTI on my profile page.

As for the root flag, you need to abuse a docker escape and copy the /bin/bash into Augustus access and give the root permission inside the docker environment

Information Gathering on GoodGames Machine

Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

As you can see, only port 80 is open to the public

Let’s access the website interface

I notice there is two buttons such as Blog and Store at top of the website.

The screenshot above shows the Blog web interface

The screenshot above shows the Store web interface

Let’s click the people icon and they ask us to enter credentials to sign in.

Let’s enumerate the website by using gobuster while accessing the website dashboard

Sadly, there’s nothing that looks interesting

Let’s register our own account on the Registration form

We have successfully registered

Let’s access the dashboard right now using the credentials that we just created earlier.

The login is successful, and it will be redirected to a profile page.

Nice! We managed to see the dashboard but there are no vulnerabilities or places to exploit at the website dashboard.

SQL Injection Attack

Burpsuite Method

Let’s open our burpsuite tool to analyze the packet.

Let’s inspect the packet

I try to use an error SQL Injection on the website but didn’t see anything at all.

Therefore, let’s try using a very common SQL Injection and it was a success.

As a result, let’s enumerate the SQL Injection using union based

On the website interface, we got the message “Welcome 4” and it was successful.

The screenshot above shows 4’s profile.

We should be able to enumerate the SQL Database deeper by using the syntax ‘ union select 1,2,3,database()– –

It was a success and it show the main

Next, we can use the syntax ‘ union select 1,2,3,concat(schema_name, ‘:’) from information_schema.schemata– –

It also success and it show information_schema:main:

Next, we can use the syntax ‘ union select 1,2,3,concat(table_name, ‘:’) from information_schema.tables where table_schema = ‘main’– –

It also success and it show Blog:Blog_Comments:User:

Next, we can use the syntax ‘ union select 1,2,3,concat(column_name, ‘:’) from information_schema.columns where table_schema = ‘user’– –

It is also successful and it show Email:ID:Name:Password:

Next, we can use the syntax ‘ union select 1,2,3,concat(id, ‘:’, name ‘:’, email, ‘:’, password) from user– –

We obtain a password hash and let’s crack the hash using hashcat

We got superadminisitrator as our password

sqlmap method

Aside from using burpsuite method, we can also use sqlmap to enumerate SQL database

We can use the command above to verify that sqlmap can enumerate the database

The screenshot above shows the output of the attack possible.

After that, we managed to notice that there are two available databases such as information_schema and main which resulted from the command

 "sqlmap -u <target's url> --data 'email=darknite@goodgames.htb&passsword=b' --batch --dbs"

We notice that there are three available tables as the user, blog, and blog_comments which resulted from the command

 "sqlmap -u <target's url> --data 'email=darknite@goodgames.htb&passsword=b' --batch -D main --tables"

We notice that there are seven available users such as admin and darknite which resulted from the command

 "sqlmap -u <target's url> --data 'email=darknite@goodgames.htb&passsword=b' --batch -D main -T user --dump"

Admin’s Dashboard on GoodGames Machine

Let’s access the admin’s dashboard using the username and password we obtained earlier.

It was a Success that will be redirected to an admin’s profile page.

On the dashboard, there is a new function that will lead to a new domain

However, we got a 405-page status which is a method now allowed!

Hold on! I did a mistake where it should be internal-administration but I type internal.administration

It’s a flask login page that should be vulnerable to Server-Side Template Injection

Let’s do some research and I managed to found out those links for some reading:

  1. SSTI in Flask/Jinja2. What is SSTI ( Server-Side Template… | by IndominusByte | Medium
  2. A Simple Flask (Jinja2) Server-Side Template Injection (SSTI) Example (kleiber.me)
  3. PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

Come back to our flask login page, We should be able to use the previous credentials to access the Dashboard

As expected, we managed to access the Dashboard using the previous credential

There is a section for “My Profile” and let’s check out what we can do inside My Profile

Oh Wow! We can edit our profile

Let’s try a common SSTI on Full Name and see how it response

It reflected on the profile name and let’s grab a reverse shell on the machine

We can start our nc listener so that we can retrieve our reverse shell

The SSTI command that we can use here can be seen as below:

{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}

We only required to change “id” to our reverse shell command

Voila! We managed to receive our reverse shell on my listener

Sadly, it’s root inside a docker environment

However, we can access the /home/augustus directory

We can read the user flag by executing the command “cat user.txt

Escalate to Root Privileges Access on GoodGames machine

Docker Escape

I notice that our connection is 172.19.0.2 which make me curious on 172.19.0.1 IP Address

Let’s grab a proper shell

I have shocked that we can access 172.19.0.1 via ssh service.

Let’s access using augustus credential and it works!

Sadly, we cannot run ifconfig using augustus credentials

However, we are able to verify the IP Address using the hostname -I command

Let’s create a new file on docker environment and see how it response

The file that we created inside docker environment have been assigned to root

Let’s copy /bin/bash into our current directory

We know that the file existed when we were inside docker environment

As a result, let give the file assigned to root privileges access

Aside from that, we need to give permission with SUID permission to the file

It look like we are ready to escalate to root

We can get root shell by running the command “./bash -p

We can read the root flag by executing the “cat /root/root.txt” command

-THE END-

Happy Learning Guys!

Extra Information on GoodGames machine

We can go to /etc/shadow so that we can unlock and read the write-up

Leave a Reply

Your email address will not be published.