SQLi, SSTI & Docker Escapes / Mounted Folders - HackTheBox University CTF "GoodGame"

Video Statistics and Information

Captions
This is an old video, I will admit. This dates back to 2021 and we were going through the Hack The Box University Capture the Flag, and it is something that I should have released and I forgot to, so here it is. I hope you enjoy it, I hope you have fun. If you aren't already in Hack The Box and you aren't part of Hack The Box Academy and you aren't rooting and getting user on boxes and different machines, you are missing out on learning how to hack and become an ethical hacker and penetration tester and bug bounty hunter and capture the flag and all of those great things. You can sign up in the link below. Thanks so much, I hope you enjoy the video.

Hello everyone and welcome back to another YouTube video. My name is John Hammond, and in this video we're taking a look at more of the Hack The Box University CTF, or their capture the flag that was going on this past weekend. So hey, I'm gonna hop over to my computer screen and we will get after it. In this video I want to showcase one of the machines in the Full Pwn category, or things that are accessible to just, hey, fully take advantage of and compromise a host or full computer and workstation. So I'm going to get started with this GoodGames one. Looks like I have challenge information here that tells me nothing other than to get user. Supposedly this is a virtual machine that will be spun up and created inside of the VPN, or the accessible network that they offer through an OpenVPN configuration file that you could simply download and then connect, and we'll do that in just a moment as soon as the instance is spun up. So I'll stand by, pause the video, and we'll get back to it once we're ready.

Okay, now the IP address is set, the machine has been created. I'll go ahead and download that OpenVPN configuration file that we could use to get started connecting. I'll connect over in the United States here, and I'll hop over to my terminal. Now I am hopped over into my terminal, I'll move that downloaded VPN key and I'll make a directory for Full Pwn. Okay, now I have moved the configuration file into this directory and made a full_pwn directory or folder for us to work in. First I'm going to connect to the VPN network. I'll use sudo openvpn and the file name here for the config, I'll enter my password for sudo and that will get rolling for us. I'm gonna create a new terminal window; I am using Terminator, I'm a Terminator fanboy. Then I'll move into that full_pwn directory and make a directory for GoodGames, which is the name of this box that we're gonna beat up. So I'll move into that directory and I'll create a simple README, even though I probably won't use it. It's just, I don't know, I try, right? And then we'll use a simple, hey, export IP= this thing, maybe just for some quick and easy syntax in the command line, although I'll probably not even use that because I'll end up making so many different terminals here.

Let's make a directory for nmap and I'll nmap scan this. I'll use -sC for default scripts, -sV to enumerate versions, -oN to output in the nmap format; I'll call the file initial in that directory that I just created, and the IP address that we had just stored as an environment variable for us to work with. This is... hey, the host seems down. Okay, I am connected to the VPN, I thought? Nope, guess not. Oh, this is an issue from recording earlier when I disabled IPv6, which is necessary for our VPN connection to the Hack The Box environment. So that's totally my bad, I should have known, but now we can correct that and enable IPv6 again. So pip and gem and all the other things that I try to install will fail and take a long time, but now at least we can get to the VPN, so that should be a little bit better there. Okay, and we see we do have port 80 open serving HTTP with a Python web server, seems like. I don't know if there are any other ports we might be able to take a look at, so while I go explore manually, I'll get started with an all-port scan, -p-, and let that run, and we'll open this machine in our web browser and see really what we're up against here.

I have some of the tabs open still from the previous video, forgive me, horrible light mode things, everyone's going to go blind. But if we go access this, this is our GoodGames web page, apparently. As we passed, I remarked, okay, looks like there are some games to access on a PC, PS4, Xbox. Aren't we in the PS5 era? I don't know, I haven't been gaming all that much. I do hear the new Halo's pretty cool though; I don't know, people are all excited about Battlefield and all the shenanigans. What can I do? Oh, I have an account maybe, or a user. Can I sign in? Use an email and password. Is this vulnerable to, like, SQL injection maybe? Maybe SQLite, right? We'll try it with these. Oh, I need a valid email address, at least according to the JavaScript, though maybe I can get around that with something silly. How about a@a.com? JavaScript is probably telling me, hey, the client side, yeah, no, you can't do that, but let me try to post naturally. No, that breaks. Weird. Thanks LastPass, I'm glad you got my back. I wanted to see a POST request so that I could copy this and end up making a little cheesy Python requests thing to mess with it. You could totally use this in Burp Suite, which would probably be more approachable for some folks, or they'd just rather do that. Oh, here it is, here's the POST to /login, and we add the email and password. Can I do SQL injection just kind of naturally?

Let's fire up a script here. I'll call this just tinker.py, and we'll make that URL just be this fella; we'll add in /login in just a moment. But let's get a shebang line started and we'll import requests. I do need to add a 3 at the end of that python shebang line before people get mad at me. And then let's create a session, right? Let's create a requests.Session object, and we'll s.post to our URL and our login endpoint with data being: we have an email, which we could set to a@a.com for the moment, and our password, which we could totally just say is password. What did I even submit earlier, did I say like a super sensitive password? Oh no, I just had another SQL injection attempt. Good enough. And Black, the Python linter that I've been using in Sublime Text, is probably going to want to make that a mess. Sublime Text decided that it wanted me to buy the product, silly. Let's make this an object that we could return and display the contents from. Let's see if that gets anything. Looks like it will run, but it gives me that 500 internal error. So let's set the syntax here to HTML so I might be able to see that a little bit better, add some colors here, make this better on our eyes, but it's still a 500 internal server error. So let's try to do some of those SQL injection shenanigans. Let's do an ' or 1=1 and then, oh, let's try the pound symbol there. And what did this do? Oh, login success! Okay, easy peasy, that just let it happen. Welcome admin. I'm suddenly the admin and I am redirected around.

Can I just totally weaponize this with sqlmap? Is that just going to be baby cakes? Let's do a sqlmap on that. Do I have sqlmap? Oh, it's probably not in my... there it is, sqlmap.py, and cool, that can cruise through things. Let's go to this login page, and that needs a -u to run with a URL. Do I want to try URI injection? No, I should probably add --data, so like email=anything&password=anything, but let's add single quotes around that so the ampersand doesn't mess up the terminal. There we go, looks like it can try to hammer and cruise through this, testing some time-based blind injections, trying to see if it could track anything down. Not getting a whole lot of love on the email field even though we just had... oh, but it did detect that it is MySQL. Yep, we can skip testing for all the others. The remaining tests, do you want to include all tests? That's totally fine. Got a refresh intent to /profile, do you want to apply it from now on? That's a curious thing, because it tells me that it succeeded, but it's not going to be able to retrieve anything. Do you want to retry to find proper UNION columns? Sure man, yeah, yes, I trust you, you're the professional here, sqlmap, you're smarter than me. You can try UNION characters and NULL fields and shenanigans. No, no, you literally have... it's checking if it's a false positive right now; my face is probably in the way. Oh, and it decided that it didn't need any of that.

Okay, let's rerun this and maybe not tell it to follow the redirect to /profile, because that was making it think that it succeeded in authenticating, but I genuinely want to be able to abuse the SQL injection vulnerability. So yes, it is MySQL, that's totally cool; yes, you can do other tests, but don't follow that redirect. POST parameter email is vulnerable, do you want to keep testing the others? No. All right, cool, so now sqlmap knows what it can beat this up with. Let's use --batch so that it will not ask me anything anymore, and let's try to, I suppose, enumerate databases with --dbs, and then see all the DBs. We find information_schema and main. Let's change the syntax to now run with the main database and look for the tables that are present. Ooh, okay, we find user, blog and blog_comments. Let's find out what the user might be. Can I, I guess, reach for columns in that to see if there's anything interesting? email, id, name and password. I'm going to assume there's probably only one, so let's dump that. Oh, and it decided that it had found a password and hash, so there's that. Can I crack that hash here? Let's echo that into a text file, and will John the Ripper just kind of do it? That's the hash, and let's use a wordlist, rockyou.txt. I don't know if it just happens to know that off the top of its head. Oh, lots of shenanigans, it didn't exactly know what it was doing. It's probably like an MD5 hash, is it not? Maybe something as stupid as CrackStation could find that super easy for us. Realistically it'd be better to be using hashcat or something, maybe, but oh yeah, okay, CrackStation just knows that that is superadministrator, apparently, as the login.

So let's actually log in to the real account now that we know that. We need, what was it, the account that it found was admin@goodgames.htb. So admin@goodgames.htb, slap that in. Hey, login successful, redirecting you to your profile page. Are you actually? Oh, you are, okay cool. Welcome to your profile page, update your profile picture and email address. Ooh, is there like an arbitrary file upload or anything? Or edit details, repeat password, what else could I do here? Oh, there are new buttons at the top, what do we have here? Profile, profile, oh, and there is a gear icon that will theoretically, I don't know if you can see it down at the very very bottom left of my screen, take me to internal-administration.goodgames.htb. So that is a domain name, and I will need to actually modify my /etc/hosts with that. So the IP address that we are currently working with is this, so let's slap that in, and I probably should sudo that. I could do this with nano or echo realistically, or tee, or, all of you folks that are telling me hey, you know you could be a little bit smarter on the command line, John, I know it, I know it, you don't have to tell me. internal-administration.goodgames.htb, that is correct I believe. Yeah, let's do it, man. NordVPN decided it didn't want to do that. internal-administration.goodgames.htb should work. I'm going to the right link, am I not? HTTP, please. NordVPN did not want to do it, I don't care, it's the same link, so hey, let's turn that off for a moment. Hello? Yeah, I genuinely wanted to go there, please, thank you.

Oh, we have a Flask Volt sign-in. Can I use the same admin, and I guess he was superadministrator? Yeah, can I log in with that? Yes, apparently, incredible. Okay, and we have forms and stuff, like, oh, the actual pages here in the demo admin. Can I modify these settings? Save all, new tasks, upload files, ooh, what can I upload? Please. Add user, add widget, do any of these do anything? Oh no, no, no, these are fake links, they all go to a pound symbol, that is to say they don't actually do anything, not useful. Page visits, however, we could again not do anything on the demo. Current user, my profile, this is where we were previously. How about the settings? No, same exact thing. Messages, nothing. Support, nothing. Okay, oh, this brings us to legitimate support for Flask Bootstrap. Can I change my name? Hello. Oh, you need a stupid date, gosh. Save, you need a freaking phone number too. Hello, there we go. This is Flask though, is it not? Can I do spooky shenanigans like server-side template injection? Let me try to do like a {{7*7}} in... oh god, I have to enter all this crap again, oh my gosh, this is gonna kill me. Oh, so I was trying to do server-side template injection with the mustache syntax and Jinja, the Jinja templating engine. Maybe we could do real stuff with that; we could run code and commands and do evil shenanigans. We did this just moments ago in a different challenge that I was recording previously, so let's get a Flask SSTI payload. Oh, I even have this kind of still in my search history. So scrolling down here, I want to grab the magic payload that will allow us to start to climb up a specific object tree, or the method resolution order in Python. So I'm going to steal this syntax super quick. Again, I haven't been taking any good notes in the README, but let's see if we have subprocess accessible and ready for us.

So here is that payload. Clicking around on stupid dates, yep, entering phone numbers, you need a number, oh my lord. But there we have, all in a horribly displayed output, these libraries and functions and things that we could do within Python. So I'm going to take all that output and try and determine what index would help me actually execute code or do anything a little bit more malicious. So I'm going to look for subprocess, and I see it here, looks like it is at 221. Yep, so with the payload that we had, now we could use 221. I'm using 221 when you might have seen that that was 222; it is because this is zero-based, right, and I'm using the line numbers for my text editor as kind of a guide, but that starts at one, that's one-based. So 221 will create a subprocess.Popen, or a process open kind of function or object, to run, and we could pass in a command that we might want to execute. I'll use just a super simple whoami, I'll pass in some arguments like shell=True, I'll actually wrap this in Python code blocks, and I'll specify our stdout=-1 so that way we'd be able to see the output, and I'll run communicate so that that actually executes, and it should return the standard output of the process. So theoretically, dumping all this in yet again, adding numbers here... I broke it. I don't know if you saw my quick internal server error; really quick, what is that hiccup? Let's try it from 221, let's see if we have... oh no, no, no, that found a socketserver ThreadingMixIn, not helpful. I'm gonna close out that Sublime Text window because it's been in the way. Did I do that wrong? subprocess, oh, I did, I should have been at Popen. No, no, that should be 221. Hello? Is it different every time? Because that's going to be a pain. Unless... were there values with like a... oh my goodness, they had a comma in them because of different types. Oh, that's awful. Let me look for an ending code brace and a newline, so that way we won't have any of those weird wacky types getting in the way of my comma separation to help me find this. That's a little bit better. Now I could check out, oh, subprocess.Popen is actually at 208, which is 207. That's why we want to piecemeal these things as we explore them, and I could automate this, I really should. What the heck? Oh, these are being a pain. No, no, that's... well, class tuple also has a problem, and another class tuple, so maybe I should have looked the other way trying to do that, but those seem to be the problem child, all of those other types that could have been used. So just some quick debugging and thinking kind of on our feet there, but hopefully that gets us correct now at 209. Which namedtuple were we, like, way far off? It's all these typing classes there. If we were at namedtuple when we needed to go one, two, sorry, one two three four five six seven eight nine more, which puts us at 216, is that right? Sorry, a little disc jockeying real quick. There we go, we have a CompletedProcess, so we need to go one more, that would have been 217, because we saw that CompletedProcess was just before Popen in our list. Because we can't access subprocess, I can't just call it directly, because we're using the server-side template injection we kind of have to climb these instances here. Now that we were able to actually access that object, we can do those things that I wanted to do moments ago, so actually try and get code execution from this. Let's run communicate, let's grab the first index, which is standard out, and then let's decode this, because it's returned as bytes to begin with, but I want to see the actual string value. So I am going to slap that in yet again, do some disc jockeying here, and it breaks. Why are we getting the communicate output? At least, are we getting this object to return for us? How about this, how about this, how about this? No, it does not like this. Is that because I am using a command that doesn't exist or that should execute? Oh, I'm sorry, that keyword argument was wrong all along. subprocess is not what we should have been supplying there, it should have been stdout; stdout is supposed to be subprocess.PIPE. You guys knew, you guys were telling me that. I'm again making idiot mistakes. There we go, now we have an actual object that's returned. Now we can communicate, or honestly stdout.read() to be honest, and then let's decode that value because it is going to be returned as bytes. So we could get a simple whoami, and enter a date and enter a phone number, and we are root, allegedly.

Okay, we're supposed to be getting user. Did we just skip that part? I don't know. Let's try to get a reverse shell though. I'm gonna go to revshells.com and grab a syntax that I could use here, I guess just regular Bash or their netcat; maybe Bash would be ideal. There's a Bash read line that should just straight up work, should it not? All right, so I have my reverse shell syntax, but I am in a VPN, so I kind of need to kick it to my tun0 IP address; this is not gonna be out on the interwebs. Let's try that, again 9999 as our usual port to listen on, and let's see if I can just get a simple reverse shell while listening on that. I'll slap this in, give that syntax, save all, and that did not come through. Does that need like bash -c and then... let me wrap that in single quotes, give that a little bit more pizzazz here, and yet again try this, save all. Okay, that's taking a longer time to load, and I have a shell. All right, so we are root, allegedly. Oh, but we're in a Docker file, so let me check ls -la on the root. Yeah, we're in a Docker container, that's not all that helpful. Okay, fantastic. Is there still a user flag we could get? Oh, there's, hey, a user augustus. Let's check out what users are present here. I should really stabilize my shell. That's weird, augustus is not mentioned in this /etc/passwd at all though. He's not a user here, but he has a home directory owned by UID 1000, again not present in our /etc/passwd. That's super weird. Can I move into augustus? Yeah, there's a user.txt, let's grab that. Okay, cool, cool, one flag down, allegedly. I mean, no, we did it, so submit that.

But what next? If augustus is just kind of here and not in the Docker container, that makes me wonder how this was all put together. Like, is this Docker container... what is this IP address? We are here, right? Can I explore a little bit more around that? Are there other ports, is there like a Docker port to access or something? Do we even have netcat, honestly? Do we have... no, we don't. Okay, we could use the Bash thing again and try to connect to a specific port, and this is just strictly the IP address though, but I'm more interested in the Docker gateway, 172.19.0.1. So the syntax to do that would probably be just the same, hey, connect to this at a given port, so we want this fella and port. I guess we can fan this out in a for loop, for i, or for port in, and it's this syntax, right, 1 through 65535; let's just go to the top thousand ports, I guess, and then it's a do and then a done for a regular Bash for loop, kind of doing this as a poor man's way. But that will hold on, and do we have timeout? The timeout command is... oh no, we do have timeout, okay cool. So just like, hey, if we could look for one second, maybe a nanosecond, I don't even know, 1s would be fine. timeout bash, not interactive, let's just use a -c command to try and read it, I think, yeah, or read from, realistically, that, and then we'll do... oh, I want that to be in double quotes so the Bash variable maintains itself, and let's redirect any errors of that to /dev/null or something. How about that, does that do anything? Trying this syntax, this is just kind of cooked up so I don't know. Connection refused, connection refused, oh dear god, oh dear god, why is my port no longer included there? Oh, oh, oh, capital PORT versus lowercase port, I'm a dumbo. Let's slap all this in and now that's present again. So this is disgusting, but at least it helps us kind of see what's where. Are there any ports that came through, realistically? Connection refused, connection refused, connection refused... 22 is missing. SSH! Some crappy enumeration to be able to see what's available, but if SSH is still present on what would be the Docker gateway, the Docker host, right, could we SSH? Do we have ssh? We do. So is ssh a thing? ssh... Pseudo-terminal will not be allocated because... oh god, it needs the stupid shell stabilization. I probably should be running in bash if I'm trying to actually stabilize the shell, so let me do all that again. Let's just get this connection yet again, computer, can I come back, just give me the shell. Okay, sweet. So I'm in /backend, which is where all this was, but by SSH now, stty, well, I need to actually export the terminal first. So do we have python? We do, so let's do the Python poor man's stabilization, pty.spawn, and we're gonna run out of space before my face gets in the way, but /bin/bash, trust me when I say that I am invoking /bin/bash. There we go, now let's Ctrl-Z, stty raw -echo, so that we have a little bit more of a stable shell here; trust yourself to type in fg to foreground your shell again, and I'm going to export TERM=xterm, and that's the magic trick to be able to get a decent stable shell. Now we should be able to SSH, and we know we want to go to the Docker host here. There we go. superadministrator maybe, will that fail? No. What about the augustus user, superadministrator? Oh, oh, that worked! Oh heck yeah. And now we are on the host, like on the actual machine. Yeah, now our Docker IP address here is fine and we have a legitimate IP address for this machine. That's awesome. Okay, cool, so that was a weird Docker escape.

But how do we privesc? We could just drop LinPEAS or anything, but if the augustus user profile is mounted in the container, like we were able to access that here in /home/augustus, or that user, and we're root in the container, we could just very well copy /bin/bash into this directory, right? That's going to be owned by root. Can we make that a setuid binary? Yes. So will it maintain its permissions if I now go back to the host as augustus, it still being the same? Oh, superadministrator, I'm more than certainly typing that wrong. There we go, now we're logged in, and bash is still owned by root and still setuid, so we could just... oh no, no, why? Error while loading shared libraries, libtinfo. Come on, that would have been so cool. Oh gosh, you don't have any of this stuff because you didn't like the same directory or anything. How do we not have busybox, seriously? Or maybe you don't... wait wait wait wait wait wait, I'm probably an idiot. We can copy the real /bin/bash from this host into here. Yeah, so hey, exit out of this, remove, as root in the container, our actual bash, because I was putting the container's bash in there. We need to toggle back in and out on the actual bash, so go in as augustus on the host again and now copy the host's bash into the directory. Now back in the container as root, we can make this owned by root, because currently it's owned by augustus, but root:root on bash, and then let's make... oh sorry, chown to make it owned by root, and then make it a setuid binary, ./bash. So then when I SSH back to augustus, now it is the actual host binary for bash and it will know where and how to find the proper libraries, correct? bash -p, that's it! I'm an idiot, I'm the fool, goodness gracious. Wow, what a wild ride of me being a dumbo, but that's cool, that was a super fun cheesy thing here. Like, I like the Docker escape, I like the... I mean the sqlmap that we got started with, the SSTI was a lot of fun, jumping over hoops and hurdles, that was very slick. That was a good box. I know it's rated easy, right, but I had fun with that and that was a good one.

Thanks so much for sticking with me for all of that. I know that was a longer video, or at least all of these have kind of been pretty lengthy, but I really, really liked that kind of disc jockeying in and out of the container, because the user had the permissions and it really was mounted in the file system of the Docker container while still being on the host, and doing that enumeration as like a poor man from within the container was kind of slick. That was cool to be able to explore that a little bit more. So that's it everybody, I think we've done some damage here. It looks like the VM just shut itself down because I submitted the flag, but that was a fun one, and that was your way to the user and root flags on the GoodGames machine in the Full Pwn category of the Hack The Box University CTF and capture the flag. I hope you enjoyed this video; if you did, please do all those YouTube algorithm things, you know I would super duper love it if you could like the video, leave a comment, subscribe. I'd be super grateful if you have any interest and you're willing to support or offer any generous donations; you know that that's what helps make this channel and motivates me to keep making more for you. There's a Patreon and PayPal link in the description, it would mean the world to me. Thanks so much for watching everybody, thanks so much, I'll see you in the next video. I love you, take care.
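The login weakness the walkthrough leaned on, a query built from the submitted email plus an unsalted MD5 password column, shown beside a hardened handler. This is an added example written for this page, not the GoodGames application's own code; it uses SQLite from the standard library so it runs offline (the box ran MySQL, so the constructed bypass string uses SQLite's `--` comment where the video used `#`), and the admin password and user table are constructed placeholders.

```python
"""Vulnerable vs. hardened login handler (added example, not the box's code)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data. The email is the account name seen on the page;
# the password is a placeholder, not the one recovered in the walkthrough.
ADMIN_EMAIL = "admin@goodgames.htb"
ADMIN_PASSWORD = "example-password-not-from-the-box"
# Constructed bypass string, SQLite-flavoured ('--' comment instead of MySQL '#').
BYPASS_EMAIL = "' OR 1=1 --"


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; brute force costs 200k SHA-256 rounds per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """In-memory user table holding the admin row in both storage formats:
    the weak unsalted MD5 column and a salted PBKDF2 column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, name TEXT, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO user VALUES (1, ?, 'admin', ?, ?, ?)",
        (
            ADMIN_EMAIL,
            hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest(),  # weak: rainbow-table bait
            salt,
            pbkdf2(ADMIN_PASSWORD, salt),
        ),
    )
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    """Query text is assembled from user input. An unbalanced quote in `email`
    rewrites the WHERE clause, so the password check never runs."""
    md5 = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT name FROM user WHERE email='{email}' AND password='{md5}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, email: str, password: str):
    """Parameterised lookup plus constant-time PBKDF2 comparison. The email is
    bound as data, never spliced into SQL, so the bypass string just fails to
    match any row; a wrong password fails the hash comparison."""
    row = db.execute(
        "SELECT name, salt, pw_hash FROM user WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    name, salt, stored = row
    if not hmac.compare_digest(stored, pbkdf2(password, salt)):
        return None
    return name


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable handler, bypass email:", login_vulnerable(conn, BYPASS_EMAIL, "x"))
    print("hardened handler, bypass email:  ", login_safe(conn, BYPASS_EMAIL, "x"))
    print("hardened handler, real creds:    ", login_safe(conn, ADMIN_EMAIL, ADMIN_PASSWORD))
```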
Info
Channel: John Hammond
Views: 74,439
Id: 0oTuH_xY3mw
Length: 36min 46sec (2206 seconds)
Published: Thu Feb 03 2022