EarlyAccess Write-up

User 1: After logging in to the system, we found XSS in the Name field on the Profile page and used it to steal the admin user's cookie. With the admin cookie we found a backup.zip file containing a validate.py script, which verifies the game key. We wrote a bypass for the validator to generate our own game key so that we could log in to the game subdomain. On the game subdomain we found SQL injection and fetched from the tables the admin password for the dev subdomain. On the dev subdomain we found LFI, and in the file hash.php we found command injection, which gave us a reverse shell as the www-adm user.

User 2: By enumerating, we found an API running on port 5000, and in the www-adm directory we found a .wgetrc file containing the API credentials. Using the API, we accessed the check_db endpoint and fetched the password of the drew user.

Root: Reading drew's mail gave us a hint. We also found the SSH key of game-tester@game-server in drew's directory. Using the SSH key, we accessed the container, which we found by enumerating, as the game-tester user. Inside the container we found an entrypoint.sh file that runs all the scripts inside the /docker-entrypoint.d/ directory as root. Using that, we created a /bin/sh with SUID.
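
The root step works because a root-run entrypoint trusts everyone who can write to the directory it executes. As an added example (not part of the original write-up or the box's own scripts), the following audit lists entries of such a directory that someone other than a trusted owner can modify, and setuid files under a path; the function names and the paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not from the box.
# A root-run entrypoint that executes every script in a directory is only
# as trustworthy as the set of users who can write to that directory.

# Print the directory and its direct entries that someone other than the
# trusted owner could modify: wrong owner, or group/world write bit set.
# Symlinks are skipped because their own mode bits are meaningless.
# Usage: writable_by_others DIR [TRUSTED_OWNER]   (owner defaults to root)
#   e.g. writable_by_others /docker-entrypoint.d
writable_by_others() {
    dir=$1
    owner=${2:-root}
    find "$dir" -maxdepth 1 ! -type l \
        \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print
}

# Print regular files with the setuid bit set under PATH, staying on one
# filesystem. Compare the output against a known-good baseline; a setuid
# copy of a shell is never expected.
# Usage: suid_files PATH
#   e.g. suid_files /
suid_files() {
    find "$1" -xdev -type f -perm -4000 -print
}
```

Any output from `writable_by_others` on a directory that root executes from at container start means a non-root user can get code run as root on the next restart.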