Tags: sqli ssti docker 

Rating: 5.0

- There is an SQL Injection in the /login endpoint
- After retrieving the database content, cracking the admin hash and logging in as the admin, a new subdomain is revealed
- The subdomain has a Server Side Template Injection, so you can get a shell
- You now have the user flag
- The home folder is mounted in the Docker, so you can write the authorized_keys file and connect as the user to the host through the Docker network
- You can use a mknod privilege escalation to be able to read the raw /dev/sda and grep for the flag
- You now have the root flag

Complete writeup: [https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/)

Original writeup (https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/).