# HackTheBox - Shoppy
## NMAP
```bash
Nmap scan report for 10.10.11.180
Host is up (0.12s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
```
## PORT 80
Visting the website, it redirects to `shoppy.htb` so, add this in `/etc/hosts` file
The site just only shows a timer for a beta site
Fuzzing for files and directories using `gobuster`, this finds `admin` which rredirects us to `login` page also fuzzing for subdomain it finds `mattermost`
Adding the subdomain in /etc/hosts file
Visting the subdomain we'll get a login page which needs valid credentials so let's move back to the admin panel we had
Checking for sql injection, it just doesn't respond if there's a single qoute `'` in username
And just times out
So there's some filtering going on I guess as sqlmap doesn't work either
If we make an invalid request it will show a message about cannot GET the request which indicates that web application is using routes which usually how node js works
So this application is probably using node js, we can try looking for ways to bypass login on node js, for this I spent hours on search bypassing login on node and didn't find much, tried different payloads, read artices on bypassing but no dice. I found this article
https://nullsweep.com/a-nosql-injection-primer-with-mongo/
## Foothold
From this article it explained using ``' || 'a'=='a`` which will make the query return true allowing us to login so our paylodad will be
```bash
admin' || 'a'=='a
```
From the dashboard, we can search for users
Which is also vulnreable to sqli
On using the same sqli payload, we'll get `exports.json` file which has user's hashes, we can try cracking them if they are crackable
Cracksation cracked `josh`'s hash but admin's hash wasn't crackable
Now using the credentials on mattermost, we'll get logged in and we can find the credentials which we can use on SSH from `Deploy Machine` channel
## Privilege Escalation (deploy)
WIth `sudo -l` we can check what permissions we have to run something as a privileged or other user
This shows that we can run `password-manager` with `deploy` user but this binary asks for a password which we don't know
For this we need to reverse the binary through `ghidra`
This shwos us the string `Sample` which is being comapred to our input and allow us to read `/home/deploy/creds.txt` if it's the matches with it
So we can enter Sample as the password which will return the contents of creds.txt from deploy's home directory
We can use this password to switch to deploy user
## Privilege Escalation (root)
From the id ouput, this user is in `docker` group so we can abuse that by mounting `chroot (/)` of the host machine in `/mnt` and spawn an apline container executing commands so we can spawn bash
```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```
## References
- https://book.hacktricks.xyz/pentesting-web/login-bypass
- https://www.stackhawk.com/blog/node-js-sql-injection-guide-examples-and-prevention/
- https://nullsweep.com/a-nosql-injection-primer-with-mongo/
- https://gtfobins.github.io/gtfobins/docker/