CTF-Writeups/HackTheBox/Shoppy.md
2023-01-28 22:29:37 +03:00


HackTheBox - Shoppy

NMAP

Nmap scan report for 10.10.11.180
Host is up (0.12s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp   open  http     nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
9093/tcp open  copycat?
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions:

PORT 80

Visiting the website, it redirects to shoppy.htb, so add this to the /etc/hosts file

The site only shows a timer for a beta site

Fuzzing for files and directories with gobuster finds admin, which redirects us to a login page. Fuzzing for subdomains finds mattermost

Adding the subdomain to the /etc/hosts file

Visiting the subdomain gives a login page that needs valid credentials, so let's move back to the admin panel we found

Checking for SQL injection, the application just doesn't respond if there's a single quote ' in the username

and the request just times out

So I guess there's some filtering going on, as sqlmap doesn't work either

If we make an invalid request it shows a "Cannot GET ..." message, which indicates that the web application is using routes, which is usually how Node.js works

So this application is probably using Node.js, and we can look for ways to bypass login on Node.js. I spent hours searching for login bypasses on Node and didn't find much: tried different payloads, read articles on bypassing, but no dice. Then I found this article:

https://nullsweep.com/a-nosql-injection-primer-with-mongo/

Foothold

This article explains using ' || 'a'=='a, which makes the query return true and allows us to log in, so our payload will be

admin' || 'a'=='a

From the dashboard, we can search for users

Which is also vulnerable to sqli

Using the same sqli payload, we get an exports.json file containing the users' hashes; we can try cracking them if they are crackable

CrackStation cracked josh's hash, but admin's hash wasn't crackable

Using these credentials on mattermost logs us in, and in the Deploy Machine channel we find credentials that we can use on SSH

Privilege Escalation (deploy)

With sudo -l we can check which commands we are allowed to run as root or as another user

This shows that we can run password-manager as the deploy user, but the binary asks for a password we don't know

To find it we reverse the binary with Ghidra

This shows the string Sample being compared against our input; if they match, the binary reads /home/deploy/creds.txt

So entering Sample as the password returns the contents of creds.txt from deploy's home directory

We can use this password to switch to the deploy user

Privilege Escalation (root)

From the id output, this user is in the docker group, so we can abuse that by mounting the host's root filesystem (/) at /mnt in an alpine container and chrooting into it to spawn bash

docker run -v /:/mnt --rm -it alpine chroot /mnt bash

References