
HacktheBox Walkthrough - Shoppy

🟥Name ➡️ Shoppy
🟥Release Date ➡️ 17 Sep 2022
🟥Retire Date ➡️ 14 Jan 2023
🟥OS ➡️ Linux
🟥Base Points Easy ➡️ [20]
🟥First Blood User ➡️ 6 mins, 03 seconds (22sh)
🟥First Blood Root ➡️ 12 mins, 37 seconds (22sh)

👉Shoppy was one of the easier HackTheBox weekly machines to exploit, though identifying the exploits for the initial foothold could be a bit tricky.
👉I’ll start by finding a website and use a NoSQL injection to bypass the admin login page, and another to dump users and hashes.
👉With a cracked hash, I’ll log into a Mattermost server where I’ll find creds to the box that work for SSH.
👉From there, I’ll need the lightest of reverse engineering to get a static password from a binary, which gets me to the next user.
👉This user is in the docker group, so I’ll load an image mounting the host file system, and get full disk access.
👉I’ll show the ways to get a shell from that.
👉In Beyond Root, a video walkthrough of the vulnerable web-server code, showing how the injections worked, and fixing them.

😝Let's start with enumeration.

nmap
nmap finds two open TCP ports: SSH (22) and HTTP (80).

😝Based on the OpenSSH version, the host is running Debian 11 bullseye.
A simple curl shows the shoppy.htb domain in the response headers.

Subdomain Fuzz

😝A bit of fuzzing shows an /admin path that redirects us to /login.

😝I’ll add both shoppy.htb and mattermost.shoppy.htb to my /etc/hosts.

😝Browsing to /login in the web browser, we can see an authentication panel.


NoSQL Injection
😝We can bypass it with a MongoDB NoSQL injection, using the username admin'||'1==1

😝Once inside the panel we can see a user search engine.

😝We can try the same query used on the login, admin'||'1==1, in the browser.

😝When that query is used, it gives us an option to export the result.

😝We can see a couple of users, and their hashes, in this file.

😝Using john to crack the hashes, we can crack one and recover a password.

😝Looking around, we can see another login (the Mattermost server), where those credentials work.
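To show why admin'||'1==1 gets past both the login and the user search, here is an added example rather than Shoppy's actual code: it assumes the app built a MongoDB $where predicate by string concatenation (the function names and the user list below are constructed for the demo), evaluates the predicate the way $where would against each document, and shows the fixed exact-match lookup alongside it.

```javascript
// Added example, not the machine's own code. Assumption: the login and
// user-search handlers spliced the submitted username into a $where
// JavaScript predicate, which is the query shape admin'||'1==1 bypasses.

// VULNERABLE: user input becomes part of a JavaScript expression.
function buildWherePredicate(username) {
  return `this.username == '${username}'`;
}

// Stand-in for MongoDB's server-side $where evaluation: the predicate
// runs as JavaScript with `this` bound to each document in turn.
function evaluateWhere(predicate, doc) {
  return Boolean(new Function(`return (${predicate});`).call(doc));
}

// The login and the user search both reduce to "find documents matching
// the predicate"; with the payload every document matches, which is why
// the login succeeds and the search exports every user and hash.
function vulnerableFind(users, username) {
  const predicate = buildWherePredicate(username);
  return users.filter((u) => evaluateWhere(predicate, u));
}

// FIXED: the username is compared as data and never evaluated. With a
// Mongoose/driver model this is the equivalent of find({ username })
// after the type and character check below.
function safeFind(users, username) {
  // Reject non-strings (blocks operator objects such as { $ne: "" }) and
  // anything outside a plain username alphabet, so quotes and || never
  // reach the query layer at all.
  if (typeof username !== 'string' || !/^[A-Za-z0-9_.-]{1,32}$/.test(username)) {
    return [];
  }
  return users.filter((u) => u.username === username);
}

// Constructed sample collection; the hashes are placeholders, not values
// from the box.
const USERS = [
  { username: 'admin', password: '<hash-placeholder>' },
  { username: 'alice', password: '<hash-placeholder>' },
];

// Runs the payload from the walkthrough through both versions.
function demo() {
  const payload = "admin'||'1==1";
  return {
    predicate: buildWherePredicate(payload),
    vulnerableMatches: vulnerableFind(USERS, payload).map((u) => u.username),
    safeMatches: safeFind(USERS, payload).map((u) => u.username),
    legitimate: safeFind(USERS, 'admin').map((u) => u.username),
  };
}

console.log(demo());
```

The interesting line is the predicate itself: with the payload it becomes this.username == 'admin'||'1==1', and because the right-hand side of the || is a non-empty string, the expression is truthy for every document regardless of the username. The fix is not a smarter blocklist but never letting input reach a code-evaluating operator; the regex is a belt-and-braces input check on top of the exact-match query.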


😝Credentials for Jaeger
Reading the different channels, two of them have interesting information.
Jaeger asks for a machine to be set up with a username and password.
We can see a conversation which, well... gives us SSH credentials.

😝We just connect over SSH and can read the first flag.

Shell as deploy
Enumeration

😝jaeger can run /home/deploy/password-manager as the deploy user.

😝When executed it asks us for a password, so we don't get access yet.

😝If we cat the binary we can see a fragment that, once the characters are pieced together, is the static password.
Executing the file and passing the leaked password, we find credentials.


Shell as root
😝We can connect by SSH as deploy with those credentials.

😝Running id shows that deploy is in the docker group.

😝Looking at GTFOBins we can see that the docker group gives a way to a root shell.
Running a container with the host's root filesystem mounted, we are root inside it and can read the flag.

😝Even though we are root only inside the container, the host filesystem is mounted read-write, so if we modify the sudoers file from the container the change is reflected on the real machine.

++++++Rooted++++++
😊 Thanks For Reading 💕💕💕


🛡️Types of OS : Android 🌞Released on : 26th June 2021 ☢️Difficulty : Easy 👍Point: 20 💉Running nmap scan: nmap -vv — reason -Pn -A — osscan-guess — version-all -p- $IP -oN Explore.nmap nmap_scan.report 💉Running the nmap scan gives four ports port 2222 — ssh port 59777 — http port 5555 — adbshell {This can be found by looking on  google } adb_shell_port ☢️Running FFUF ffuf -u  http://explore.htb:59777/FUZZ  -w /usr/share/wordlists/dirb/big.txt -t 200 -c ffuf_scan 😃Lets visit the web-page 😜As you can see its showing forbidden. So lets try some other directory. 😃And we get the same results. Lets try to enumerate port 59777 which service uses this port on android. ☺️we get this article from  Daily-Swigg  which explain the vulnerability in ES File explorer which exposes user data on open port and anyone can read it. 😏Lets try running FFUF on  http://explore.htb:59777/sdcard/ ffuf_sdcard 😏Look like we found our first flag. So easy 😁The POC for the above vulnerability can be found o...