
HacktheBox Walkthrough - Shoppy

🟥Name ➡️ Shoppy
🟥Release Date ➡️ 17 Sep 2022
🟥Retire Date ➡️ 14 Jan 2023
🟥OS  ➡️ Linux
🟥Base Points Easy ➡️ [20]
🟥First Blood User 6 mins, 03 seconds 22sh
🟥First Blood Root 12 mins, 37 seconds 22sh

👉Shoppy was one of the easier HackTheBox weekly machines to exploit, though identifying the exploits for the initial foothold could be a bit tricky.
👉I’ll start by finding a website and use a NoSQL injection to bypass the admin login page, and another to dump users and hashes.
👉With a cracked hash, I’ll log into a Mattermost server where I’ll find creds to the box that work for SSH.
👉From there, I’ll need the lightest of reverse engineering to get a static password from a binary, which gets me to the next user.
👉This user is in the docker group, so I’ll load an image mounting the host file system and get full disk access. I’ll show the ways to get a shell from that.
👉In Beyond Root, a video walkthrough of the vulnerable web-server code, showing how the injections worked, and fixing them.

😝Let's start with enumeration.

nmap
Finds two open TCP ports: SSH (22) and HTTP (80).

😝Based on the OpenSSH version, the host is running Debian 11 bullseye.
By doing a simple curl and looking at the headers we can see the shoppy.htb domain.

Subdomain Fuzz

😝Doing a bit of fuzzing we find /admin, which redirects us to /login.

😝I’ll add both shoppy.htb and mattermost.shoppy.htb to my /etc/hosts.

😝Now, looking at it in the browser, we can see an authentication panel.


NoSQL Injection
😝We can bypass it with a MongoDB NoSQL injection, using the payload admin'||'1==1 as the username.

😝Once inside the panel we can see a user search function.

😝We can try the same payload from the login, admin'||'1==1, in the search field in the browser.

😝After running the query we get an option to export the results.

😝We can see a couple of users and their password hashes in this file.

😝Using john to crack the hashes, one of them cracks and gives us a password.
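To make clear why the payload admin'||'1==1 bypasses the login and dumps every user, here is an added example (it is not the Shoppy application's own code, and the exact way Shoppy built its queries is an assumption). It simulates two ways a Node/MongoDB login and user search could be written: a vulnerable form that splices user input into a $where JavaScript expression, and a hardened form that uses a structured query object. MongoDB evaluates a $where expression against each document with `this` bound to it; that evaluation is mimicked with `new Function` over a constructed in-memory collection, so it runs without a database.

```javascript
// Added example, not the Shoppy application's own code. Simulates a $where-based
// login/search (assumed vulnerable pattern) next to a structured-query version.

// Constructed sample collection (clear-text passwords only to keep the simulation
// short; a real application stores and compares password hashes).
const users = [
  { username: 'admin', password: 'constructed-admin-pass' },
  { username: 'josh', password: 'constructed-josh-pass' },
];

// Runs a $where-style expression against every document, as MongoDB would.
function evaluateWhere(expr) {
  let predicate;
  try {
    predicate = new Function(`return (${expr});`);
  } catch (e) {
    return []; // a syntactically broken expression would be a query error
  }
  return users.filter((doc) => predicate.call(doc));
}

// VULNERABLE (assumed pattern): user-controlled strings spliced into the JS
// expression. The quote in admin'||'1==1 closes the string literal and the rest
// becomes code:  this.username === 'admin'||'1==1' && this.password === '...'
// The non-empty string '1==1' is truthy, so the admin document matches whatever
// the password is, and the search variant matches every document.
function vulnerableLogin(username, password) {
  const expr = `this.username === '${username}' && this.password === '${password}'`;
  return evaluateWhere(expr)[0] || null;
}

function vulnerableSearch(username) {
  return evaluateWhere(`this.username === '${username}'`);
}

// HARDENED: input is type-checked and placed in a query object, so it is compared
// as data and never parsed as code. With the real driver this is
// collection.findOne({ username, password }) instead of any $where expression.
// The typeof check also rejects operator injection such as {"$ne": null} arriving
// as JSON, which a plain string cannot express.
function safeLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  const query = { username, password };
  return (
    users.find((doc) => doc.username === query.username && doc.password === query.password) || null
  );
}

function safeSearch(username) {
  if (typeof username !== 'string') return [];
  return users.filter((doc) => doc.username === username);
}

// Usage: the same payload against both forms.
const payload = "admin'||'1==1";
console.log('vulnerable login  :', vulnerableLogin(payload, 'wrong')); // admin document
console.log('vulnerable search :', vulnerableSearch(payload).length, 'users'); // 2 (all)
console.log('hardened login    :', safeLogin(payload, 'wrong')); // null
console.log('hardened search   :', safeSearch(payload).length, 'users'); // 0
```

The fix is not escaping quotes but never letting user input reach a code-evaluating operator at all: with a structured query the driver serialises the value as BSON and it can only ever match a field by equality, which is also why the type check on each field matters for JSON bodies.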

😝Taking a look around, we find another login, where we can use these credentials.


😝Credentials for Jaeger
Reading through the different channels, two of them have interesting information.
Jaeger asks for a machine to be set up with a username and password.
We can see a conversation which, well... gives us SSH credentials.

😝We just connect over SSH and can read the first flag.

Shell as deploy
Enumeration

😝jaeger can run /home/deploy/password-manager as the deploy user.

😝When executed it asks us for a password, which we do not have.

😝If we cat the binary we can spot a readable fragment that, cleaned up, looks like this.
Executing the binary and passing it the leaked password, we find credentials.


Shell as root
😝We can connect over SSH as deploy with these credentials.

😝Running id we can see that deploy is in the docker group.

😝Looking at GTFOBins we can see that there is a way to get a root shell from this.
Running a container with the host's root filesystem mounted, we are root inside it and can read the flag.

😝Even though we are root only inside the container, the mount is the host's filesystem, so we can modify the sudoers file and see the change reflected on the real machine.
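The takeaway from this step for anyone maintaining a box like this is that docker group membership is root access by another name, so it belongs in the same audit and alerting as sudo. As an added example (not from the walkthrough or the box), here is a small Node script that parses an /etc/group file and reports members of groups that are effectively root-equivalent; the sample group file is constructed, with the gids made up and only the user names taken from the walkthrough.

```javascript
// Added example, not from the walkthrough: audit /etc/group for membership in
// groups that grant root-equivalent power (docker, lxd, disk, sudo, wheel).

// Groups whose membership is effectively root, with the reason for each.
const ROOT_EQUIVALENT_GROUPS = {
  docker: 'can run containers that mount the host filesystem as root',
  lxd: 'can launch privileged LXD containers that mount the host filesystem',
  disk: 'can read and write raw block devices, bypassing file permissions',
  sudo: 'sudo access (check /etc/sudoers for the actual scope)',
  wheel: 'sudo access on wheel-based distributions',
};

// Parse /etc/group text into { groupName: [members] }.
// Line format: name:passwd:gid:member1,member2
function parseGroupFile(text) {
  const groups = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const fields = line.split(':');
    if (fields.length < 4) continue; // malformed line, skip it
    const members = fields[3] ? fields[3].split(',').filter(Boolean) : [];
    groups[fields[0]] = members;
  }
  return groups;
}

// One finding per (group, user) pair found in a root-equivalent group.
function auditRootEquivalentGroups(text) {
  const groups = parseGroupFile(text);
  const findings = [];
  for (const [name, reason] of Object.entries(ROOT_EQUIVALENT_GROUPS)) {
    for (const user of groups[name] || []) {
      findings.push({ group: name, user, reason });
    }
  }
  return findings;
}

// Constructed sample in the shape of a Debian /etc/group (gids are made up).
const SAMPLE_GROUP_FILE = `
root:x:0:
sudo:x:27:
users:x:100:
docker:x:998:deploy
jaeger:x:1000:
deploy:x:1001:
`;

function main() {
  // Pass a path (e.g. /etc/group) as the first argument to audit a live host;
  // without one the constructed sample is used.
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_GROUP_FILE;
  const findings = auditRootEquivalentGroups(text);
  for (const f of findings) {
    console.log(`[!] ${f.user} is in group '${f.group}': ${f.reason}`);
  }
  if (findings.length === 0) console.log('No members of root-equivalent groups found.');
}

if (typeof require !== 'undefined' && require.main === module) main();
```

On the sample this reports only `deploy` in `docker`; on a real host, every user it lists should be justified the same way a sudoers entry would be, and the docker socket should only be reachable by those accounts.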

++++++Rooted++++++
😊 Thanks For Reading 💕💕💕
