Shoppy.md

File metadata and controls

142 lines (68 loc) · 5.5 KB

https://www.hackthebox.com/machines/Shoppy

Initial Recon:

Ran the scan using the Rust:

Found 3 open ports: 22, 80, 9093

Added shoppy.htb to the hosts file.

Moved on to subdomain enumeration.

Then scanned for vhosts and found 1 vhost, i.e.: mattermost.shoppy.htb


Exploitation:

Now I have 2 URLs to log in to:

- mattermost.shoppy.htb/login
- shoppy.htb/login

Tried multiple SQLi parameters but failed to log in. Used payloads from: https://book.hacktricks.xyz/pentesting-web/nosql-injection

Then on the shoppy.htb login page, tried this parameter: admin'||'1=1

After using admin'||'1=1, found that we are able to log in successfully.

Found a page where I tried the same parameter, admin'||'1=1, and got a Download export option. The export contains 2 users' names & password hashes, i.e.: admin & josh
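Why this parameter works on both the login and the search page, as an added example that is not part of the original write-up or the target application's code. It assumes the backend concatenates the username into a MongoDB-style `$where` JavaScript expression (the page does not show the server code); `whereMatch`, `loginVulnerable`, `searchVulnerable`, `loginHardened` and the sample users are constructed for illustration.

```javascript
// Added illustration, not the application's real code.
// Assumption: the handlers build a $where-style JavaScript expression by
// string concatenation. whereMatch() emulates that over an in-memory list.

const users = [ // constructed sample documents
  { username: "admin", password: "hash-a" },
  { username: "josh", password: "hash-j" },
];

// Evaluate `expr` once per document with `this` bound to the document,
// which is how a $where expression is applied to a collection.
function whereMatch(docs, expr) {
  const pred = new Function(`return (${expr});`);
  return docs.filter((doc) => Boolean(pred.call(doc)));
}

// Vulnerable login: input is pasted into the expression text.
// With username admin'||'1=1 the expression becomes
//   this.username === 'admin' || ('1=1' && this.password === '...')
// because && binds tighter than ||, so the password test is skipped for admin.
function loginVulnerable(username, password) {
  const expr =
    `this.username === '${username}' && this.password === '${password}'`;
  return whereMatch(users, expr);
}

// Vulnerable search: no trailing && clause, so for every other document the
// expression falls through to the truthy string '1=1' and all users match.
function searchVulnerable(username) {
  return whereMatch(users, `this.username === '${username}'`);
}

// Hardened login: reject non-string input (blocks operator objects such as
// { $ne: null }) and compare values as data instead of parsing them as code.
function loginHardened(username, password) {
  if (typeof username !== "string" || typeof password !== "string") return [];
  return users.filter(
    (u) => u.username === username && u.password === password
  );
}
```

With a real MongoDB driver the hardened form corresponds to an equality filter on validated string fields instead of `$where`.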


Cracking hash!

We can use hashcat or CrackStation to crack the gathered hashes of 'josh' & 'admin':

josh : 6ebcea65320589ca4f2f1ce039975995

Cracked the josh hash & found the password: remembermethisway. But I was not able to crack the admin hash.


User access:

Now that we have the password of josh, we can try the SSH login & the mattermost.shoppy.htb login.

- SSH access is denied with user josh, no luck here 😕
- Login on the domain mattermost.shoppy.htb, and pwn3d! 🙂
- While enumerating the logged-in page, found that a username and password are shared in the 'Deploy Machine':
  - username: jaeger
  - password: Sh0ppyBest@pp!

Using these credentials, we successfully logged in over SSH.


Root access

Did some manual recon & executed sudo -l.

Checked the executable file in text format.

By looking at the extracted content, found that the file contains the password for josh's password manager, i.e.: Sample

Using the gathered credentials, logged into josh's password manager.

And got another set of credentials:

- username: deploy
- password: Deploying@pp!

Switched user to deploy & checked for running processes using the 'top' command but didn't find any, which means we are in a docker container right now.

Now that we are aware that we are in a docker container, we can run the docker priv esc command from GTFOBins.

After running it, we spawned the root shell & escaped the docker container.