HackTheBox — Shoppy

ARZ101
5 min readJan 13, 2023

Shoppy an easy rated linux machine involved bypassing authentication through NoSQLi, further getting the credentials through that again which was used on mattermost subdomain found from fuzzing, from there finding jaeger’s credentials and logging in through ssh, with sudo privileges this user can run the password-manager binary as deploy which asks for a password that can be found by reversing the binary, giving us the credentials for deploy user which is a part of docker group through which we can escalate to root by mounting the root directory / of the machine in an alpine container.

NMAP

Nmap scan report for 10.10.11.180                                                                                                                                                                                                 
Host is up (0.12s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:

PORT 80

Visiting the website, it redirects to shoppy.htb so, add this in /etc/hosts file

The site just only shows a timer for a beta site

Fuzzing for files and directories using gobuster, this finds admin which redirects us to login page also fuzzing for subdomain it finds mattermost subdomain

Adding the subdomain in /etc/hosts file

Visiting the subdomain we’ll get a login page which needs valid credentials so let’s move back to the admin panel we had

Checking for sql injection, it just doesn’t respond if there’s a single quote ' in username

And just times out

So there’s some filtering going on I guess as sqlmap doesn’t work either

If we make an invalid request it will show a message about cannot GET the request which indicates that web application is using routes

So this application is probably using node js, we can try looking for ways to bypass login on node js, for this I spent hours on search bypassing login on node and didn’t find much, tried different payloads, read articles for bypassing authenticate on nodejs and found this article

Foothold

From this article it explained using ' || 'a'=='a which will make the query return true allowing us to login so our paylodad will be

admin' || 'a'=='a

From the dashboard, we can search for users

Which is also vulnerable to sqli

On using the same sqli payload, we’ll get exports.json file which has user's hashes, we can try cracking them if they are crackable

Cracksation cracked josh's hash but admin's hash wasn't crackable

Now using the credentials on mattermost, we’ll get logged in and we can find the credentials which we can use on SSH from Deploy Machine channel

Privilege Escalation (deploy)

With sudo -l we can check what permissions we have to run something as a privileged or other user

This shows that we can run password-manager with deploy user but this binary asks for a password which we don't know

For this we need to reverse the binary through ghidra

This shows us the string Sample which is being compared to our input and allows us to read /home/deploy/creds.txt if it's the matches

So we can enter Sample as the password which will return the contents of creds.txt from deploy’s home directory

We can use this password to switch to deploy user

Privilege Escalation (root)

From the output of id command, this user is in docker group so we can abuse that by mounting chroot (/) of the host machine in /mnt and spawn an alpine container executing commands so we can spawn bash

docker run -v /:/mnt --rm -it alpine chroot /mnt bash

References

--

--