Shoppy an easy rated linux machine involved bypassing authentication through NoSQLi, further getting the credentials through that again which was used on mattermost subdomain found from fuzzing, from there finding jaeger’s credentials and logging in through ssh, with sudo privileges this user can run the password-manager binary as deploy which asks for a password that can be found by reversing the binary, giving us the credentials for deploy user which is a part of docker group through which we can escalate to root by mounting the root directory / of the machine in an alpine container.
NMAP
Nmap scan report for 10.10.11.180
Host is up (0.12s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:PORT 80
Visiting the website, it redirects to shoppy.htb so, add this in /etc/hosts file
The site just only shows a timer for a beta site
Fuzzing for files and directories using gobuster, this finds admin which redirects us to login page also fuzzing for subdomain it finds mattermost subdomain
Adding the subdomain in /etc/hosts file
Visiting the subdomain we’ll get a login page which needs valid credentials so let’s move back to the admin panel we had
Checking for sql injection, it just doesn’t respond if there’s a single quote ' in username
And just times out
So there’s some filtering going on I guess as sqlmap doesn’t work either
If we make an invalid request it will show a message about cannot GET the request which indicates that web application is using routes
So this application is probably using node js, we can try looking for ways to bypass login on node js, for this I spent hours on search bypassing login on node and didn’t find much, tried different payloads, read articles for bypassing authenticate on nodejs and found this article
Foothold
From this article it explained using ' || 'a'=='a which will make the query return true allowing us to login so our paylodad will be
admin' || 'a'=='aFrom the dashboard, we can search for users
Which is also vulnerable to sqli
On using the same sqli payload, we’ll get exports.json file which has user's hashes, we can try cracking them if they are crackable
Cracksation cracked josh's hash but admin's hash wasn't crackable
Now using the credentials on mattermost, we’ll get logged in and we can find the credentials which we can use on SSH from Deploy Machine channel
Privilege Escalation (deploy)
With sudo -l we can check what permissions we have to run something as a privileged or other user
This shows that we can run password-manager with deploy user but this binary asks for a password which we don't know
For this we need to reverse the binary through ghidra
This shows us the string Sample which is being compared to our input and allows us to read /home/deploy/creds.txt if it's the matches
So we can enter Sample as the password which will return the contents of creds.txt from deploy’s home directory
We can use this password to switch to deploy user
Privilege Escalation (root)
From the output of id command, this user is in docker group so we can abuse that by mounting chroot (/) of the host machine in /mnt and spawn an alpine container executing commands so we can spawn bash
docker run -v /:/mnt --rm -it alpine chroot /mnt bash