HackTheBox

Writeups for the Hack The Box machines


https://www.hackthebox.com/machines/Shoppy

image

Initial Recon:

Ran the scan using the Rust :

image

Found 3 open ports: 22, 80, 9093

image

Added shoppy.htb to the hosts file.

Moved on to subdomain enumeration:

image

Then scanned for vhosts:

image

Here I found 1 vhost: mattermost.shoppy.htb


Exploitation:

Now I have 2 URLs to log in to:

- mattermost.shoppy.htb/login
- shoppy.htb/login

image

Tried multiple SQLi payloads but failed to log in. Used payloads from: https://book.hacktricks.xyz/pentesting-web/nosql-injection

Then, on the shoppy.htb page, tried this parameter: **admin’   ‘1=1**

image

After using admin’   ‘1=1, we were able to log in successfully.
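Why a quote in the username field can change the login query at all, and what the hardened handler looks like, shown as an added example (not code from the Shoppy application). It assumes the handler builds a MongoDB `$where` expression from the form fields; all function names and the sample user are hypothetical, and `matches` is an offline stand-in for the database.

```javascript
// Added example, not the Shoppy application's code. Assumption: the login
// handler builds a MongoDB $where expression from the submitted form fields.
// All function names are hypothetical.

// VULNERABLE: the username is pasted into the JavaScript expression, so a
// quote character in it ends the string literal and the rest is parsed as code.
function buildFilterVulnerable(username, passwordHash) {
  return {
    $where: `this.username === '${username}' && this.password === '${passwordHash}'`,
  };
}

// HARDENED: input is only ever a value. Non-strings (operator objects sent as
// JSON) are rejected, and $eq pins each field to a literal comparison.
function buildFilterHardened(username, passwordHash) {
  for (const [name, value] of Object.entries({ username, passwordHash })) {
    if (typeof value !== "string" || value.length === 0 || value.length > 128) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  return { username: { $eq: username }, password: { $eq: passwordHash } };
}

// Stand-in for the database so the example runs offline: evaluates either
// filter shape against one user document.
function matches(filter, doc) {
  if ("$where" in filter) {
    // Emulates server-side JavaScript evaluation of $where.
    return Boolean(new Function(`return (${filter.$where});`).call(doc));
  }
  return Object.entries(filter).every(([field, cond]) => doc[field] === cond.$eq);
}

// Returns "match", "no-match", "query-error" or "rejected" for a login attempt.
function tryLogin(buildFilter, username, passwordHash, doc) {
  try {
    return matches(buildFilter(username, passwordHash), doc) ? "match" : "no-match";
  } catch (err) {
    return err instanceof SyntaxError ? "query-error" : "rejected";
  }
}

// Constructed sample data: a legitimate username that contains a quote.
const sampleUser = { username: "o'brien", password: "constructed-hash" };
```

With the vulnerable builder, even this benign username reaches the expression parser and breaks the query; with the hardened builder the same string is compared as data.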

Found the page:

image

There I tried the same parameter, admin’   ‘1=1, and got a Download export option. The export contains the usernames & password hashes of 2 users: admin & josh.

image image


Cracking hash!

We can use hashcat or CrackStation to crack the gathered hashes of ‘josh’ & ‘Admin’:

Josh : 6ebcea65320589ca4f2f1ce039975995

image

Cracked the Josh hash & found the password: remembermethisway. But I was not able to crack the Admin hash.


User access:

Now that we have the password of josh, we can try the SSH login & the mattermost.shoppy.htb login:

- SSH access is denied with user josh, no luck here 😕 ![image](https://user-images.githubusercontent.com/87700008/198864769-039b852b-7233-43a8-9190-ec83963f0a57.png)

- Login on the domain mattermost.shoppy.htb, and pwn3d! 🙂

image

- While enumerating the logged-in page, found that a username & password are shared in the 'Deploy Machine':
username: jaeger
password: Sh0ppyBest@pp!

image

After using these credentials, we successfully logged in over SSH:

image image


Root access

Did some manual recon, executed sudo -l & found this:

image

Checked the executable file in text format & found this : image

Looking at the extracted content, found that the file contains the password for josh's password manager: Sample

Using the gathered credentials, logged into josh's password manager: image

And got another set of credentials:

- username: deploy
- password: Deploying@pp!

Switched user to deploy & checked for running processes using the ‘top’ command but didn’t find any, which means we are in a docker container right now:

image image

Now that we are aware that we are in a docker container, we can run the docker priv esc command from GTFOBins:

image image

After running it, we spawned the root shell & escaped the docker container.