#Shoppy

Shoppy is a Hack The Box easy level linux machine.

Recon

we start with nmap aggressive scan which found 2 open ports ie, 80 and 22

Using feroxbuster we looked for hidden directory which found an admin endpoint.

We used wfuzz to look for subdomains which helped us in getting a subdomain named "mattermost"

using web browser we get "mattermost.shoppy.htb" which was also an login page.

Foothold

After trying Nosqli injection with payload admin' || '1=1 we successfully bypassed authentication.

website consist of a search box, we used the same payload that was used for authentication inside the search box which reveled some username and there hashed passwords

Using hashcat cracked the password for josh and logged into mattermost.shoppy.htb

Once logged in we found many chat groups and among one there was one named deploy machine we consist of username and password for another user named jaeger.

Gaining Access

Using ssh port we take shell access and run sudo -l, resulting output has the following message

when we run sudo -u command it asked for another master password

so we try to read that specific file named password manager, even though it was binary it contain some ASCII characters which consist of master password.

So after running the command with correct password we got another credentials for user deploy.

Privilege Escalation

Using deploy's cred we take ssh connection and run id command which help us to know that deploy user in docker group. So with the help of GTFobins we found payload for privilege escalation.

PWNED.!!!