
#Shoppy

  • Writer: bikupothen1615
  • Oct 1, 2022
  • 1 min read

Updated: Dec 9, 2022

Shoppy is an easy-level Linux machine on Hack The Box.



Recon


We start with an aggressive nmap scan, which found 2 open ports: 80 and 22.


Using feroxbuster, we looked for hidden directories and found an admin endpoint.



We used wfuzz to look for subdomains, which turned up a subdomain named "mattermost".


Using a web browser we open "mattermost.shoppy.htb", which was also a login page.


Foothold


After trying NoSQL injection with the payload admin' || '1=1 we successfully bypassed authentication.


The website has a search box. We used the same payload that was used for authentication inside the search box, which revealed some usernames and their hashed passwords.
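Why the same payload works on both the login form and the search box, as an added example (not code from the original post or from the target application). It assumes both handlers build a server-side JavaScript filter by string concatenation, modeled here in memory; the collection contents and all function names are constructed.

```javascript
// Constructed sample collection; the hashes are placeholders, not real values.
const users = [
  { username: 'admin', password: 'constructed-hash-1' },
  { username: 'josh', password: 'constructed-hash-2' },
];

// Stand-in for a $where-style filter: the expression text is evaluated
// once per document, with `this` bound to that document.
function whereFilter(docs, expr) {
  const pred = new Function(`return (${expr});`);
  return docs.filter((doc) => Boolean(pred.call(doc)));
}

// VULNERABLE (assumed pattern): user input becomes part of the expression.
function loginVulnerable(username, password) {
  const expr = `this.username === '${username}' && this.password === '${password}'`;
  return whereFilter(users, expr).length > 0;
}
function searchVulnerable(username) {
  return whereFilter(users, `this.username === '${username}'`).map((u) => u.username);
}

// HARDENED: input is only compared as data and must be a string, which
// also rejects operator objects such as { $ne: null }.
function loginHardened(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  return users.some((u) => u.username === username && u.password === password);
}
function searchHardened(username) {
  if (typeof username !== 'string') return [];
  return users.filter((u) => u.username === username).map((u) => u.username);
}

const payload = "admin' || '1=1"; // the payload quoted in the writeup
// Login: `x === 'admin' || ('1=1' && pw === '...')` is true for the admin document.
console.log('vulnerable login :', loginVulnerable(payload, 'wrong'));
// Search: `x === 'admin' || '1=1'` is truthy for every document.
console.log('vulnerable search:', searchVulnerable(payload));
console.log('hardened login   :', loginHardened(payload, 'wrong'));
console.log('hardened search  :', searchHardened(payload));
```

Against a real MongoDB backend the hardened form corresponds to passing the validated strings as field values in the query document instead of building a `$where` string.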


Using hashcat, we cracked the password for josh and logged into mattermost.shoppy.htb.

Once logged in we found many chat groups, and among them there was one named deploy machine, which contained a username and password for another user named jaeger.


Gaining Access


Using the SSH port we get shell access and run sudo -l; the resulting output has the following message


When we run the sudo -u command, it asks for another master password.

So we try to read that specific file, named password manager. Even though it is a binary, it contains some ASCII characters, which include the master password.


After running the command with the correct password we got another set of credentials, for the user deploy.


Privilege Escalation


Using deploy's credentials we connect over SSH and run the id command, which shows that the deploy user is in the docker group. With the help of GTFOBins we found a payload for privilege escalation.


PWNED.!!!

 
 
 
