Shoppy is an easy-level Linux machine on Hack The Box.
Recon
We start with an aggressive nmap scan, which found two open ports: 80 and 22.
Using feroxbuster, we looked for hidden directories and found an admin endpoint.
We used wfuzz to look for subdomains, which gave us a subdomain named "mattermost".
Opening "mattermost.shoppy.htb" in a web browser showed that it was also a login page.
Foothold
After trying NoSQL injection with the payload admin' || '1=1, we successfully bypassed authentication.
The website has a search box. Entering the same payload that was used for authentication into the search box revealed some usernames and their hashed passwords.
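Why the payload above works on both the login and the search box, as an added example that is not code from the original write-up or from the box itself. It assumes the handlers build a JavaScript predicate by string concatenation (the pattern behind a MongoDB `$where` clause), models that in plain Node.js, and sets it beside a form that only ever compares input as data; all function names and records are hypothetical.

```javascript
// Constructed sample records; names and hashes are placeholders, not from the box.
const users = [
  { username: "admin", passwordHash: "hash-a" },
  { username: "josh", passwordHash: "hash-b" },
];

// Assumed vulnerable pattern: input pasted into a JavaScript predicate string,
// as happens when a MongoDB `$where` clause is built by concatenation.
function runWhere(predicateSource) {
  const predicate = new Function(`return (${predicateSource});`);
  return users.filter((doc) => predicate.call(doc));
}

function vulnerableLogin(username, passwordHash) {
  return runWhere(
    `this.username === '${username}' && this.passwordHash === '${passwordHash}'`
  ).map((doc) => doc.username);
}

function vulnerableSearch(username) {
  return runWhere(`this.username === '${username}'`);
}

// Hardened form: input is only ever compared as data. With a real driver this
// is a plain field match such as { username: { $eq: username } }, never $where.
function isPlainString(value) {
  return typeof value === "string";
}

function safeLogin(username, passwordHash) {
  if (!isPlainString(username) || !isPlainString(passwordHash)) return [];
  return users
    .filter((doc) => doc.username === username && doc.passwordHash === passwordHash)
    .map((doc) => doc.username);
}

function safeSearch(username) {
  if (!isPlainString(username)) return [];
  return users.filter((doc) => doc.username === username);
}

const payload = "admin' || '1=1"; // the payload quoted in this write-up
console.log(vulnerableLogin(payload, "wrong")); // [ 'admin' ]
console.log(vulnerableSearch(payload).length);  // 2
console.log(safeLogin(payload, "wrong"), safeSearch(payload)); // [] []
```

In the login predicate `&&` binds tighter than `||`, so the password check is skipped only for the admin record, while in the search predicate the trailing `'1=1'` is a truthy string and every record matches.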
Using hashcat, we cracked the password for josh and logged into mattermost.shoppy.htb.
Once logged in, we found many chat groups, and one of them, named deploy machine, contained a username and password for another user named jaeger.
Gaining Access
Using the SSH port, we got shell access and ran sudo -l. The resulting output has the following message
When we ran the sudo -u command, it asked for another master password.
So we tried to read that specific file, named password manager. Even though it was a binary, it contained some ASCII characters, which included the master password.
After running the command with the correct password, we got another set of credentials, for the user deploy.
Privilege Escalation
Using deploy's credentials, we connected over SSH and ran the id command, which showed that the deploy user is in the docker group. With the help of GTFOBins, we found a payload for privilege escalation.
PWNED.!!!