Hack The Box. Walkthrough Shoppy. NoSQL injection and vulnerability in docker

An investigation of nmap -sV -sC showed:

port 22: OpenSSH

port 80: ngingx 1.23.1: redirects to http://shoppy.htb

Let’s write the ip address of the machine and shoppy.htb, for display, in /etc/hosts.

Vhost via gobuster:

While we are scanning with nmap, we use gobuster to find potential subdomains and expand penetration opportunities.

gobuster vhost -w /home/hell59/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb

Manually explore the web application:

We examine manually the source code of the application.

We do not find anything but a timer.

Search for files and directories:

Let’s look for directories and files, maybe we’ll find something interesting.

wfuzz -c -z file,/hell59/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "http://shoppy.htb/FUZZ/"

We see that there is a /admin prefix through which we get to /login:

MongoDB NoSQL:

Looking at the authorization, we understand that this is a MongoDB NoSQL database.

We can log in using the following NoSQL injection logic:

login: admin'||'1==1
password: admin


You can read about NoSQL injections here: https://book.hacktricks.xyz/pentesting-web/nosql-injection .

Let’s introduce admin'||'1==1 и получим список пользователей и хэш.

Use hashcat to crack the resulting md5 hash:

Let’s use hashcat with the rockyou.txt dictionary and look at the results:

Log in to the subdomain.

Now go to the subdomain mattermostafter adding it to /etc/hosts ,

http://www.mattermost.shoppy.htb with the obtained password.

Here is the user’s chat history, and we will find important information about the machine deploy:

Get the user flag:

With the received data, we log in via SSH, find the user.txt flag, and do cat user.txt.

Sudo -l

If you dig around and pay attention to all the files in the password-manager, you can fish out and substitute the Sample password.

Thus, we get the username and password data:

Log in via SSH as deploy user.

Get the root flag:

We use the docker vulnerability described here: https://gtfobins.github.io/gtfobins/docker/ .

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Hooray, we got root!

Similar Posts

One Comment

  1. I don’t see the authorization header, how did you determine it was MongoDB NoSQL

Leave a Reply

Your email address will not be published. Required fields are marked *