sábado, 14 de enero de 2023

Shoppy HackTheBox Writeup


Scanning

We performed an nmap scan of all ports, including scripts and software versions. We list the domain "shoppy.htb" in the nmap information.


Enumeration

We put the domain "shoppy.htb" in our "/etc/hosts" file and access the website, inside we see a kind of countdown to present the beta of their software.



We launched dirsearch and discovered some interesting routes:


On the other hand, we access the port 9093 resource, we see a kind of plugins playbooks log:


Exploitation

But let's go by parts, we continue with the port 80 service, we access an authentication panel of a software called "Shoppy".


Tests on the authentication panel, attempt to bypass the login and we see that we can access with the following payload in user and password "'||'2'||'".


We try to set default users as "admin", we see that it exists and it creates a file to download.


If we click on it, we see that it exports a json file with the user's hashed credentials:


Now we try to search for users, since there are no other options, but something tells me that we are going to have to fuzz with a dictionary of user names:


We launch an enumeration of users with wfuzz and we see that valid users are appearing:


We reviewed the information of the user "Josh":


We try to get the password from hashes.com and see that we can get the password in plain text:



We try to use the credentials on the SSH service, but we see that they don't work, so we must be missing some other web service to enumerate.

So we try to enumerate subdomains under "shoppy.htb" with the wfuzz tool and enumerate the subdomain "mattermost.shoppy.htb":


Other panel enumerate:


We access with the credentials and find that credentials are being shared through a "Mattermost" channel:


We access by SSH, list the files, read the user flag and see that we can execute a binary called "password-manager" with the user "deploy":


Privilege Escalation

If we try to run the binary, we see that it asks for credentials. So I ran a "strings" on the path of the binary and saw that it internally tries to read a file that is supposed to contain the valid credentials.


But we do not have access to read the file "creds.txt":


We review the permissions and files that exist in the folder of the user "deploy":


We try to "cat" binary over the "password-manager" file and we see that a string that could be the password is being leaked:


We test the password and obtain the credentials of the "deploy" user:



We authenticate as the "deploy" user and see that we are in relevant groups to read files or do privilege escalations:


So we don't complicate things, we run docker to raise a shell and we manage to read the root flag.