Shoppy

Introduction

Shoppy is an easy box; however, I had to refer to the HackTheBox forum for a nudge and do extensive research just to get a foothold. I also learned about MongoDB NoSQL injection, which was the actual cause of the WTF moments.

Enumeration

Down to business: Nmap returned three open ports, as seen below. The last one, port 9093, is simply a page displaying metrics on the running services.

The webpage redirects to shoppy.htb, so I had to add the entry to the hosts file to be able to access it.

The URL led to the page below, which displays a countdown and no links. robots.txt does not exist either, so I had to try directory brute-forcing.

Directory brute-forcing found a login page, but so far I hadn't found credentials to log in with; basic default credentials didn't work either. This was the part where I started pulling out my hair and had to check out the conversation on the HTB forum page. I got a nudge and started Googling, and eventually I found this page about MongoDB NoSQL injection.

Using the payload from that page, admin'||''===', I was able to get past the login page.

Behind the login is a static page with a button to search for users. Searching for admin returned the user ID and hashed password; other usernames I searched for were not valid. I tried cracking the password, which happened to be an MD5 hash, but no result was found. Then I used the same payload as for the login injection and got the ID and password for a user named josh.

This time the password hash was successfully cracked.

Now I have a cracked password; what can I do with that?... You guessed right. I ran off to SSH but, I kid you not, no access 😪.

Total roadblock: no other open port apart from 9093, so I decided to skim through its metrics and see whether I could spot a running service. Indeed, I found a lead.

Another round of Googling and research, and then I found the GitHub page below about Mattermost.

The site seems to have Mattermost running somewhere, but not on port 80 or 9093, and I used the Nmap -p- switch so I didn't miss an open port. The directory /mattermost doesn't exist either, so there is one more option to try... yes, a subdomain... yes, it worked.

I tried the hard-won credential for poor josh and got access to their mattermost-playbook account.

User

With Jaeger's credentials from the chat above, I was able to SSH into the system and get the user flag.

Privilege Escalation

So, we are currently logged in as Jaeger, but there is another account on the box: deploy.

Trying the first priv-esc check, sudo -l, we see that J. can run the command below as root (and also as deploy).

Running the file as authorised in the sudoers entry, I was asked to enter the master password... what master password? 🤦

I cat'ed the password_manager file to see whether I could find a hint. Well, I found both the hint and the password. Simple, huh?

Running the password_manager command again with the master password, we got the deploy login credentials.

Remember, in the screenshot of the Mattermost conversation, josh mentioned a docker deployment.

Checking GTFOBins for a docker priv-esc payload, we got instant root on execution.

Pheew!🕵️