Return to forum

fironeDerbert · September 17, 2022 at 4:40 PM

Shoppy - HTB [Discussion]

dumpster · September 17, 2022 at 7:08 PM

(September 17, 2022, 04:40 PM)fironeDerbert Wrote: Shoppy - HTB [Discussion]

Any leads?

nhocit · September 17, 2022 at 7:12 PM

Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title: Shoppy Wait Page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

dumpster · September 17, 2022 at 7:14 PM

i think this was goin to be Auth bypass

xurka · September 17, 2022 at 7:16 PM

check also port :9093

dumpster · September 17, 2022 at 7:21 PM

(September 17, 2022, 07:16 PM)xurka Wrote: check also port :9093

that contains metrics exposes

xurka · September 17, 2022 at 7:28 PM

it is googled to https://github.com/timescale/promscale but no issues or vuln found

elliotal · September 17, 2022 at 7:53 PM

if you put username' in the username field, the server couldnt proccess it for some reason

dumpster · September 17, 2022 at 7:57 PM

Guys i fuzzed a "9093" port output looks soo wierd

xurka · September 17, 2022 at 8:00 PM

(September 17, 2022, 07:53 PM)elliotal Wrote: if you put username' in the username field, the server couldnt proccess it for some reason

there is injection there that bring us as admin:
admin'||''==='
then we search the same username and get all users hashes
but hashes are uncrackable