kedaegan.github.io

Shoppy

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Port 80

Redirects to shoppy.htb

Homepage:

/login

Gobuster Scan

Subdomain Scan:

Subdomain mattermost.shoppy.htb

Initial Foothold

Bypassed authentication as admin by submitting this username:

admin'||''==='
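
Why that username passes the login check, shown as an added example that is not from the original write-up or the target application. It assumes the server concatenates the submitted fields into a JavaScript predicate (the pattern behind MongoDB-style $where filters); the function names and sample users are constructed.

```javascript
// Added example: hypothetical login check, NOT the target's real code.
// Assumption: the backend builds a JavaScript predicate from user input
// by string concatenation and evaluates it against each user record.

// Constructed sample user store (plaintext only to keep the example short;
// a real store holds salted password hashes).
const users = [
  { username: "admin", password: "constructed-admin-secret" },
  { username: "josh", password: "constructed-josh-secret" },
];

// Vulnerable: the input becomes part of the predicate's source text.
function buildPredicate(username, password) {
  return "this.username === '" + username +
         "' && this.password === '" + password + "'";
}

function loginVulnerable(username, password) {
  let predicate;
  try {
    predicate = new Function("return (" + buildPredicate(username, password) + ");");
  } catch {
    return null; // input produced a syntax error
  }
  return users.find((u) => predicate.call(u)) || null;
}

// Hardened: the input is only ever compared as data, never parsed as code.
function loginHardened(username, password) {
  if (typeof username !== "string" || typeof password !== "string") return null;
  return users.find(
    (u) => u.username === username && u.password === password
  ) || null;
}

// With the username from the write-up the predicate text becomes
//   this.username === 'admin'||''==='' && this.password === 'x'
// && binds tighter than ||, so the password test is no longer required.
const payload = "admin'||''==='";
console.log(buildPredicate(payload, "x"));
console.log("vulnerable:", loginVulnerable(payload, "x"));
console.log("hardened:  ", loginHardened(payload, "x"));
```

The fix is structural: keep user input out of any string that is later parsed as code or as a query, and reject non-string field types before comparing.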

The Search for users button leads to a user search field.
Searching for an existing user produces a JSON export file that contains the ID, username and password.
I know admin exists because that is the username used to log in:
http://shoppy.htb/admin/search-users?username=admin

Brute-forced usernames and found josh:


Password:

Password crack:

Used josh to login to mattermost.shoppy.htb:

Interesting Messages in Development Channel:

Interesting Messages in Deploy Machine channel:

SSH as jaegar

User.txt Proof Screenshot

Privilege Escalation

Sudo -l

Strings for /home/deploy/password-manager

Catting the file reveals:


SSH as deploy

User deploy is a member of the docker group.
Using this as a guide, I was able to add a new root user:
https://flast101.github.io/docker-privesc/

SU to root

Root Screenshot Here: