80
The IP redirects to shoppy.htb so I put it in the hosts file. Because this is a vhost it makes sense to run vhost fuzzing. (I merged both subdomains-top1million and bitquark subdomains into one file to be thorough next time. The subdomain found here didn't exist in subdomains-top1million. It's better to be thorough even though fuzzing will take longer.)
ffuf -u http://10.10.11.180 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1mill-bitquark.txt -H 'Host: FUZZ.shoppy.htb' -fs 169
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.180
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1mill-bitquark.txt
:: Header : Host: FUZZ.shoppy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 169
________________________________________________
mattermost [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 75ms]
:: Progress: [191406/191406] :: Job [1/1] :: 266 req/sec :: Duration: [0:06:46] :: Errors: 0 ::

The main page is kinda empty so I ran directory fuzzing.
We find a login page.
When we request a path that doesn't exist, such as /TESTING, we get 'Cannot GET /TESTING'. That is the default 404 message of the Express framework, so the backend is probably Node.js and most likely paired with a NoSQL database like MongoDB. Node.js has packages such as mongoose that make integrating MongoDB easy. I don't have any experience with NoSQL injections so ippsec's walkthrough really helped a lot!

Using the NoSQLi payload we get in.

There is a "Search for users" feature that, if the username exists, returns that user's hashed password from the database.

We know that the DB query is vulnerable to NoSQLi, so we might be able to dump all users by sending the search payload: admin'||'1'=='1
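To see why that payload returns every user, here is an added example (my own code, not the box's application or anything from the writeup) that models the search endpoint in two forms. The writeup does not show the server code, so the shape of the vulnerable query, a username concatenated into a MongoDB $where JavaScript expression, is an assumption chosen because it explains the behaviour of the payload exactly; the in-memory USERS array and its placeholder hashes are constructed, and runWhere()/runFilter() are stand-ins for the database so the file runs without MongoDB.

```javascript
// Added example, not code from the writeup or from the Shoppy box itself.
// It models the "Search for users" endpoint of a Node.js + MongoDB app in two
// forms: one that concatenates the username into a $where JavaScript expression
// (which is what makes admin'||'1'=='1 return every user) and one that passes
// the username as plain data in an equality filter.
//
// MongoDB is not required: runWhere() and runFilter() evaluate the query
// against a constructed in-memory array the same way the server would.

// Constructed sample documents; the hashes are placeholders, not real values.
const USERS = [
  { username: 'admin', password: 'PLACEHOLDER_HASH_ADMIN' },
  { username: 'josh', password: 'PLACEHOLDER_HASH_JOSH' },
];

// Vulnerable (assumed pattern): user input is spliced into code that the
// database will execute, so quote characters and || change the logic.
function buildWhereVulnerable(username) {
  return `this.username == '${username}'`;
}

// Stand-in for MongoDB's $where evaluation: the string is compiled and run
// once per document with `this` bound to the document.
function runWhere(expr, docs) {
  const predicate = new Function(`return (${expr});`);
  return docs.filter((doc) => Boolean(predicate.call(doc)));
}

// Hardened: the username is data in an equality filter, never code. The type
// check also blocks operator injection through a JSON body such as
// {"username": {"$ne": null}}, which a JSON body parser would otherwise hand
// through as an object.
function buildFilterSafe(username) {
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return { username };
}

// Stand-in for collection.find(filter) with exact field matching.
function runFilter(filter, docs) {
  return docs.filter((doc) =>
    Object.entries(filter).every(([field, value]) => doc[field] === value)
  );
}

// Strip password hashes before anything leaves the server; the endpoint in the
// writeup returned them to the client, which is what made cracking possible.
function publicView(docs) {
  return docs.map(({ username }) => ({ username }));
}

// Demonstration with the payload from the writeup.
const payload = "admin'||'1'=='1";
console.log('vulnerable:', runWhere(buildWhereVulnerable(payload), USERS).length, 'users'); // 2
console.log('hardened:  ', runFilter(buildFilterSafe(payload), USERS).length, 'users');     // 0
console.log('hardened:  ', publicView(runFilter(buildFilterSafe('josh'), USERS)));
```

The two fixes are independent: the equality filter removes the code-injection path, and the string type check removes the operator-injection path that JSON request bodies open up even when no $where is involved. Returning only the public fields is the third layer, since a search endpoint has no reason to expose hashes at all.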

We find another user: josh. Cracking the hash with CrackStation we get our first pair of credentials: josh:remembermethisway
Next, I tried using the credentials on SSH but failed. So I tried them on the Mattermost page and got access. Mattermost is similar to Slack and is used for internal communications. Here I found a credential.

We get another pair of credentials: jaeger:Sh0ppyBest@pp!
I was able to SSH in and get a foothold.