In this post, I would like to share a walkthrough of the Shoppy Machine from Hack the Box

This room will be considered an Easy machine on Hack The Box

What will you gain from the Shoppy machine?

For the user flag, you will need to find a way than SQL injection where we use NoSQL injection to bypass the admin login page and use it for dumping users and hashes. We also can use the password from the hashes to access the Mattermost server where we will find Credentials for SSH.

As for the root flag, you need to use some method of reverse engineering to obtain a password from the binary and then try to docker execution command to load an image mounting on the host file system.

Information Gathering on Shoppy Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website

However, nothing that we look at when accessing the website.

Therefore, let’s enumerate the directory using gobuster.

We have finally seen the /login directory can be accessed

We managed to access the login page for the Shoppy Admin

Whenever I see a login page, I normally try the SQL Injection attack method but I found out that the page is vulnerable to NoSQL Injection.

Let’s inspect the packet via burpsuite and key-in the NoSQL Injection attack such as ‘||”===’

At last, we have finally managed to access the Admin Interface that shows in the screenshot above.

After roaming the website interface, i found out there’s a function of “search-user”

We should be able to use NoSQL Injection attack over here too.

Wow! We have some credentials that we can use in the later stage.

Finally, we managed to obtain the password from the hashes.

We managed to retrieve our subdomain of the shoppy.htb which resulted mattermost.

The website shows a login page where we can try to enter the credentials that we obtained earlier.

A Success! We have managed to access the Shoppy Dashboard and we managed to retrieve other credentials after roaming the website dashboard.

At last, we successfully have login to jaeger via SSH service

We can read the user flag by typing “cat user.txt” command

Escalate to Root Privileges Access

As usual, we can enumerate manually by executing the command sudo -l to see the SUID binary that we can exploit.

We can try to read the content of the binary file that we managed to see the password which it will be giving us “Access Granted”

Therefore, let’s execute the binary with deploy privileges access and we managed to sight the password for deploy

We can try to access the machine by using the deploy credentials via SSH service.

From the linpeas output, i notice that there’s a binary for docker even though we are not inside the docker.

The screenshot above is another way to verify that docker is a thing in the machine

Based on the gtfobins guide, we can use the command from there and see if we will manage to obtain the root shell.

We can read the root flag by typing the “cat /root/root.txt” command

Extra Information