Marketplace
Nmap
The root page for port 80 takes us to the following page:
Under the /signup directory we can create a new user.
After creating the account, move over to the /login directory and log in with the user that was created.
Looking at the available listings we can see that we have an opportunity to report a listing.
After reporting a listing we receive a confirmation message saying that someone will soon investigate the listing. Shortly after, we receive a response saying that the listing has been reviewed.
This implies that staff are actively checking the listings that are reported. Knowing this, there is potential for XSS.
We can then create our own listing and check to see if we can potentially use XSS. I used the <h1> header tag for testing purposes.
After submitting the query we are redirected to the new listing and can see that this has worked.
With this we can set an XSS script to retrieve a cookie when someone visits the listing and send it back to us. I used the following python script below:
Edit the script to include the VPN interface IP and preferred port.
Before running the script add the following code to a new listing in the description box.
Now report the new listing and then run the script. After a short while you should receive a cookie back.
We can then open the Firefox storage console and replace our current cookie with the new one whilst on the target machine's webpage. If this has worked as expected we should then be logged in as the admin account.
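The stored XSS above works for two reasons: the listing description is rendered as raw HTML, and the session cookie is readable from JavaScript. The following added example (not code from the writeup) shows the defender's side of both. It renders a listing description with and without escaping, using the same <h1> test string the writeup used, and checks Set-Cookie header values for a missing HttpOnly flag. The template, the cookie values and the helper names are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: the description a tester submits to see whether
# listing text is rendered as HTML (the writeup used an <h1> tag).
TEST_DESCRIPTION = "<h1>test</h1>"

# Constructed template standing in for the listing page.
LISTING_TEMPLATE = '<div class="listing"><p>{description}</p></div>'


def render_listing_unsafe(description: str) -> str:
    """Interpolates the description verbatim: any markup in it becomes live HTML
    in the reviewer's browser, which is the stored-XSS condition."""
    return LISTING_TEMPLATE.format(description=description)


def render_listing_safe(description: str) -> str:
    """Escapes the description so the browser shows the tags as literal text."""
    return LISTING_TEMPLATE.format(description=html.escape(description, quote=True))


def cookies_missing_httponly(set_cookie_headers: list[str]) -> list[str]:
    """Returns the names of cookies (one Set-Cookie value per list entry) that
    lack the HttpOnly attribute. A cookie without HttpOnly is exposed through
    document.cookie, which is what lets an XSS payload exfiltrate a session."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return sorted(name for name, morsel in jar.items() if not morsel["httponly"])


if __name__ == "__main__":
    print(render_listing_unsafe(TEST_DESCRIPTION))
    print(render_listing_safe(TEST_DESCRIPTION))
    # Constructed header values: the first is session-theft material, the second is not.
    print(cookies_missing_httponly(["session=abc123; Path=/"]))
    print(cookies_missing_httponly(["session=abc123; Path=/; HttpOnly"]))
```

Escaping on output stops the <h1> test from rendering, and HttpOnly alone would have made the cookie-stealing step fail even if the injection had succeeded; a real fix applies both, plus a Content-Security-Policy to limit where injected script could send data.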
From here going to the administration panel and selecting a user shows potential for SQL injection.
Replacing the 1 in the parameter with an apostrophe, to purposely break the statement, produces a SQL error.
The following commands were then used to enumerate the database.
Find how many columns exist in the table:
Run a statement in a writable column to find the database names.
Show tables from selected 'marketplace' database.
Get column names from selected table 'messages'.
Dump the contents of the selected columns found inside the table.
Dump contents of messages table.
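The error triggered by the apostrophe is the signature of a query built by string concatenation. As an added example that is not part of the writeup, the block below reproduces that behaviour against an in-memory SQLite table and places the parameterised version next to it. The table, its rows and the function names are constructed for the demonstration; the marketplace application's real schema is not known from the page.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a users table; not the marketplace schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username) VALUES (?, ?)",
        [(1, "alice"), (2, "jake")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Concatenates the request parameter straight into the SQL text.
    A lone apostrophe unbalances the quoting and raises a database error,
    the same signal the writeup observed in the admin panel."""
    query = f"SELECT id, username FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Binds the parameter; the driver passes it as data, never as SQL,
    so an apostrophe simply matches nothing."""
    query = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def leaks_sql_error(conn: sqlite3.Connection, lookup, user_id: str) -> bool:
    """True when the lookup surfaces a database error for this input, which is
    what a reviewer would check for when triaging the apostrophe probe."""
    try:
        lookup(conn, user_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_user_vulnerable(db, "1"))
    print(leaks_sql_error(db, lookup_user_vulnerable, "'"))  # True: broken quoting
    print(leaks_sql_error(db, lookup_user_safe, "'"))        # False: bound as data
    print(lookup_user_safe(db, "'"))                         # [] rather than an error
```

With the bound parameter there is no column count to discover and no writable column to reflect results through, so the whole enumeration chain above has nothing to work with.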
We now have a potential password of: @b_ENXkGYUCAv3zJ
Trying the user jake on SSH with the given password allows SSH access.
Checking sudo -l shows we can run the /opt/backups/backup.sh file as michael without specifying a password.
Running cat on backup.sh shows the following contents:
As the tar command ends in a wildcard, we can exploit this to gain a shell as michael. This technique is described at https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
Conceptual Information:
If you have ever explored tar to read its optional switches then you will find the following options.
--checkpoint[=NUMBER] show progress messages every NUMBERth record (default 10)
--checkpoint-action=ACTION execute ACTION on each checkpoint
There is a '--checkpoint-action' option that specifies the program to be executed when the checkpoint is reached. In effect, this permits us to run an arbitrary command. Hence the options '--checkpoint=1' and '--checkpoint-action=exec=sh shell.sh' are handed to the 'tar' program as command-line options.
Created a netcat reverse shell with the command below.
Run the following commands on the target machine inside the /opt/backup directory, specifying the generated msfvenom command.
We should then receive a shell as michael.
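The root cause is that the shell expands the wildcard into filenames and tar cannot tell an option-looking filename from a real option. The following added example (not the writeup's or the box's backup script) shows how a backup job can be written so that this does not happen, and how to audit a directory for names that would be misread. It passes every entry by explicit name after the '--' end-of-options marker and never goes through a shell, so a filename beginning with '-' reaches tar as a path. Function names and the constructed sample directory are assumptions for the demonstration.

```python
import os
import subprocess
import tempfile


def option_like_names(directory: str) -> list[str]:
    """Lists directory entries a wildcard expansion would hand to tar as
    options rather than files. Useful as a pre-flight check for any cron or
    sudo-run script that archives a directory writable by other users."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def build_tar_command(directory: str, archive: str) -> list[str]:
    """Builds an argv suitable for subprocess.run(..., shell=False).

    Entries are enumerated in Python instead of by shell globbing, and they are
    placed after '--', which GNU tar treats as the end of options. A file named
    '--checkpoint=1' is therefore archived as data, not parsed as a flag."""
    entries = sorted(os.listdir(directory))
    return ["tar", "-cf", archive, "-C", directory, "--", *entries]


def run_backup(directory: str, archive: str) -> subprocess.CompletedProcess:
    """Runs the hardened command without a shell so no expansion can occur."""
    return subprocess.run(build_tar_command(directory, archive), check=True)


if __name__ == "__main__":
    # Constructed sample directory: one ordinary file and one option-looking name.
    with tempfile.TemporaryDirectory() as workdir:
        for name in ("data.txt", "--checkpoint=1"):
            with open(os.path.join(workdir, name), "w") as fh:
                fh.write("sample\n")
        print("suspicious names:", option_like_names(workdir))
        print("argv:", build_tar_command(workdir, "/tmp/backup.tar"))
```

An even simpler hardening is to archive the directory itself ("tar -cf backup.tar -C /path ."), which needs no file list at all; either way the script should not be runnable via sudo from a directory that lower-privileged users can write to.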
As michael is part of the docker group we can escalate privileges as per GTFOBins: https://gtfobins.github.io/gtfobins/docker/.