Access the Machine Here Shoppy
Make sure to Connect with the HackTheBox’s VPN before start
nmap scan,directory and Subdomain Enumeration firstOpen ports
22 - ssh
80 - http
Make sure to addshoppy.htb to your hosts using the Below command
We got nothing Interesting in the source code and there are no functionalities
2. Let’s EnumerateHTTP using Gobuster
gobuster dir -u http://shoppy.htb/ -w /usr/share/wordlists/dirb/big.txt
3. Bypassing Login using Mongo DB Injection
username — admin’ || ‘ 1=1
password — pass
4. Now Let’s try to search for users likeadmin
5. Looks like the value of the password is a hash, so let’s try to crack using Crackstation orHashcat
Seems like we are unable to crack the admin password’s hash, so let’s Apply the SQL Injection on Search Field
6. Injecting the same query in the search field
7. Let’s crack thejosh password hash
we got the password — remembermethisway
8. Let’s try to log in to ssh
Unfortunately, It’s not the Password : (
9. Okay Let’s use this password to login into the subdomain which we found on subdomain Enumeration — http://mattermost.shoppy.htb
Before that add the host to your/etc/hosts
10. Login with the Credentials that we already found
11. We found a Credential onDeploy Machine Option
12. Let’s try this cred to login ssh
We are In : )
13. Elevating privilege is very easier than I think
Flag: 64694d936ba3910ee38ec83e9a77fbe5
Feel Free to Ask Queries via LinkedIn and to Buy me a Cofee : )
Thank you for Reading!!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
Hackthebox , htb , SQL injection , mongo db , shoppy , root , nmap , elevation , root.txt , cat.txt , machine , writeup , solution , walkthrough , flag , karthikeyan nagaraj , cyberw1ng