The Marketplace
This is a write-up for the room on TryHackMe: https://tryhackme.com/room/marketplace
Nmap scan:
Output of nmap scan:
I started off by visiting the main page on port 80:
There is a robots.txt, which was indicated in the nmap scan:
This leads to the following:
The same page is visible for the webserver on port 32768:
I signed up and made a new listing on the site. I then added <script>alert(document.cookie)</script>, in the title to see if I can get some information:
I seem to get a token. I found out that this is JWT or JSON Web Token. When I decoded it, this was my result:
I believe my next step is to change the payload data to have me be the admin, so I am allowed to view the page. I tried to modify the payload as admin, but I ended up failing. I found this write-up, that led me to a website: https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md. Using the github link, I first ran the python script mentioned in the github page, and then I tried the first option:
I then got this response from the website:
I then tried it again, this time removing the alert box code:
I then submitted the listing. Based on the hint from TryHackMe, I then reported this listing to the admins.
At this point, I realized that I was making a mistake, and that I was entering the IP of the server itself, and not my own IP from TryHackMe. I then corrected my javascript:
When I reported it this time to the admin, I got the cookie using the python script from the GitHub page:
I entered this in jwt.io, and got the following result:
We can see the username of the admin is michael. I then logged out of the account. I then logged in using credentials I had made previously, test:test, and when the following prompt came up in burpsuite (I used the burpsuite browser for this part), I modified it to use the cookie of the admin:
I was then in:
In order to access /admin, you have to manually force the admin cookie in bupsuite. After I did that, I got to the following site:
I did the same for the Administration Panel, and got the first flag:
I see that jake is also an administrator. After a while, viewing this write-up, made me realize that I should focus more on the SQL Injection than the user jake. Using the same write-up I ended up finding about the following web query:
This led to the output that tolds what table names there are:
Running the following web query led to the column names:
From the write-up, the author then went on to make this query:
This led to the following output:
This seems to be the SSH password for a user. The credentials worked for jake:
The user.txt file was in the directory you enter in:
I then ran sudo -l to find out what actions we have as a sudoer:
I found out we have a file we have access to read. We do not have access to edit the file. I found this website, based on a couple of the write-ups I had read online, that talked about exploiting wildcards for privilege escalation. I followed the commands from the website:
I first ran cat /etc/cron
and got the following output:
There does not seem to be anything of importance here, so I moved on to the next step, which was creating a msfvenom payload:
We then copy the mkfifo output (previous image) into the jake user's shell (in the /opt/backups directory). I then ran the following commands, going off of this write-up:
I ran into an issue here where I was not able to backup the files. I kept getting an error, in order to fix it, I moved backup.tar to bkup.tar. I then ran the sudo command once again and got the reverse shell. Source: https://www.infosecarticles.com/tryhackme-the-marketplace-walkthrough/
After I ran the aforementioned commands, I had a reverse shell:
I then spawned a python shell here running the following command, from this website:
After I got the shell, I tried to run sudo -l, but that did not work out for me. I had to get the shell again and start over. I read a write-up and found out we are part of the docker group. I also found out that I made a mistake copying a command from GTFOBins (for the docker command):
I was not supposed to use sudo for this. I was then able to get the flag:
Last updated