
# Shared

## Gaining Access

Nmap scan:

<figure><img src="/files/tc0FWgIyonW2dwbXydH8" alt=""><figcaption></figcaption></figure>

I took note of the HTTPS site and wanted to check it out. I also added `shared.htb` to the `/etc/hosts` file as required.

### HTTPS Port

The website was a standard shopping page.

<figure><img src="/files/THClbZyxkVW9erKVQCFG" alt=""><figcaption></figcaption></figure>

I viewed the TLS certificate to look for any names or other information I could use.

<figure><img src="/files/TRj06EOVx5agqJYqwspT" alt=""><figcaption></figcaption></figure>

The certificate contained a wildcard entry for the domain, so I knew we had to check for subdomains.

<figure><img src="/files/rS6m6l4QDOaarIBZjHkz" alt=""><figcaption></figcaption></figure>

### Custom\_cart SQLI

The checkout page looked vulnerable to me.

<figure><img src="/files/5MHyo3iNoFAVYs4n4hEE" alt=""><figcaption></figcaption></figure>

All the parameters passed in via the POST request were fine, but when proxying traffic I noticed the unusual `custom_cart` cookie that was set when adding products and viewing the cart. I tested some SQL injection payloads against it and found it to be vulnerable.

<figure><img src="/files/e69CNuNBJKxTNgdOWwNr" alt=""><figcaption></figcaption></figure>

For instance, I was able to enumerate the database that was used.

<figure><img src="/files/923eElbiC99Uy357IEZG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1kBeVmzbAYNNAVjlJYk3" alt=""><figcaption></figcaption></figure>

The output of the injection was printed on screen for us. We can now enumerate the database, which has a **user** table within it. This payload can be used to enumerate whatever we need:

```
custom_cart = {"breached' and 0=1 union select 1, username, 3 from checkout.user -- -": "10"}
```

From there, we can find out the username of the user, which is **james\_mason**.
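As an added illustration (not part of the original writeup), the snippet below reproduces the cookie-handling pattern behind this injection against a constructed in-memory SQLite stand-in for the `checkout` schema, and shows the parameterised version that defeats the same payload. The table layout, the product codes, the `CODE_RE` allow-list and the `lookup_*` functions are assumptions, not the application's own code.

```python
import json
import re
import sqlite3

# Constructed stand-in for the application's "checkout" schema (assumption:
# a product table keyed by product code and a user table holding a password hash).
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS checkout")
    con.execute("CREATE TABLE checkout.product (id INTEGER, code TEXT, price INTEGER)")
    con.execute("CREATE TABLE checkout.user (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO checkout.product VALUES (1, 'CRAFT', 40)")
    con.execute("INSERT INTO checkout.user VALUES (1, 'james_mason', 'HASH-PLACEHOLDER')")
    return con

def cart_items(cookie):
    """custom_cart is a JSON object mapping product code -> quantity."""
    return json.loads(cookie).items()

def lookup_vulnerable(con, cookie):
    """Mirrors the bug: the cookie *key* is spliced straight into the SQL text."""
    rows = []
    for code, _qty in cart_items(cookie):
        sql = f"SELECT id, code, price FROM checkout.product WHERE code='{code}'"
        rows += con.execute(sql).fetchall()
    return rows

# Allow-list for product codes (assumed format: short upper-case alphanumeric tokens).
CODE_RE = re.compile(r"^[A-Z0-9_-]{1,32}$")

def lookup_hardened(con, cookie):
    """Fix: validate the key, then bind it as a parameter; the SQL text is constant."""
    rows = []
    for code, _qty in cart_items(cookie):
        if not CODE_RE.match(code):
            continue  # untrusted cookie content never reaches the query
        rows += con.execute(
            "SELECT id, code, price FROM checkout.product WHERE code=?", (code,)
        ).fetchall()
    return rows

if __name__ == "__main__":
    db = build_db()
    inj = '{"breached\' and 0=1 union select 1, username, 3 from checkout.user -- -": "10"}'
    print(lookup_vulnerable(db, inj))  # the UNION leaks [(1, 'james_mason', 3)]
    print(lookup_hardened(db, inj))    # []
```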

<figure><img src="/files/uJi0x1H8OxmIhboJnyrp" alt=""><figcaption></figcaption></figure>

We can also find his hash.

<figure><img src="/files/xpzYntdlx7lSXzOA2tdQ" alt=""><figcaption></figcaption></figure>

This hash can be cracked using CrackStation.

<figure><img src="/files/QpkjrVLLTsuT4HCU0n4K" alt=""><figcaption></figcaption></figure>

Then, we can SSH in as `james_mason`.

<figure><img src="/files/OTaj4AHXkRjgFCGzmmBP" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We find that there's another user called `dan_smith`, and we cannot access the user flag he has:

<figure><img src="/files/mwr2vHpTku6CxCtwOFGG" alt=""><figcaption></figcaption></figure>

### Pspy64

I ran `pspy` to see what processes were running on the server and found a few interesting ones, the first being that the root user was running `redis-server`.

<figure><img src="/files/CT8eJAQUuK0IKLT2iPxm" alt=""><figcaption></figcaption></figure>

The second was that `dan_smith` was running `ipython` repeatedly.

<figure><img src="/files/Tl47V8Y4nImW8tXv4q5T" alt=""><figcaption></figcaption></figure>

### IPython

We can enumerate the version of `ipython` that was running.

<figure><img src="/files/0yvrZlKGk3OWMRWy72jp" alt=""><figcaption></figcaption></figure>

This version was vulnerable to an RCE exploit.

{% embed url="https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x" %}

Following the PoC, we can grab dan's private key:

<figure><img src="/files/vFOrG9E4Vqj8qc8lli25" alt=""><figcaption></figcaption></figure>

Then, we can SSH in as dan.

### Redis-Server

We saw earlier that root was running `redis-server`. Checking the version shows that it is outdated and vulnerable to the Redis ExecuteCommand module exploit, but we first need the password for the server.

<figure><img src="/files/hysVTPtXYF7haaBE4FkW" alt=""><figcaption></figcaption></figure>

{% embed url="https://github.com/n0b0dyCN/RedisModules-ExecuteCommand" %}

I ran LinPEAS and found the password inside the `/usr/local/bin/redis_connector_dev` file.

<figure><img src="/files/ZUh32k9C15SflzSx9MJR" alt=""><figcaption></figcaption></figure>

We can then sign in using `redis-cli` on the machine and load the exploit.

<figure><img src="/files/fd6wFlf0ZGFIMNDn66Xo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5RCKiLRWArziRySMYQ51" alt=""><figcaption></figcaption></figure>
