# Shared

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9a84275524d46f69f2939d9d0df4cbcc2ad00640%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

I took note of the HTTPS site and wanted to check it out. I also added `shared.htb` to the `/etc/hosts` file as required.

### HTTPS Port

The website was a standard shopping page.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e0c7c585796d01d80042b76eb2f2c2d065ef9ef3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

I wanted to view the certificate that was used, to find any names or other information that I could use.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d90d4d22885bbcdb297ad88f642230a0f186c57f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The certificate covered a wildcard domain, so I knew that we had to check for subdomains that were present.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1d607f21907a34a55d775d6dbe5fbeb2d412050a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Custom\_cart SQLI

The checkout page looked vulnerable to me.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e1c761821de385d0b79830e3d01fb41955cbb1a7%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

All the parameters passed in via the POST request were fine, but when proxying traffic, I noticed the weird `custom_cart` cookie that was sent when we were adding products and viewing the cart. I tested some SQL injection payloads and found it to be vulnerable.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-56a3da59501e5915d1f2ecd66406848f9e7ec449%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

For instance, I was able to enumerate the database that was used.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-ef1aab216d607cf70b8e19da6743744ca6c9baae%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9acd06715bd7282a909abc34f318230087f85654%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The output of the injection was printed on screen for us. We can now enumerate the database, which has a **user** table within it. This payload can be used to enumerate whatever we need:

```
custom_cart = {"breached' and 0=1 union select 1, username, 3 from heckout.user -- -": "10"}
```
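The pattern behind this finding is a cookie value interpolated straight into a SQL string. The following is an added example, not the application's own code: a Python/SQLite stand-in with a constructed `product` and `user` schema, showing the vulnerable lookup beside a version that validates the cookie's shape and binds the product code as a parameter. The payload is the writeup's, adapted to SQLite (no schema prefix on the table name).

```python
import json
import re
import sqlite3

# Constructed schema and rows standing in for the shop's "product" and "user"
# tables; none of this is the box's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (code TEXT PRIMARY KEY, name TEXT, price INTEGER);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO product VALUES ('breached', 'Breached shirt', 10);
        INSERT INTO user VALUES (1, 'example_user', 'example-hash-placeholder');
    """)
    return conn

# The writeup's cookie shape: {"<product code>": "<quantity>"}. The key carries
# the injection; the table name is adapted for SQLite.
PAYLOAD_COOKIE = json.dumps(
    {"breached' and 0=1 union select 1, username, 3 from user -- -": "10"}
)
BENIGN_COOKIE = json.dumps({"breached": "1"})

def cart_lookup_vulnerable(conn, cookie):
    """Interpolates each cookie key straight into SQL: the pattern the writeup exploits."""
    rows = []
    for code in json.loads(cookie):
        sql = f"SELECT code, name, price FROM product WHERE code = '{code}'"
        rows.extend(conn.execute(sql).fetchall())
    return rows

# Product codes in this hypothetical shop are short, lowercase slugs.
CODE_RE = re.compile(r"[a-z0-9_-]{1,32}")

def cart_lookup_fixed(conn, cookie):
    """Validates the cookie's shape, then binds the product code as a parameter."""
    cart = json.loads(cookie)
    if not isinstance(cart, dict):
        raise ValueError("cart cookie must be a JSON object")
    rows = []
    for code, qty in cart.items():
        if not CODE_RE.fullmatch(code):
            raise ValueError("malformed product code in cart cookie")
        if not (str(qty).isdigit() and 1 <= int(qty) <= 100):
            raise ValueError("malformed quantity in cart cookie")
        # Placeholder binding: the code is sent as data, never parsed as SQL.
        rows.extend(conn.execute(
            "SELECT code, name, price FROM product WHERE code = ?", (code,)
        ).fetchall())
    return rows

if __name__ == "__main__":
    db = make_db()
    # The union payload returns the user row through the vulnerable path ...
    print("vulnerable:", cart_lookup_vulnerable(db, PAYLOAD_COOKIE))
    # ... and is rejected before any query runs through the fixed path.
    try:
        cart_lookup_fixed(db, PAYLOAD_COOKIE)
    except ValueError as exc:
        print("fixed:", exc)
```

The parameter binding alone closes the injection; the shape check on top of it means a malformed cart is rejected up front rather than silently returning nothing, which is also what you want to log on the server side.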

From there, we can find out the username of the user, which is **james\_mason**.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-b91d5fde5bd9d182d51b90c7fde314d2eda12c06%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We can also find his hash.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-aacdd6364be134f7711cff0d217e536d8c48a0f0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This hash can be cracked using CrackStation.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1767c38aeef93700b79fe7646444e7d578eae57b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can ssh in as `james_mason`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-7059e4d55814d43000a002c85c3e4ff8ffceb1b1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We find that there's another user called `dan_smith`, and we cannot access the user flag he has:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-320ace7f0a1dca36e76c2b7e4bc7f665ef84a5ba%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Pspy64

I ran `pspy` to see what processes were running on the server. I found a few interesting ones, the first being that the root user was running `redis-server`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-a5ce5af63c93da344e74c8359567288e3b62b0af%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The second was that `dan_smith` was running `ipython` repeatedly.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d91512d30770dbfe9381cd8137b196b977f20189%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### IPython

We can enumerate the version of `ipython` that was running.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-4dbcfcb0a3477c0fb26e4c194fd55cbc71093510%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This version was vulnerable to an RCE exploit.

{% embed url="https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x" %}

Following the PoC, we can grab dan's private key:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-f713d050fd5ba6458c8de21029ef1f4080df1dee%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can SSH in as dan.

### Redis-Server

We saw earlier that root was running `redis-server`. First, we can check the version and find that it's outdated and vulnerable to the Redis ExecuteCommand Module exploit. We then need to find the password for this server.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-46fedca48f8d55eccb81efad009d7a8a75b31e66%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

{% embed url="https://github.com/n0b0dyCN/RedisModules-ExecuteCommand" %}

I ran LinPEAS and found the password within the `/usr/local/bin/redis_connector_dev` file.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1e5c7cd281f97ba5084b7e79ae7b9b0fd46b234c%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We can then authenticate using `redis-cli` on the machine and load the exploit module.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-eabc0f9833f06e9a9c77fdd448139a53e996fb42%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e1a3ab750f385d8bfbfccec23780f1afe6e1eee6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
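Three things combine in this privilege escalation: Redis running as root, a password recoverable from a binary on the box, and the `MODULE LOAD` command being reachable by any authenticated client. The following is an added example, not part of the writeup or the Redis project: a small Python audit over a `redis.conf` (two constructed configs are embedded, a weak one and a hardened one) plus the user the server runs as, flagging each of the conditions the chain relies on. The hardcoded credential cannot be seen from the config and is the one item this check does not cover.

```python
# Constructed sample configs for the audit below; neither is the box's real redis.conf.
WEAK_CONF = """
# listens on every interface, protected mode off, MODULE left enabled
bind 0.0.0.0
protected-mode no
port 6379
requirepass example-password-placeholder
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
aclfile /etc/redis/users.acl
# Redis 7+: MODULE stays off unless explicitly enabled; older releases need the rename
enable-module-command no
rename-command MODULE ""
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Map each directive to the list of values it appears with (directives can repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives

def module_loading_disabled(directives):
    """True when MODULE LOAD cannot be issued: enable-module-command no (Redis 7+)
    or the command renamed to the empty string (any version)."""
    if directives.get("enable-module-command", [""])[0].lower() == "no":
        return True
    for value in directives.get("rename-command", []):
        tokens = value.split()
        if len(tokens) == 2 and tokens[0].upper() == "MODULE" and tokens[1] in ('""', "''"):
            return True
    return False

def audit_redis_conf(text, running_user):
    """Return a list of findings; an empty list means none of the audited weaknesses is present."""
    d = parse_redis_conf(text)
    findings = []
    if running_user == "root":
        findings.append("redis-server runs as root; any module it loads executes as root")
    if d.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")
    # An absent bind directive listens on all interfaces, so treat it as 0.0.0.0.
    for addr in d.get("bind", ["0.0.0.0"])[0].split():
        if addr.lstrip("-") not in LOOPBACK:
            findings.append(f"bound to a non-loopback address: {addr}")
            break
    if not any(k in d for k in ("requirepass", "aclfile", "user")):
        findings.append("no authentication configured")
    if not module_loading_disabled(d):
        findings.append('MODULE LOAD reachable by authenticated clients; set '
                        'enable-module-command no (Redis 7+) or rename-command MODULE ""')
    return findings

if __name__ == "__main__":
    for name, conf, user in (("weak", WEAK_CONF, "root"), ("hardened", HARDENED_CONF, "redis")):
        print(name, "as", user)
        for finding in audit_redis_conf(conf, user) or ["no findings"]:
            print("  -", finding)
```

Running the server as a dedicated `redis` user is the change that matters most here: with `MODULE LOAD` disabled and the process unprivileged, a leaked password is a data exposure rather than a root shell.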
