HackTheBox - Shoppy

00:00 - Intro
01:00 - Start of nmap
01:55 - Taking a look at the web page
02:30 - Discovering it is NodeJS based upon the error message [MasterRecon]
03:40 - Performing NoSQL boolean injection (MongoDB) to bypass authentication
06:45 - Working payload for the NoSQL Injection
09:30 - Dumping the user database with more NoSQL Injection and using CrackStation to get the password
12:00 - Using ffuf to find the mattermost.shoppy.htb subdomain
14:20 - Logging into Mattermost and getting a credential
15:50 - Log in as the Jaeger user and use strings to get a hardcoded password from the password-manager binary
20:20 - SSH into the box as the Deploy User, discover we can run Docker commands and use that to privesc by starting a new container that mounts the root fs
24:00 - Exploring the Password-Manager binary in Ghidra
