HackTheBox – Shoppy

00:00 – Intro
01:00 – Start of nmap
01:55 – Taking a look at the web page
02:30 – Discovering it is NodeJS based upon the error message [MasterRecon]
03:40 – Performing NoSQL boolean injection (mongodb) to bypass authentication
06:45 – Working payload for the NoSQL Injection.
09:30 – Dumping the user database with more NoSQL Injection and using CrackStation to get the password
12:00 – Using ffuf to find the mattermost.shoppy.htb subdomain
14:20 – Logging into MatterMost and getting a credential
15:50 – Log in as the Jaeger user and use strings to get a hardcoded password from the password-manager binary
20:20 – SSH into the box as the Deploy User, discover we can run Docker commands and use that to privesc by starting a new container that mounts the root fs
24:00 – Exploring the Password-Manager binary in Ghidra