Official Shoppy Discussion

Rooting this box was really fun.
User: SQL attack + sub**** enumeration is the key concept here.
Root: Basic manual enumeration for lateral movement, and again basic enumeration will give the privesc path.
HackTricks is always there to help with how to do it when you know what to do…
Anyone who needs help, DM me.

You should add --append-domain and the command will be like this:
gobuster vhost -w /path/to/bitquark-subdomains-top100000.txt -u shoppy.htb --append-domain
It works for me.

Heed @ald3rs0n's words about enumerating your way to root here: think basic. Like, the. most. basic. thing you might do to extract information out of a file.

Overthinking it really had me tearing my hair out, and (confession), when I entered The Basic Command, it was an accidental autopilot; I was about to clear my screen and try something else, when I realised, “wait… that output looks different”…

I do not understand why I cannot test with sqlmap. It just does not work. I get this:
[CRITICAL] connection timed out to the target URL

I copied the request from Burp! So my command looks like this:
sqlmap -r shoppy_login_request.txt -p username --level 3 --risk 3

Any ideas why that does not work? I feel like it's the only way to get in that machine!!

EVEN wfuzz does not work!

Hey, have you rooted the box? I think I need some help over here regarding the running services. I tried both the s** and nos** injection before but it didn't seem to work for me. I’ve tried reading some writeups regarding the payloads but still don't understand how one comes up with a way to tweak the payload.

Edit: Well I think I kinda understand now after researching how the query works. Kindly DM me if you’re up for discussion

Feel free to PM me, I will add you on Discord and we could discuss there.

Hi… I couldn’t bypass the login page… can you help me…?

Hi, do we bypass the login page first and then try to find the subdomain, or vice versa?

Because the application times out for some reason, sqlmap is not effective. You have to find a manual way to do it.

Hi All,

I wanted to ask if someone could explain to me the SQLi vulnerability. More specifically, how to determine what to enter in the input fields. I was able to use a single character to determine there was an SQLi vulnerability, but not how to exploit it further. I found something on the internet that worked, I’m sure a few of you have, but I want to understand how the specific SQLi exploit worked.

I don’t want to just copy/paste things I find, so if anyone would mind talking me through, or providing a link, to explain how I might have found the right exploit myself, I’d really appreciate it.

Guys, I am 2 steps ahead of root flag, I’m stuck between master and deploy