Read my writeup for Shoppy machine on:
TL;DR
User 1: By utilizing NoSQL Injection, login authentication is bypassed. By searching for a user, the hash of josh is found and cracked. Using these credentials, access is gained to mattermost.shoppy.htb. On mattermost, the credentials for the user jaeger are discovered and used for SSH login.
User 2: By running the command sudo -l, it is determined that the binary password-manager can be run as the user deploy. By reversing the binary, the binary’s authentication password is found and it is discovered that the binary prints the credentials of the deploy user.
Root: Through the use of Docker container escape, restricted environments are bypassed and an interactive system shell is spawned, providing root access to the machine.