Stocker

nmap :

make sure to add the stocker.htb to the etc/hosts file

Directory Enumeration : and we have no results

Directory Enumeration :

and we have no results

Virtual Host Enumeration :

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.stocker.htb" -u http://stocker.htb -fc 403,301

and we have found dev.stocker.htb subdomain

make sure to add the subdomain found to the /etc/hosts file

and if we browse the subdomain we will be redirected to the login page

No SQL injection :

intercept the request of login in using burp using random credentials

now change the content-type to aplication/json and change the data sent to be json and we get redirected to an error page which is the page that will show invalid username or password

and this means that it accepts json data but our credentials are not valid

or using curl

curl -X POST -H "Content-Type: application/json" -d '{"username": {"$gt": ""},"password": {"$gt": ""} }' http://dev.stocker.htb/login 

and if we go back to the browser we will find that we were redirected to the /stock directory and logged in automatically

intercept Submit Purchase

add some elements to your basket and then click on view cart and purchase and you will be given an pdf file

the title is directly rendered in the pdf so maybe it is html so let's try injecting some html

let's save the pdf to a file (/api/po/orderId) is the path to the generated pdf and you will see this path if you view the generated pdf from the website

and now if we open the pdf we will see that the iframe is generated and it has the file passwd content in it and from we can find out that there is 2 users with bash enabled which are angoose and root

we dont know where is located the developement code a trick we can use is to send invalid json data so we get useful information in the errors and from the error we can see that the developement code is located at /var/www/dev

let's leak the index.js file from /var/www/dev (index.js is the entry point for javascript files)

the mongodb URL contains a password that maybe useful this is the format of a mongodb URL and if we campare it with the mongodb url in the leaked index.js we will find out that the password is : IHeardPassphrasesArePrettySecure

SSH into angoose user using the password found in the mongodb URL :

we have already found a user called angoose in the /etc/passwd file .

Root Shell :

search node on gtfobin

we will write the code between '' and we will put it inside a file that have .js extension and then execute it with node

we don't have permissions to move our exploit script to the /usr/local/scripts directory so we will use path traversal

hope you found this walkthrough easy to understand and follow

Greeting From Sayonara