make sure to add the stocker.htb to the etc/hosts file
Directory Enumeration : and we have no results
## Directory Enumeration :
and we have no results
## Virtual Host Enumeration :
```python
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.stocker.htb" -u http://stocker.htb -fc 403,301
```
and we have found `dev.stocker.htb` subdomain
make sure to add the subdomain found to the **/etc/hosts** file
and if we browse the subdomain we will be redirected to the login page
## No SQL injection :
intercept the request of login in using burp using random credentials
now change the **content-type** to **aplication/json** and change the data sent to be json and we get redirected to an error page which is the page that will show invalid username or password
and this means that it accepts json data but our credentials are not valid
or using curl
```python
curl -X POST -H "Content-Type: application/json" -d '{"username": {"$gt": ""},"password": {"$gt": ""} }' http://dev.stocker.htb/login
```
and if we go back to the browser we will find that we were redirected to the **/stock** directory and logged in automatically
intercept Submit Purchase
add some elements to your basket and then click on view cart and purchase and you will be given an pdf file
the title is directly rendered in the pdf so maybe it is html so let's try injecting some html
let's save the pdf to a file (/api/po/orderId) is the path to the generated pdf and you will see this path if you view the generated pdf from the website
and now if we open the pdf we will see that the iframe is generated and it has the file passwd content in it and from we can find out that there is 2 users with bash enabled which are **angoose** and **root**
we dont know where is located the developement code a trick we can use is to send invalid json data so we get useful information in the errors and from the error we can see that the developement code is located at **/var/www/dev**
let's leak the index.js file from /var/www/dev (index.js is the entry point for javascript files)
the mongodb URL contains a password that maybe useful this is the format of a mongodb URL and if we campare it with the mongodb url in the leaked index.js we will find out that the password is : **IHeardPassphrasesArePrettySecure**
## SSH into angoose user using the password found in the mongodb URL :
we have already found a user called angoose in the /etc/passwd file .
## Root Shell :
search node on **gtfobin**
we will write the code between '' and we will put it inside a file that have .js extension and then execute it with node
we don't have permissions to move our exploit script to the /usr/local/scripts directory so we will use path traversal
hope you found this walkthrough easy to understand and follow
Greeting From [Sayonara](https://github.com/ismail-arame)
