Stocker

Enumeration

Scanning the IP with Nmap showed three open ports, with the web service redirecting to http://stocker.htb, so I needed to add this hostname to the /etc/hosts file.

After adding the domain to the file and visiting the webpage, there wasn't anything obvious about the website: no robots.txt page and no live links. I also used FFUF for directory bruteforcing but found nothing, so I decided to look for subdomains.

Using FFUF to enumerate subdomains and subdirectories of the website, I found a dev subdomain and some directories.

User

To access the subdomain, I first had to add it to the /etc/hosts file. After that I visited the site and landed on a login page.

I didn't have login credentials, so I tried several common default logins with no luck, and several other methods as well; eventually I found a working NoSQL injection authentication bypass on HackTricks.


To carry out the authentication bypass, I first had to change the Content-Type header to application/json and then supply the credentials as a JSON object in the request body.
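The bypass above works because a JSON body lets a client send objects where the login handler expects strings, and those objects are passed straight into the database query. As an added example (not code from the box or the writeup; the function and field names are assumptions), here is the input validation a defender would put in front of such a query:

```javascript
// Added example, not code from Stocker or the writeup: validating a JSON
// login body before it reaches a MongoDB-style query. Forwarding
// req.body.username / req.body.password directly into the query lets a
// client substitute objects for strings and change the query's meaning.
// The fix is to accept only plain, bounded strings. Names are assumptions.

const MAX_LEN = 64;

// True only for a non-empty plain string of bounded length.
function isCredentialString(value) {
  return typeof value === "string" && value.length > 0 && value.length <= MAX_LEN;
}

// Validate a parsed JSON login body. Returns { ok: true, query } on success,
// { ok: false, reason } otherwise. The reason names only the offending
// type, never the submitted value, so it is safe to log for detection.
function validateLogin(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body is not a JSON object" };
  }
  const { username, password } = body;
  if (!isCredentialString(username)) {
    return { ok: false, reason: `username has type ${typeof username}` };
  }
  if (!isCredentialString(password)) {
    return { ok: false, reason: `password has type ${typeof password}` };
  }
  // Only now build the query, from values proven to be strings.
  // (A real handler would look up by username and compare a password
  // hash rather than querying on the plaintext password.)
  return { ok: true, query: { username, password } };
}

// How a handler would use it. findOne stands in for the collection lookup
// so the example runs without a database.
function loginHandler(body, findOne) {
  const v = validateLogin(body);
  if (!v.ok) return { status: 400, log: `rejected login: ${v.reason}` };
  const user = findOne(v.query);
  return user ? { status: 200 } : { status: 401 };
}
```

A 400 with a logged reason such as "password has type object" is also a useful detection signal, since a legitimate browser form never sends an object in that field.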

After gaining access, I was directed to the store. Playing around with it, I noticed you can add products to a cart, as seen below.

Once a product is added, we get a PDF invoice for it, as seen below. Looking at the Burp request, I noticed a title field whose value also appears on the PDF invoice. That raised the question of whether I could extract information from the server through it.

Because the server renders the submitted title as HTML when generating the PDF, I used an iframe tag to dump the /etc/passwd file from the server into the invoice.

As seen below, the only user account with a shell is angoose. After getting the passwd file, I tried dumping angoose's SSH id_rsa file, but it doesn't exist. I also checked the .bashrc file, but found nothing juicy.

It then occurred to me that the site was built on Node.js, and Node.js applications commonly have an index.js file containing the site's configuration. Once I located it, I found a password using the same method I used to dump the passwd file.

With that password I was able to gain SSH access to the server.

Privilege Escalation

Running sudo -l, I found that I could run any JavaScript file under /usr/local/scripts with the node binary.

node here refers to Node.js. Since node executes arbitrary code from whatever script it is given, including spawning a shell, a sudo rule like this amounts to a root shell. I checked GTFOBins and found a fitting technique: https://gtfobins.github.io/gtfobins/node/