HackTheBox

Writeups for the Hack The Box machines


https://app.hackthebox.com/machines/Stocker

Enumeration


Rustscan

Started with a quick Rustscan, handing the open ports to nmap for default scripts and version detection:

    sudo rustscan -a 10.10.11.196 -- -sC -sV -T4 -vv -oN stock_nmap


The scan found only two open ports:

    22 - open  ssh  syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    80 - open  http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)

The web server on port 80 redirected to http://stocker.htb, so I added that hostname to /etc/hosts.

After adding it I browsed the site and found a regular website that is still under development.


Ran GoBuster for subdomain enumeration but didn't find anything helpful.


Then moved on to vhost enumeration with GoBuster, which didn't return any results either. 😕

After failing to find any initial access vector on the website or through subdomain enumeration, I finally tried FFUF for vhost and subdomain enumeration, and this time the results showed a new vhost:

    dev.stocker.htb


Added the new hostname to /etc/hosts and opened it in the browser, which showed a login page.


Also ran subdomain enumeration against this new vhost but didn't find any useful subdomain.


On this login page I tried different SQLi payloads but none of them worked, so I moved on to the NoSQL injection payloads from HackTricks. This JSON payload returned a 200 response:

    {"username": {"$ne": null}, "password": {"$ne": null} }

The Content-Type header also has to be changed to Content-Type: application/json, otherwise the body is not parsed as JSON and the $ne objects arrive as plain strings. The bypass works because the server passes the parsed body straight into a MongoDB-style query, so {"$ne": null} is interpreted as the "not equal to null" operator and matches the first user whose username and password are set, instead of being compared as a literal value.


Following the redirect landed me on dev.stocker.htb/stock:


Checking the page source showed an API request that POSTs the order and works with an order ID.


I then did some manual enumeration, ordered something on the site and intercepted the requests with Burp. The order ID that appears in the proxied request is also visible in the final URL of the resulting PDF.


That means the PDF is generated dynamically from the order data, so user-controlled fields such as the item title end up inside the rendered document. With some help from the hint, I found that such dynamic PDF generators can be exploited by injecting HTML into the content they render.

Next, I followed the exploitation steps and put this payload in the title field:

    <iframe src=file:///etc/passwd height=1000px width=1000px></iframe>


After intercepting the request and changing the parameter, the generated PDF contained the contents of /etc/passwd. There is a user in the list: "angoose".


Now, since the site runs on Node.js, we can read the application's index.js and check it for sensitive configuration. To fetch index.js I used this payload:

    <iframe src=file:///var/www/dev/index.js height=1000px width=1000px></iframe>

The rendered index.js contained a hardcoded password:


User Flag :

I tried the recovered password with the "angoose" account and successfully logged in via SSH, where I got the user flag. (pwn3d!🙂)



Priv Esc :

For privilege escalation I always start with manual enumeration of the possible vectors and only then move on to LinPEAS or similar scripts. I started by checking the sudo permissions and got this:


I can run node with sudo on any script matching this wildcard path:

    /usr/bin/node /usr/local/scripts/*.js

Searching the internet I found a blog post that matched my situation exactly: the wildcard in the path lets us run a script of our own as root. sudo matches command-line arguments as a single string, and a "*" in an argument pattern also matches "/", so a path that walks out of /usr/local/scripts with ".." still satisfies the pattern.

The blog describes a straightforward and quick route to root.

I created a "test.js" file in /tmp containing this code, which spawns a shell with the caller's privileges (root, when run under sudo):

    require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Then I ran node with sudo. Because the sudoers rule uses a wildcard, I could reach my "test.js" through the allowed directory with a traversal path, which gave me a root shell. (pwn3d!🙂)

    sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js
