The Stocker machine in HackTheBox is a challenging virtual machine designed to test and improve penetration testing skills. This machine revolves around a web application hosted on an NGINX web server. The goal is to identify and exploit various vulnerabilities within the application to gain unauthorized access, escalate privileges find user and root flags.
Network Enumeration
The initial reconnaissance begins with a Nmap scan
nmap 10.10.11.196-sC -sV -Pn -oA nmap_10.10.11.196.log
During the Nmap scan, port 80 was discovered to be open on the target system. Port 80 is commonly used for HTTP traffic, so this indicated the presence of a web server running on the target. To confirm this, the web server was accessed using a web browser. The browser displayed a home page for a web application hosted on the target system, confirming the presence of the web server and its availability on port 80.
Directory/Subdomain enumeration
Gobuster was used for directory and subdomain enumeration on the discovered web application. SecLists was used as a wordlist for both requirements.
gobuster dir -u 10.10.11.196 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txtDirectory enumeration did not reveal any important directories or files.
gobuster vhost -u 10.10.11.196 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain 
Nevertheless, Subdomain enumeration successfully identified a subdomain named “dev.stocker.htb”.
We cannot use the DNS Mode here as this is an HTB Machine. The VHOST mode should not be mistaken to be the same as the DNS mode. In the DNS mode, the tool attempts to DNS resolve the subdomains and based on that we are given the result. In VHOST mode, the tool checks if the subdomain exists by visiting the formed URL and verifying the IP address.
Upon visiting the subdomain in a web browser, a login page was discovered.
Exploitation
After capturing the login request using Burp Suite, the request was then passed onto the sqlmap tool to check for any RDBMS database injection vulnerabilities.
However, the scan was unsuccessful in finding any potential vulnerabilities.
NO-SQL Injection
Further analysis using the Burp suite revealed that the login page was vulnerable to NoSQL injection and a basic authentication bypass was possible. The identified vulnerability allowed for the bypass of the authentication process by using a payload from Hacktricks.
{"username":{"$ne":"dummyusername123"},"password":{"$ne":"dummypassword123"}}
Forwarding this request resulted in the successful authentication bypass to dev.stocker.htb/stock.
Server-Side Template Injection(SSTI)
Furthermore, I found a PDF report generation feature in the cart purchase process that was vulnerable to arbitrary HTML code injection. The ‘title’ field from the order POST was rendered in the PDF output, which could be exploited further for SSTI
The HTML iframe tag payload shown below was used to read the contents of the ‘/etc/passwd’ file.
<iframe src=file:///etc/passwd height=1000px width=800px></iframe> The height and width values can be adjusted accordingly
The HTML injection was successful in accessing the /etc/passwd file, which contained information about the system users. By analyzing the file, it was discovered that a user named “angoose” was present in the system. This information can be used to further investigate the user and determine if any vulnerabilities exist related to their account.
During the previous Nmap scan, it was discovered that the web application was running on an NGINX web server. In NGINX, all configuration files are located in the /etc/nginx/ directory, with the primary configuration file located in /etc/nginx/nginx.conf. We tried to gain further insight into the web application’s configuration and potentially identify any security vulnerabilities or misconfigurations using the same SSTI vulnerability.
The HTML iframe tag shown below was used to read ‘/etc/nginx/nginx.conf ‘ file:
<iframe src=file:///etc/nginx/nginx.conf=1000px width=800px></iframe> 
During the analysis of the NGINX configuration file, it was discovered that the default working directory for the web application was set to ‘/var/www/dev’ and there is an index.html file in that web application.
This directory is typically used to store web files and is a common location for web applications to be deployed on an NGINX web server. Assuming that an index.js file is located in ‘/var/www/dev’ itself, the previous Server-Side Template Injection (SSTI) vulnerability can be leveraged to print the output of index.js in the invoice PDF file.
The HTML iframe tag shown below was used to read ‘/var/www/dev/index.html’ file:
<iframe src=file:///var/www/dev/index.html=1000px width=800px></iframe> 
The credentials for the MongoDB database were discovered in the index.js file. However, the exact username was not present in the file. As a basic assumption, it was made that the previously identified username “angoose” was the development user. Using this assumption, the identified credentials were used to access an open port discovered in an Nmap scan, in which SSH was running.
Privilege Escalation
After conducting further analysis of the user “angoose,” it was determined that this user is not a root user. However, it was discovered that the user has permission to execute a node.js binary as root. This binary can be used for privilege escalation. By leveraging this binary, it is possible to gain elevated privileges and access to the system.
Further investigation of the user “angoose” revealed that the user has the ability to run any file with the .js format located in the ‘/usr/local/scripts’ directory using the ‘/usr/bin/node’ binary. However, upon inspection of this directory, no JavaScript files were found. Additionally, it was discovered that the user did not have write permission in this directory, making it impossible to place an exploit there to get a shell with root privileges.
As a workaround, the JavaScript exploit was placed in the /tmp folder, where the user had write permission. The below JavaScript exploit was used to call /bin/sh shell as a child process of Node.js. The {stdio: [0, 1, 2]} option specifies that the standard input, output, and error streams of the new process should be connected to those of the current process. This effectively creates a new shell process that runs with the root permissions and environment as the current process.
require("child_process").spawn("/bin/sh", {stdio: [0,1,2]})A reverse directory traversal method was then used to execute the exploit with the /usr/bin/node binary
After successfully executing the JavaScript exploit on the target machine using the reverse directory traversal method, a shell with root privilege connection was obtained
Post Exploitation
the goal was to find both the user flag and root flag on a compromised system. After successfully gaining access to the system the user flag was found in the home directory of the compromised user ‘angoose’, while the root flag was located in the root directory.
In conclusion, the Stocker machine in HackTheBox provided an exciting and challenging penetration testing experience. Through careful enumeration and exploitation, we were able to uncover multiple vulnerabilities in the web application hosted on the target system.
