In this post, I would like to share a walkthrough of the Stocker machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Stocker machine?
For the user flag, you need to bypass the login with a NoSQL injection sent as a JSON body, which gets us into the dashboard. From there, the purchase-order feature is abused to read files on the server and recover the user's credentials.
For the root flag, you abuse a Node.js script that runs with root privileges to obtain a root shell.
Information Gathering on Stocker Machine
Once the VPN connection is up (the OpenVPN configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>
Let’s access the website interface
When we try to access the website using the IP address of the machine, the page redirects to the domain "stocker.htb", so the hostname has to resolve locally (for example, through an /etc/hosts entry) before the site can be browsed.
Nothing interesting stands out on the website interface, so let's enumerate further: directories first, then subdomains.
No obvious directory turns up that we can analyze further.
However, we managed to find a subdomain of the machine, dev.stocker.htb.
It redirects to a login page, and we don't have any credentials to use here.
Therefore, let's try a few common username and password combinations and inspect the requests in Burp Suite.
Guessing credentials looks like a dead end.
When I changed the Content-Type of the login request to JSON, I found a potential vector that we could abuse later.
After a while, I thought the login page might be vulnerable to NoSQL injection, the same weakness that exists in the Shoppy machine.
Once we successfully log in, we are directed to the dashboard shown above.
Inspecting the dashboard requests in Burp Suite doesn't reveal any obvious payload that we can abuse.
Inspecting the website interface using burpsuite
Let's submit a purchase and inspect it in Burp Suite to find anything useful to exploit.
The request and response for the purchase look like the screenshot above.
A page with the response "Thank you for your purchase!" then appears, as shown above.
It looks like a purchase order for the item we just bought, generated on the server from the values we submitted.
I have a feeling that we can retrieve server files such as /etc/passwd by injecting markup into the purchase order (dangling markup / HTML injection, since our input ends up inside the generated document).
Finally, it works, as shown in the screenshot above.
With file read working, I can make an educated guess at the directory holding the application source and read it the same way.
Inside the index.js file, I notice credentials, including a password, that we might be able to reuse for the SSH service.
If that password doesn't work for SSH, we should look for another credential on the machine itself.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
First, we check whether /bin/bash already has the SUID bit set (ls -l /bin/bash); at this point it does not.
Therefore, let's create a JavaScript file with content like the one I show above.
After that, we run it as shown above.
The bash binary now has the SUID bit set, which we can take advantage of.
We can get root access by running bash -p (the -p flag keeps the effective uid instead of dropping it).
At last, we can read the root flag with the "cat root.txt" command.