In this post, I would like to share a walkthrough of the Stocker Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the Stocker machine?


For the user flag, you will need to abuse the JSON exploitation to bypass the login which leads us to access the dashboard. We also are abusing the API application to obtain information on the credentials of the user.


As for the root flag, you need to abuse the node script to obtain root shell

Information Gathering on Stocker Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Let’s access the website interface


When we try to access the website by using the IP address of the machine, the page is been redirected to the domain “stocker.htb


From the website interface, nothing that looks interesting popup. As a result, let’s enumerate more on the directory and the subdomain


No obvious directory that we can analyze further.


However, we managed to retrieve a subdomain of the machine as dev.stocker.htb


The page has been redirected to a login page where we don’t have any credentials to use here.


Therefore, let’s try using the common username and password and try to inspect it via burpsuite


It looks like a dead-end on the credentials


When I change Content-Type to JSON type and i managed to found an potential directory that we can abuse in the future

Text

Description automatically generated

After a while, I was thinking that the login page might be vulnerable to NoSQL Injection which also exists within the Shoppy machine.


The exploit explanation can be found at HackTricks, ippsec video, and 0xdf walkthrough


If we successfully log in to the Dashboard, we will be directed to the page above.


The request on the page via burpsuite doesn’t show any malicious payload that we can abuse.

Inspecting the website interface using burpsuite

Graphical user interface

Description automatically generated with medium confidence

Let’s try to submit any purchase and try to inspect via burpsuite to find anything useful to exploit


The Request and Response for the purchase will look something as shown in the screenshot above.

Graphical user interface, application, Teams

Description automatically generated

The page of mentioning the response as “Thank you for your purchase!” will appear as shown above.

Graphical user interface, application

Description automatically generated

It does look like a Purchase Order for the item that we just recently bought from the website.

Text

Description automatically generated

I have a feeling that we can retrieve some information such as /etc/passwd by executing some Dangling Markup

Graphical user interface, text

Description automatically generated
Graphical user interface, text

Description automatically generated

Finally, it works as shown in the screenshot above.

Text

Description automatically generated

I might be able to make a wild guess with the directory that we might use to obtain any information.


Inside the index.js file, I notice there are some credentials such as passwords which we might be able to use for access via SSH service.


If the password is not correct, then we should find another credential on the machine itself

Text, website

Description automatically generated with medium confidence
Text

Description automatically generated

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

Text

Description automatically generated

As usual, we should be getting the SUID Binary by typing the command “sudo -l” and we managed to binary which is a node that can run any javascript

Text

Description automatically generated

Firstly, we need to check if bash permission doesn’t have any SUID permission

Text

Description automatically generated

Therefore, let’s create a js file that contains something as i do above.


After that, we should be able to run the command as shown above.


The bash file has been assigned to SUID which we will take advantage of it.

Graphical user interface, text

Description automatically generated

We can get root access by just typing the command “bash -p”


At last, we can read the root flag by typing the “cat root.txt” command

Extra Information