Hi there, I am malw_guy, a former Penetration-Tester, currently pursuing a degree in Electro-Communications. I've been nourishing my hacking skills since I was just a teenager; I started back when I was 13 (I'd like to keep my current age confidential). The purpose of this blog is to serve as a showcase / portfolio so people can grasp a lil' bit of my knowledge in the field. It should be noted that I am inclined to withhold public disclosure of the majority of my accomplishments in this particular field, primarily due to their involvement with governmental entities. However, should you possess a compelling reason to inquire further about these achievements, I am prepared to disclose them on a case-by-case basis, depending on the nature of your inquiry.
Featured
Machine: Stocker
Today we're looking into Stocker, and as usual we kick things off with nmap.

Nothing unusual, just the basic SSH and a web server on port 80. I checked the web server and found nothing interesting: no services to hijack or misconfigurations to play around with. I found some things in the source code, but nothing that could give us a foothold or help us get one. I tried directory busting, but everything returned 302, so I moved on to brute-forcing DNS. Check this link to clarify how gobuster works and why I used VHOST. Either way, we add dev.stocker.htb to our /etc/hosts file and we're ready to go.

Here we have a login page, finally something interesting and, of course, exploitable. I tried different ways to bypass the login, but nothing worked; the password field was being sanitized. I tried some login bypasses from here and luckily found one that worked.

Now let's see what this /stock is about. We add something to the cart and do the "purchase".

Now let's look at the order. In the PDF that the server generated from our purchase, if we use Burp to intercept the traffic, we can see that the information in the PDF is sent with the request; it is not generated on the web server itself, so we can modify it if we want to.

I found an exploit on the internet, and it looks like this.

Now let's rewrite our request, modify the JSON data, and open our PDF again to see if anything happened.

We can successfully display the contents of /etc/passwd, but the box in the PDF seems way too small for our output, so let's give our iframe the proper dimensions.

And our output will be perfect.

Now, we know from the nmap scan that the server runs on nginx. After a lil' bit of googling I found some default locations for the configuration file, so let's take a look into it.

This is still too small, so let's make the iframe even bigger.

We can see that in /var/www/dev there are some index files that might be interesting, so let's see what's in them.
The contents of our file are pretty long, but all we care about is this.

We know from /etc/passwd that there's no dev user; besides root there's only one user, called angoose, so let's try to SSH with that password.

Now just get the user flag.

Let's run sudo -l so we can see what permissions we have on the machine.

So we can run any .js file located in the /usr/local/scripts directory. Unfortunately we don't have write permissions on that folder, but /usr/local/scripts/*.js is vulnerable to path traversal because of the "*", so we can go into our home directory, create a file, and execute it as /usr/local/scripts/../../../home/angoose/ur_script.js. We can use the reverse shell from this website.

Alright, now let's write and execute our reverse shell. Also don't forget to start your netcat listener to catch the connection back, and that was it :)
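The PDF bug above comes down to the server trusting the order items in the client's JSON when it builds the HTML that the PDF engine renders. As an added example (not the box's or the author's code), here is a Node-style order renderer showing that vulnerable pattern beside a version that escapes and validates the fields, plus a check a defender could run over request bodies to spot markup in product titles; the item field names (title, price, quantity) are assumptions.

```javascript
// Added example, not code from the box or the write-up. It models the bug found above:
// order items from the client's JSON are rendered into the HTML a PDF engine consumes.
// The item field names (title, price, quantity) are assumptions.

// Vulnerable pattern: the request body is interpolated verbatim, so a title that
// contains an <iframe> tag is rendered by the PDF generator instead of shown as text.
function renderOrderUnsafe(items) {
  return items
    .map((i) => `<tr><td>${i.title}</td><td>${i.price}</td><td>${i.quantity}</td></tr>`)
    .join("");
}

// Hardened pattern: every user-controlled string is HTML-escaped and the numeric
// fields are coerced and validated before anything reaches the template.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function renderOrderSafe(items) {
  return items
    .map((i) => {
      const price = Number(i.price);
      const quantity = Number.parseInt(i.quantity, 10);
      if (!Number.isFinite(price) || price < 0 || !Number.isInteger(quantity) || quantity < 1) {
        throw new Error("invalid order item");
      }
      return `<tr><td>${escapeHtml(i.title)}</td><td>${price.toFixed(2)}</td><td>${quantity}</td></tr>`;
    })
    .join("");
}

// Detection helper for the application or proxy log: a product title carrying
// markup is the signal to alert on, since legitimate orders never contain tags.
function containsMarkup(items) {
  return items.some((i) => /<\s*\/?\s*[a-z]/i.test(String(i.title)));
}

// Constructed sample input of the kind the write-up describes (a title carrying an iframe).
const craftedOrder = [{ title: '<iframe src="file:///etc/passwd">', price: "1", quantity: "1" }];

console.log(renderOrderSafe(craftedOrder)); // the tag arrives in the PDF as literal text
```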