HackTheBox - Stocker

00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express
05:00 - Explaining why I'm trying these injections
07:00 - Bypassing login with mongodb injection by setting both username and password to not equals instead of equals
09:10 - Playing with the e-commerce store and seeing it gives us a PDF
10:45 - Using exiftool to see how the PDF was generated
12:05 - Inserting an HTML IFRAME when we purchase an item to see if the PDF Generated will include local files
17:00 - Extracting /var/www/dev/index.js and getting the mongodb password which lets us log into the server
19:50 - The order numbers don't appear to be that random, looking at the source code to identify how this is generated. It's just mongo's object ID which is heavily based upon time stamps
26:00 - Looking at sudo, we can perform a directory traversal to execute run any .js file as root
27:50 - Showing that you can now put regex in the Sudoers file which would fix this exploit

Support the originator by clicking the read the rest link below.