Got into the app and got stuck, any help?
this may be useful
#!/usr/bin/env node
'use strict';
const fs = require('fs');
const path = require('path');
// Read the file named "output" that sits next to this script and print it as-is.
const output = fs.readFileSync(path.join(__dirname, 'output'), 'utf8');
console.log(output);
This was a fun box, the web part had a similar bypass to another HTB machine. Do standard web enum and if you have Wappalyzer you can see what framework is being used, then you can google to know what language the backend DB uses, to then do the bypass.
Test the functionality of the app (intercept traffic in Burp), and see that something that you can control (via Burp) gets "reflected" in an output. This output can also be passed to exiftool to see what made it. Using this, look for some form of code attack on generating this form of output.
Root is pretty straight forward, see what you can do, and how to privesc with that from a common bin site. (There is a trick needed here, which is commonly used in web attacks but works well in this scenario as well)
Rooted !!
If you need help, write me a message and I will be happy to help you.
ROOTED!
So satisfying.
Did you get the shell?
I got the creds and connected via ssh. The way to root then was really simple…
Rooted.
Very good machine with an interesting vulnerability.
User:
- Sometimes it happens that developers test the code elsewhere.
- Do you think SQL is there? No. No SQL.
- Just like that, not a payload works. What needs to be changed?
- Look carefully at the fields passed to the application, maybe you can insert some kind of frame?
- You should already know the username. The password remains. What files can it be in?
Root:
- The path to the file to be executed is not always straight, sometimes you have to go forward and go back to get to another place.
Little hint for enumeration : VHost enumeration
Little hint for login page : NoSQL sure, but in which form ?
So satisfying!
Thank you for the forum discussion, got so much insight!! Got stuck during bypassing the login page because of a stupid mistake!! If stuck bypassing the login page, don't forget to check the Content-Type header.
I'm able to spot the subdomain using ffuf but it isn't showing up with gobuster. Anyone know if I'm missing a piece, as I want to know if the tool is still viable?
Yes, gobuster is still viable. However, in the latest versions you need to add the --append-domain switch with vhost enumeration.
Rooted! Hints provided above were helpful. Used chatGPT to get from user to root.
Rooted! To get the root for this one you gotta shoot for the star!
I could not connect to the site, the server doesn't even reply to my pings and shows no open ports. I'm using OpenVPN, can someone help me?
A lot of resets happening.
Hi
You can not connect to which site: the HTB MAIN site or the one in the STOCKER challenge? If it is the Stocker site I can help, otherwise bro check the HTB FAQs.
Come on guys, CHAT GPT, are you serious! What a hacker you will be, ask CHAT GPT to hack the NSA and see if it can lol, I doubt that haha
There are 2 open ports and the server in question is ON and responds properly, you should connect normally to the site; otherwise add the IP address in: subl /etc/hosts then refresh the page and it works! I suggest you start with another challenge if you do not know that, just saying, you have to learn how to walk before running.
It's the one in the Stocker challenge