Official Stocker Discussion

Got into the app and got stuck, any help?

this may be useful :wink:

#!/usr/bin/env node
‘use strict’;

const fs = require(‘fs’);
const path = require(‘path’);
const output = fs.readFileSync(path.join(__dirname, ‘output’), ‘utf8’);

This was a fun box, the web part had a similar bypass to another HTB machine. Do standard web enum and If you have wappalyzer you can see what framework is being used, then you can google to know what language the backend DB uses, to then do the bypass.

Test functionality of the app (intercept traffic in burp), and see that something that you can control (via burp) gets “reflected” in an output. This output can also be passed to exiftool to see what made it. Using this look for some form of code attack on generating this form of output.

Root is pretty straight forward, see what you can do, and how to privesc with that from a common bin site. (There is a trick needed here, which is commonly used in web attacks but works well in this scenario as well)


:package: ¡¡ Rooted !! :package:

If you need help, write me a message and I will be happy to help you. :grin:

1 Like


So satisfying.

1 Like

Did you get the shell?

I got the creds and connected via ssh. The way to root then was really simple…

1 Like

Rooted. :melting_face:
Very good machine with an interesting vulnerability.

  • Sometimes it happens that developers test the code elsewhere.
  • Do you think SQL is there? No. No SQL.
  • Just like that, not a payload works. What needs to be changed?
  • Look carefully at the fields passed to the application, maybe you can insert some kind of frame?
  • You should already know the username. The password remains. What files can it be in?


  • The path to the file to be executed is not always straight, sometimes you have to go forward and go back to get to another place.
1 Like

Little hint for enumeration : VHost enumeration
Little hint for login page : NoSQL sure, but in which form ?

So satisfying!

Thank you for the forum discussion got so much insight!! Got stuck during bypass the login page cause stupid mistake!! if stuck in bypass the login page don’t forget to check the content-type header

1 Like

I’m able to spot the subdomain using ffuf but it isnt showing up with gobuster. Anyone know if I’m missing a piece as I want to know if the tool is still viable

Yes, gobuster is still viable. However, in the latest versions you need to add the --append-domain switch with vhost enumeration.

1 Like

Rooted! Hints provided above were helpful. Used chatGPT to get from user to root.


Rooted! To get the root for this one you gotta shoot for the star!

I could not connect to the site, the server doesn’t even reply to my pings and shows no open ports. I’m using OpenVPN, can someone help me?

A lot of resets happening.


You can not connect to which site: to the HTB MAIN site or the one in the STOCKER challenge ? if it is the stocker’site I can help ohterwise bro check HTB FAQ’s.

Come on guys CHAT GPT are you serious ! what a hacker you will do ask CHAT GPT to hack the NSA see if it can lol I doubt about that haha

there is 2 open ports and the server in question is ON and respond properly you should connect normaly to the site otherwise add the IP address in: subl /etc/hosts then refresh the page and it works ! I suggest you to start by another challenge if you do not know that just saying you have to learn how to walk before running :stuck_out_tongue_winking_eye:

It’s the one in the Stocker challenge