Official Stocker Discussion

Try checking with S#$ %%%%%ion… It has a login mechanism, so something might be stored which you can exploit…

Umh, can’t recall, but the PE is the one I sent you before…

Absolutely, I sent you a DM related to it :heart:

Can someone give me a hint, I am so close: I found the mongodb-connection string in index.js but obviously cannot connect to it because the port is not open. Do I have to make another iframe injection? Or do I need a different file?

Never mind, I found it. DM me if you need help. :slight_smile:

Incorporating AI into cyber security is the future I think.


When I try to get to the subdomain …stocker.htb, I get a message “view router info” and a redirect to https://…stocker.htb/cgi-bin/index.cgi, which is my ISP info router stuff. I updated the etc/hosts file already also.
Yet, I’m able to get to stocker.htb with no problems.
What am I doing wrong here, that I can’t reach that URL?

Hello, I got to a really good point with the machine but I need to understand a quick thing before continuing, may I DM you?

Surely, any time you wish :heart:

I tried go******* and sub****** for enumeration but it keeps giving me an error on 301. I also added the file on etc/hosts, but to no avail. What’s the solution?

Worst box ever… I don’t know if it’s just for my VPN server or for everyone, but after bypassing login I can’t see the items and the “view cart” button is non-functional… It’s annoying because this is an easy box; a more difficult one showing such bad errors would’ve been more acceptable.

I think it’s your openvpn set up which is causing problems: I had a similar issue by visiting a website through a virtual machine with a vpn set up on my host machine. Maybe try to launch the openvpn instance in the vm you use to attack…

Hey, I got stuck when Burp tells me it found /login instead of /stock. All it does is web page not found. Do you know why this is? Thanks

Nice that you are able to solve this in 15 Minutes!

Can anyone please tell me about the payload format for the stock page? Is it JSON or other?


Hi all,
I can access the stock page, but it did not load any products. I even found the product API, but it was not showing anything.
Can anyone give me a hint?
Thanks

I am also having this problem. I tried last night and today after resetting the box.

Edit: it’s working now. Not sure what happened.

How can I exploit the stock page?? Please help me. I feel like I am going nuts.

Intercept your requests and regenerate the receipt PDF as it pleases you :heart:

How?? I am trying everything… It does not work…

{"username": {"$ne": null}, "password": {"$ne": null} }
" ’ db.basket.find"

None of them work.

Oh, you mean the login, your payload is correct, it may be a syntax error :smiling_face: