HackTheBox - Stocker

00:00 - Introduction 00:56 - Start of nmap 02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain 03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express 05:00 - Explaining why I'm trying these injections 07:00 - Bypassing login with mongodb injection by setting both username and password to not equals instead of equals 09:10 - Playing with the e-commerce store and seeing it gives us a PDF 10:45 - Using exiftool to see how the PDF was generated 12:05 - Inserting an HTML IFRAME when we purchase an item to see if the PDF Generated will include local files 17:00 - Extracting /var/www/dev/index.js and getting the mongodb password which lets us log into the server 19:50 - The order numbers don't appear to be that random, looking at the source code to identify how this is generated. It's just mongo's object ID which is heavily based upon time stamps 26:00 - Looking at sudo, we can perform a directory traversal to execute run any .js file as root 27:50 - Showing that you can now put regex in the Sudoers file which would fix this exploit