HackTheBox - Stocker

00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST detection mode to find the dev subdomain
03:50 - Intercepting a request to and seeing a cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express
05:00 - Explaining why I’m trying these injections
07:00 - Bypassing login with MongoDB injection by setting both username and password to not equals instead of equals
09:10 - Playing with the e-commerce store and seeing it gives us a PDF
10:45 - Using exiftool to see how the PDF was generated
12:05 - Inserting an HTML IFRAME when we purchase an item to see if the generated PDF will include local files
17:00 - Extracting /var/www/dev/ and getting the MongoDB password, which lets us log into the server
19:50 - The order numbers don’t appear to be that random, looking at the source code to identify how this is generated. It’s just mongo’s object ID which is heavily based upon time st
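
The 07:00 login bypass works because a JSON body can carry operator objects where the application expects strings. The sketch below is an added example, not code from the video or from the box: a constructed in-memory matcher stands in for MongoDB, and `loginWeak`, `loginHardened`, the user record and the field names are assumptions.

```javascript
// Added example: minimal stand-in for a MongoDB-style filter match, supporting
// only plain equality and the $ne operator (constructed, not a real driver).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      return false; // other operators are not modelled here
    }
    return doc[field] === cond;
  });
}

// Constructed sample data; a real application stores password hashes.
const users = [{ username: "alice", password: "constructed-secret" }];
const findOne = (filter) => users.find((u) => matches(u, filter)) || null;

// Weak: body fields go straight into the filter, so a JSON object such as
// {"$ne": null} is interpreted as an operator instead of compared as a value.
function loginWeak(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened: accept only primitive strings before building the filter.
function loginHardened(body) {
  const { username, password } = body || {};
  if (typeof username !== "string" || typeof password !== "string") {
    return null; // reject objects, arrays, numbers and missing fields
  }
  return findOne({ username, password });
}

// Body as a JSON parser such as express.json() would deliver it.
const operatorBody = JSON.parse(
  '{"username":{"$ne":null},"password":{"$ne":null}}'
);

console.log("weak login result:", loginWeak(operatorBody));
console.log("hardened login result:", loginHardened(operatorBody));
```

The same type check belongs on every field that reaches a query filter, not only on the login form.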