Short Overview
This box consists of several vulnerabilities:
- NoSQL Injection - Specifically the variant where the payload is sent as JSON; we use this vulnerability to bypass the login process.
- Server Side Template Injection - We could directly use HTML and inject an iframe whose src is set to /etc/passwd. After that we traverse the application itself to find the MongoDB user/password, and we used those to connect successfully to the machine with the password provided there. With that, we owned the User.
- Linux Privilege Escalation - Then we use sudo -l to check which commands we are allowed to execute with root privileges. We exploited the node executable, which runs with root privileges, to own the System.
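The login bypass in the first bullet works because a JSON body can carry an object where the server expects a string, and MongoDB then reads that object as a query operator. The following is an added example, not code from the write-up or from the box's application: a vulnerable login handler beside a hardened one, run against a constructed in-memory user list with a tiny matcher that supports only the operators needed here (the user collection, placeholder passwords, and the matcher are all assumptions).

```javascript
// Added example (not from the original write-up): why a JSON body lets a
// client turn a MongoDB equality match into an operator match, and how a
// type check on the credentials closes it. No database is required: a tiny
// in-memory matcher supports just the operators needed for the demonstration.

// Constructed sample user collection (placeholder credentials, not from the box).
const USERS = [
  { username: "admin", password: "s3cret-placeholder" },
  { username: "guest", password: "guest-placeholder" },
];

// Minimal subset of MongoDB query semantics: a field condition is either a
// literal (equality) or an object of operators such as {$ne: ...} / {$regex: ...}.
function fieldMatches(value, condition) {
  if (condition === null || typeof condition !== "object") {
    return value === condition;
  }
  return Object.entries(condition).every(([op, arg]) => {
    switch (op) {
      case "$ne": return value !== arg;
      case "$gt": return value > arg;
      case "$regex": return new RegExp(arg).test(value);
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Return the first document whose every queried field matches, or null.
function findOne(collection, query) {
  return collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond))
  ) || null;
}

// Vulnerable handler: the parsed JSON body is spliced straight into the query,
// so an object such as {"$ne": ""} is interpreted as an operator, not a password.
function loginVulnerable(body) {
  const user = findOne(USERS, { username: body.username, password: body.password });
  return user ? user.username : null;
}

// Hardened handler: credentials must be plain strings. Anything else (objects,
// arrays, numbers, missing fields) is rejected before it reaches the query.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null;
  }
  const user = findOne(USERS, { username: body.username, password: body.password });
  return user ? user.username : null;
}

// Constructed request bodies: one carrying operator objects instead of strings,
// one valid login, one wrong password.
const OPERATOR_BODY = JSON.parse('{"username": {"$ne": ""}, "password": {"$ne": ""}}');
const NORMAL_BODY = { username: "guest", password: "guest-placeholder" };
const WRONG_BODY = { username: "admin", password: "wrong" };

console.log("vulnerable / operator body:", loginVulnerable(OPERATOR_BODY)); // "admin"
console.log("hardened   / operator body:", loginHardened(OPERATOR_BODY));   // null
console.log("hardened   / valid body:   ", loginHardened(NORMAL_BODY));     // "guest"
```

The type check is the whole fix: a login form only ever needs two strings, so rejecting any other JSON type in those fields removes the operator path without having to enumerate MongoDB operators. Libraries that strip `$`-prefixed keys reach the same result, but a positive check on the expected type is simpler to reason about.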
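The second bullet describes a template that emits user input as raw HTML, which is what lets an iframe with a local-file src land in the rendered page. The following is an added example, not code from the write-up or the box: a minimal `{{name}}` renderer that interpolates raw values, beside the same renderer with HTML escaping, and a check that shows the escaped output no longer contains an iframe element. The template syntax, the renderer, and the sample input are assumptions.

```javascript
// Added example (not from the write-up): a tiny {{name}} template renderer that
// interpolates values raw, beside one that HTML-escapes them, to show why a
// template that emits user input unescaped lets markup from the request reach
// the page. The template syntax and the renderer are assumed, not the box's engine.

const TEMPLATE = "<p>Hello, {{name}}!</p>";

// Replace the five characters that carry HTML meaning with entities.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Substitute each {{key}} with context[key]; escape controls whether the value
// is treated as text (safe) or inserted verbatim as markup (unsafe).
function render(template, context, escape) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
    const value = Object.prototype.hasOwnProperty.call(context, key) ? context[key] : "";
    return escape ? escapeHtml(value) : String(value);
  });
}
const renderRaw = (template, context) => render(template, context, false);
const renderEscaped = (template, context) => render(template, context, true);

// Did an element with this tag name make it into the output as live markup?
function containsElement(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed input of the shape the write-up describes (placeholder, not the box's payload).
const INJECTED_NAME = '<iframe src="/etc/passwd"></iframe>';

console.log(renderRaw(TEMPLATE, { name: INJECTED_NAME }));     // live <iframe> in the page
console.log(renderEscaped(TEMPLATE, { name: INJECTED_NAME })); // inert text: &lt;iframe ...
```

Most Node template engines escape by default and expose a separate "raw" or "unescaped" syntax; the vulnerable case is usually a template that uses the raw form, or code that builds HTML with string concatenation before handing it to the engine. Reviewing for those two patterns is the practical check.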
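The third bullet turns on a sudo rule that lets an unprivileged user run node as root, and such rules are easy to find by auditing the output of sudo -l. The following is an added example, not code from the write-up: a parser for sudo -l style rule lines that flags any rule running a general-purpose interpreter (or ALL) as root. The sample output is constructed, and the interpreter list is an assumed starting point rather than a complete one.

```javascript
// Added example (not from the write-up): an audit over the output of `sudo -l`
// that flags rules letting a user run a general-purpose interpreter as root,
// the kind of grant the write-up found for node. The sample output below is
// constructed, and the interpreter list is an assumed starting point.

const SAMPLE_SUDO_L = `Matching Defaults entries for www-data on box:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on box:
    (ALL) NOPASSWD: /usr/bin/node
    (root) /usr/bin/systemctl restart app.service
    (ALL : ALL) ALL`;

// Binaries that execute arbitrary code when run, so a root grant on one of
// them is effectively a root grant on everything (assumed list, extend as needed).
const INTERPRETERS = new Set(["node", "python", "python3", "perl", "ruby", "sh", "bash"]);

// Parse rule lines of the form "(runas[ : group]) [TAG: ...] command [args]".
function parseSudoRules(output) {
  const rules = [];
  const ruleRe = /^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$/;
  for (const line of output.split("\n")) {
    const m = ruleRe.exec(line);
    if (!m) continue;
    const [runas] = m[1].split(":").map((s) => s.trim());
    const tags = m[2].split(":").map((s) => s.trim()).filter(Boolean);
    const command = m[3].trim().split(/\s+/)[0];
    rules.push({ runas, tags, command, line: line.trim() });
  }
  return rules;
}

// Does the rule run as root (explicitly or via ALL)?
function grantsRoot(rule) {
  return rule.runas === "ALL" || rule.runas === "root";
}

// A rule is risky when it runs as root and the command is ALL or an interpreter.
function auditSudoRules(output) {
  return parseSudoRules(output)
    .filter(grantsRoot)
    .filter((r) => r.command === "ALL" || INTERPRETERS.has(r.command.split("/").pop()))
    .map((r) => r.line);
}

for (const flagged of auditSudoRules(SAMPLE_SUDO_L)) {
  console.log("risky sudo rule:", flagged);
}
```

On the sample above the audit reports the node rule and the unrestricted ALL rule, and leaves the scoped systemctl rule alone. The fix on the system side is the usual one: grant a specific script or binary with fixed arguments rather than an interpreter, and drop NOPASSWD where it is not strictly required.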