This box consists of several vulnerabilities:
- NoSQL Injection - Specifically the part where the payload is sent as JSON; we use this vulnerability to bypass the login process.
- Server Side Template Injection - We could directly use HTML and then inject an element whose `src` is set to `/etc/passwd`. After that we traverse the application itself to find the MongoDB user/password, and we used those to connect successfully to the machine using the password provided there. With that, we owned the User.
- Linux Privilege Escalation - Then we use `sudo -l` to check what commands we are allowed to execute with root privileges, and we exploited the `node` executable, which runs with root privileges, to own the System.
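As an added example that is not part of this write-up: the login bypass works because the application copies request JSON straight into its MongoDB filter, so a nested object lands where a string was expected. The hardened version type-checks each field before any query is built. The function names and the request bodies are constructed for illustration, not taken from the box.

```javascript
// Added example (not code from the box or the write-up). Shows the login
// handler pattern behind the NoSQL injection and one defensive fix.
// No database is needed; the point is what reaches the query filter.

// Vulnerable pattern: whatever JSON arrives in `username` / `password` is
// placed verbatim into the filter. MongoDB query operators arrive as nested
// objects, so an object is accepted where only a plain string should be.
function buildFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: accept only non-empty strings of bounded length; reject
// objects, arrays, numbers and missing fields before a query is ever built.
function buildFilterSafe(body) {
  const filter = {};
  for (const field of ['username', 'password']) {
    const value = body[field];
    if (typeof value !== 'string' || value.length === 0 || value.length > 128) {
      throw new TypeError(`field "${field}" must be a non-empty string`);
    }
    filter[field] = value;
  }
  return filter;
}

// Constructed request bodies: one ordinary login, one with a nested object
// in place of the password string (the shape a query operator would take).
const normalLogin = { username: 'alice', password: 'correct horse battery' };
const nestedLogin = { username: 'alice', password: { nested: 'object' } };

// Summarise what each builder does with both inputs.
function demo() {
  const result = {
    unsafePassesObject: typeof buildFilterUnsafe(nestedLogin).password === 'object',
    safeAcceptsNormal: buildFilterSafe(normalLogin).username === 'alice',
    safeRejectsObject: false,
  };
  try {
    buildFilterSafe(nestedLogin);
  } catch (err) {
    result.safeRejectsObject = err instanceof TypeError;
  }
  return result;
}
```

The same check belongs on every field that is interpolated into a filter, not only the login form; a schema validator applied to the whole request body achieves it more uniformly.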