@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/10/30/htb-store.html
  • Blog Title: HTB: Store — URL-encoded traversal + static XOR → secrets → Node inspector RCE → Chrome debug root
  • Suggested Section: Pentesting Web -> Path Traversal / LFI (Express/Node.js URL-encoding bypass) with notes on Node.js Inspector RCE and SSH port-forwarding

🎯 Content Summary

Target: HackTheBox machine “Store” (Linux). Node.js/Express app exposes upload/list/read endpoints and serves requested file bytes inline via a data: URL. The app XORs file contents with a static 9-byte key and stores encrypted copies under a web-served tmp directory and in SFTP.

Recon

nmap -p- -vvv --min-rate 10000 10.129.31.17
nmap -p 22,5000,5001,5002 -sCV 10.129.31.17
Open TCP: 22/ssh (OpenSSH 8.9p1 Ubuntu), 5000/5001/5002 (Node.js/Express; i...

🔧 Technical Details

Static XOR decryption via known-plaintext: When ciphertext length equals plaintext and a reusable key/keystream is suspected, XOR a known plaintext with its ciphertext to derive the repeating keystream (here 9 bytes: Hm9zeWC38). Reuse it to decrypt any blob produced by the same XOR routine.

Traversal bypass on naive path.normalize checks: If a server builds base + userInput and only verifies normalize(full)==full, encode separators (%2F) so Express decodes them into / later. Even if normalization causes a download step to be skipped, any subsequent file I/O against the original concatenated path can resolve outside the intended directory and read arbitrary files.

Decrypting XOR’d LFI embedded as data: URLs: Some endpoints return bytes in data:*;base64,.... Extract the base64, decode, and XOR with the recovered keystream to restore plaintext for arbitrary files ...

🤖 Agent Actions

I explored the repository and identified the best place to integrate this content as the NodeJS/Express page, since the blog’s core techniques revolve around Express path traversal, XOR-transformed reads embedded as data URLs, and pivoting to Node’s inspector for RCE. I updated a single file accordingly:

Updated file:

  • src/network-services-pentesting/pentesting-web/nodejs-express.md

What I added:

  • Express-specific path traversal technique via URL-encoded separators (%2F) with an unsafe path.normalize equality check anti-pattern, including exploitation approach and a secure validation pattern using path.resolve + startsWith.
  • Handling data: URL responses that contain XOR’d bytes, with a concise known-plaintext keystream derivation workflow and decryption of arbitrary reads. Included a compact derivation snippet and an expandable PoC script that automates traversal + base64 extraction + XOR decrypt.
  • Pivoting via LFI into /proc/self/environ and /proc/self/cmdline to locate --inspect details and runtime context.
  • Reaching localhost-bound Node inspector via SSH port forwarding even with forced SFTP, with a simple ssh -L example and a node inspect attachment note.
  • A note on Chrome DevTools remote debugging ports and a cross-reference to the existing comprehensive internal page on Node inspector/CEF/Chrome DevTools abuse.
  • Internal refs to:
    • ../../pentesting-web/file-inclusion/README.md (for generic LFI/traversal).
    • ../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md (for inspector/DevTools abuse details).
  • References section with:
    • 0xdf’s blog post URL.
    • Node.js inspector docs.
    • Chrome DevTools Protocol page.
    • feroxbuster and SecLists repos.

I kept the style concise and technical with code blocks and an expandable PoC. I verified internal ref paths and ensured the “## References” section is present before the closing banner include.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
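The normalize-equality anti-pattern and the path.resolve + startsWith check described in the comment above, side by side, as an added example (not code from the blog post or the HackTricks page); the base directory and the probe inputs are constructed:

```javascript
const path = require("path").posix; // posix semantics so the demo behaves the same everywhere

// Constructed: the directory the app intends to serve files from.
const BASE = path.resolve("/var/app/uploads");

// Anti-pattern described in the PR: concatenate base + userInput and accept it
// when normalize() leaves the string unchanged. A plain "../" is caught, but an
// encoded "..%2F" is one opaque path segment, so the check passes.
function unsafeResolve(userInput) {
  const full = BASE + "/" + userInput;
  if (path.normalize(full) !== full) return null; // "traversal detected"
  // Later file I/O runs on the decoded form (Express decodes %2F in route
  // params), which normalize() now collapses to a path outside BASE.
  return path.normalize(decodeURIComponent(full));
}

// Hardened pattern from the PR: decode first, resolve against BASE, then require
// the result to stay under BASE. The trailing separator matters so that a
// sibling such as "/var/app/uploads-old" cannot pass as a prefix match.
function safeResolve(userInput) {
  let decoded;
  try {
    decoded = decodeURIComponent(userInput);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // reject NUL bytes outright
  const full = path.resolve(BASE, decoded);
  return full.startsWith(BASE + "/") ? full : null;
}

// Run both resolvers over the same inputs; returns { input: [unsafe, safe] }.
function compare(inputs) {
  const out = {};
  for (const i of inputs) out[i] = [unsafeResolve(i), safeResolve(i)];
  return out;
}

if (require.main === module) {
  console.table(compare(["report.txt", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"]));
}
```

The table shows the encoded input slipping past the equality check and landing on /etc/passwd, while the hardened resolver rejects it and still accepts ordinary names such as sub/../report.txt.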
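The known-plaintext keystream recovery and the data: URL handling from the Technical Details above, as an added example (not from the blog post or the HackTricks page) showing why a static XOR key offers no confidentiality once a single plaintext is known. The key value is the 9-byte one quoted in the comment, the sample files are constructed, and detecting the key period automatically goes slightly beyond what the text describes:

```javascript
// Static XOR key as quoted in the PR (9 bytes). The files below are constructed.
const KEY = Buffer.from("Hm9zeWC38", "latin1");

// XOR buf with a repeating key: byte i is XORed with key[i % key.length].
// Encrypting and decrypting are the same operation.
function xorRepeating(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// P ^ C yields the keystream; the smallest p with stream[i] == stream[i-p] for
// every i >= p is the key length. Returns 0 if no period <= maxLen fits.
function detectPeriod(stream, maxLen = 64) {
  for (let p = 1; p <= Math.min(maxLen, stream.length - 1); p++) {
    let ok = true;
    for (let i = p; i < stream.length && ok; i++) ok = stream[i] === stream[i - p];
    if (ok) return p;
  }
  return 0;
}

// Known-plaintext recovery: one file whose plaintext and XOR'd copy are both
// available gives up the entire key, provided the file spans one full period.
function recoverKey(plaintext, ciphertext) {
  if (plaintext.length !== ciphertext.length) throw new Error("length mismatch");
  const stream = xorRepeating(plaintext, ciphertext); // equal lengths, so no wrap
  const period = detectPeriod(stream);
  if (period === 0) throw new Error("no repeating period found");
  return stream.subarray(0, period);
}

// Split "data:<mime>;base64,<payload>" and decode the payload.
function decodeDataUrl(url) {
  const m = /^data:[^,]*;base64,(.*)$/s.exec(url);
  if (!m) throw new Error("not a base64 data: URL");
  return Buffer.from(m[1], "base64");
}

// Constructed walkthrough: a file whose contents are already known, its XOR'd
// copy, and a second blob served inline as a data: URL.
const knownPlain = Buffer.from("User: alice\nRole: reader\n", "utf8");
const knownCipher = xorRepeating(knownPlain, KEY);
const recoveredKey = recoverKey(knownPlain, knownCipher);

const otherCipher = xorRepeating(Buffer.from("DB_PASS=example-only\n", "utf8"), KEY);
const dataUrl = "data:application/octet-stream;base64," + otherCipher.toString("base64");
const recoveredPlain = xorRepeating(decodeDataUrl(dataUrl), recoveredKey).toString("utf8");
```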

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/10/30/htb-store.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Path Traversal / LFI (Express/Node.js URL-encoding bypass) with notes on Node.js Inspector RCE and SSH port-forwarding".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
