BambooInvoice 1.0.4 CSRF

by Vince
in Blog

BambooInvoice 1.0.4 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.

HackTheBox Node Walkthrough

by Vince
in Blog

I think at some point, I started this box but didn't finish it.  That's been known to happen -- I only allot so much time to this kind of thing.  As I wrapped up the box from yesterday, I saw this one, took a quick look and down the rabbit hole I went.  This box is interesting because I don't have a huge amount of experience with Node and I did a little bit of extra hunting.  Perhaps if I were more familiar with Node, I would have honed in on one piece sooner than later.

Anyway, I don't want to spoil anything so let's get rolling.  We kick off with Nmap:

HackTheBox Haircut Walkthrough

by Vince
in Blog

Dare I say this box was easy?  Maybe not for everyone, of course, but I will say this could be the quickest HtB box I've ever rooted.  There's a little bit of hunting and a little bit of creativity required.  Aside from that, take a look at what's in your hand and do some Googling; you can figure this one out quickly.

We kick off with Nmap:
