# GLITCH

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBmCdTY93AdwiOxM3V%2Fimage.png?alt=media\&token=6e931e4d-17ae-4681-8d7c-23abe1af07c8)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so nmap does not skip the host if it drops ping probes:

```
nmap -Pn 10.10.81.21
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBmsewS-QmeLCdemhV%2Fimage.png?alt=media\&token=ac686e98-2098-45e0-a3ae-e75bde7780f8)

Detailed nmap scan of the port found above:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p 80**): Only scan port 80
* (**-oN nmap**): Save the output in normal format to a file called `nmap`

```
nmap -sV -sC -p 80 -oN nmap 10.10.81.21
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBn1A0_ogY7jDujS9R%2Fimage.png?alt=media\&token=281fe6fd-a199-4540-9cde-77a66a2507b8)

## Enumeration

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBn7q71OS6cQFFsRfQ%2Fimage.png?alt=media\&token=b657012c-1cd8-46ae-9e82-8889069fd0e5)

There is nothing on the page, so let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBnFBAnZo5RoMvpoJS%2Fimage.png?alt=media\&token=a3cabdea-3141-46c0-bd4b-246a65153bb4)

We can see that a `getAccess()` function is defined but never called. Let's open the developer tools (`Ctrl + Shift + I`, or `F12`), go to the Console tab and call the function ourselves:

```
getAccess()
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBnueqkjTYSlZRjrZY%2Fimage.png?alt=media\&token=80485a1a-05f5-4b5c-8aa2-0208bd5deb7b)

We get back a base64 string; let's decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBo5UYgci0uavdDumF%2Fimage.png?alt=media\&token=6b341947-c386-40d8-a00a-2811775236a1)

The first room question asks about a token, so let's look at the cookies the site sets (Storage tab in the developer tools).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBoI-iKde45BMetpiU%2Fimage.png?alt=media\&token=ea9ad0a6-efd1-44c6-8c99-5745ba9b8f38)

Let's replace the current value of the `token` cookie with the token we just decoded.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBomTcxidhvI_wywi4%2Fimage.png?alt=media\&token=d4070bc4-c7e9-4821-9f83-a46b09167570)

Now refresh the page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBora4XdPRYqlzvuwV%2Fimage.png?alt=media\&token=7c4f6329-ff8e-4e42-8d03-22fd59bb89ff)

We get a different page. Let's look at its source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBpNHExIvKgJosRw3I%2Fimage.png?alt=media\&token=ca10f8e7-ff9b-4257-8741-f223058fa6bd)

There is a `script.js` file included at the end; let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBMtf7RdM7SDUiYSnJ%2F-McBp_PZWTTkk5nK1vaO%2Fimage.png?alt=media\&token=4ccd4869-52ab-4fb4-898d-bd89c8133cb8)

Looking through the script, there is an `/api/items` endpoint that is being fetched. Let's go check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBqKARyscTa2MDleA0%2F-McBqV-tTyuXQb4adErg%2Fimage.png?alt=media\&token=d23a7cf2-285a-4c24-8c12-21187f585f8c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBqKARyscTa2MDleA0%2F-McBqR8QvpWeAPRYSjT3%2Fimage.png?alt=media\&token=c0929d00-aaec-4465-b78e-e260360e5f2f)

There seems to be nothing interesting. Here I was stuck, so I looked at the hint TryHackMe gave us.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBqKARyscTa2MDleA0%2F-McBqvoUqbYjaWdsLn8i%2Fimage.png?alt=media\&token=6a01a1c6-f953-44b9-ac3a-80a0464609bb)

So now let's catch the request with Burp Suite and send it to Repeater.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBqKARyscTa2MDleA0%2F-McBs03J6niVJ5S3wRJK%2Fimage.png?alt=media\&token=ba47fd83-9699-4c80-ae32-f3b3b78debcc)

It is a `GET` request; let's change the method to `POST`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBqKARyscTa2MDleA0%2F-McBs8fjMN0VmZvwFVPP%2Fimage.png?alt=media\&token=ef1947f0-04a7-49f4-9d1a-d030fbae4228)

This is more interesting: the endpoint accepts `POST` requests as well, and the response tells us it expects a parameter, without saying which one. Let's fuzz the parameter name with ffuf, filtering out responses that are the same size as the "missing parameter" reply (`-fs 45`) and matching every status code (`-mc all`) so that a 500 from a valid parameter is not discarded:

```
ffuf -w /usr/share/wordlists/dirb/common.txt -X POST -u http://10.10.81.21/api/items?FUZZ=test -fs 45 -mc all
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McBvRXnEfPo37FJULrZ%2Fimage.png?alt=media\&token=baace960-b97c-4ad0-b0b4-9f13df0762b5)
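The ffuf command above works by response-size filtering: every candidate name is sent once, and any response whose body is not the 45-byte "missing parameter" reply is reported. The following Node.js snippet is an added example, not part of the original write-up or of the room, that makes that filtering step explicit. The transport is injected so the same function can run against a constructed fake endpoint offline; the 45-byte baseline and the fake server's messages are assumptions modelled on the screenshots, not data captured from the box.

```javascript
// Added example (not from the original write-up): parameter-name fuzzing with
// response-size filtering, the logic behind `ffuf -X POST -u .../api/items?FUZZ=test -fs 45 -mc all`.

const BASELINE_SIZE = 45; // assumed size of the "parameter missing" reply (ffuf -fs 45)

// A response is interesting when its body size differs from the baseline,
// regardless of status code (that is what `-mc all` gives us).
function isInteresting(body, baselineSize = BASELINE_SIZE) {
  return Buffer.byteLength(body, 'utf8') !== baselineSize;
}

// Send one POST per candidate name and keep the names whose reply deviates from the baseline.
// `sendRequest(method, url)` must resolve to { status, body } so the transport can be swapped.
async function fuzzParams(baseUrl, wordlist, sendRequest, baselineSize = BASELINE_SIZE) {
  const hits = [];
  for (const word of wordlist) {
    const url = `${baseUrl}?${encodeURIComponent(word)}=test`;
    const { status, body } = await sendRequest('POST', url);
    if (isInteresting(body, baselineSize)) {
      hits.push({ param: word, status, size: Buffer.byteLength(body, 'utf8') });
    }
  }
  return hits;
}

// Real transport for a live target (Node 18+ has a global fetch).
async function httpSend(method, url) {
  const res = await fetch(url, { method });
  return { status: res.status, body: await res.text() };
}

// Constructed fake endpoint for offline use: answers with a fixed 45-byte error
// unless a `cmd` parameter is present, in which case the unknown value blows up in eval().
async function fakeSend(method, url) {
  const params = new URL(url).searchParams;
  if (method === 'POST' && params.has('cmd')) {
    return { status: 500, body: 'ReferenceError: test is not defined' };
  }
  return { status: 200, body: JSON.stringify({ message: 'parameter missing' }).padEnd(45) };
}

// Usage against the constructed endpoint; swap fakeSend for httpSend on a live box.
fuzzParams('http://10.10.81.21/api/items', ['admin', 'cmd', 'id', 'user'], fakeSend)
  .then((hits) => console.log(hits));
```

The important design point is the baseline: record the size of the "nothing found" response first, then filter on it. Filtering on status code alone would have hidden `cmd`, because the only thing a valid name changes here is that the server throws a 500.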

Looks like `cmd` is the parameter. Let's send a `POST` request to the endpoint with the `cmd` parameter set.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McBw-pMokeezFS-V44A%2Fimage.png?alt=media\&token=64093f06-6e7c-4ca2-beab-352e2eb4bd1e)

Looking at the error output, we can see `eval` in the stack trace, which means the value of `cmd` is being evaluated as JavaScript on the server. I went searching on Google and found this [article](https://medium.com/@sebnemK/node-js-rce-and-a-simple-reverse-shell-ctf-1b2de51c1a44) that gives a breakdown of how `eval` in a Node.js app can be exploited to gain RCE on the machine.
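To make the bug concrete, here is an added example (not the room's source code, which we only see through its error message) of an Express-style `/api/items` handler that reproduces the `eval` pattern, next to a hardened version that treats `cmd` as a selector over fixed operations instead of as code. The request and response objects are plain stubs so it runs without Express; the exact error wording and the item data are assumptions.

```javascript
// Added example, not code from the room: the eval pattern behind /api/items and a fix.

// Vulnerable: whatever arrives in `cmd` is handed straight to eval(), so an attacker
// can send `require('child_process').exec(...)` and run commands as the app's user.
function vulnerableItemsHandler(req, res) {
  const { cmd } = req.query;
  if (cmd === undefined) {
    return res.status(400).json({ message: 'parameter missing' }); // assumed wording
  }
  try {
    return res.status(200).json({ result: String(eval(cmd)) }); // the RCE sink
  } catch (err) {
    // Returning err.stack is what leaked "eval" to us when cmd was not valid JavaScript.
    return res.status(500).send(err.stack);
  }
}

// Hardened: `cmd` selects one of a fixed set of operations and is never evaluated.
const ITEMS = ['lorem', 'ipsum']; // constructed placeholder data
const OPERATIONS = {
  list: () => ITEMS,
  count: () => ITEMS.length,
};

function hardenedItemsHandler(req, res) {
  const { cmd } = req.query;
  // hasOwnProperty so names like "__proto__" or "constructor" do not resolve.
  if (typeof cmd !== 'string' || !Object.prototype.hasOwnProperty.call(OPERATIONS, cmd)) {
    return res.status(400).json({ message: 'unknown operation' });
  }
  return res.status(200).json({ result: OPERATIONS[cmd]() });
}

// Minimal stand-ins for Express req/res so the handlers can be exercised offline.
function makeReq(query) {
  return { query };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  res.send = (text) => { res.body = text; return res; };
  return res;
}
function run(handler, query) {
  const res = makeRes();
  handler(makeReq(query), res);
  return res;
}

// Shape of the attacker's value for cmd (never evaluated here, only used to show the fix rejects it).
const RCE_CMD = "require('child_process').exec('id')";

// Usage: a harmless expression shows the vulnerable sink evaluating input; the hardened
// handler rejects the RCE payload and only answers for known operation names.
console.log(run(vulnerableItemsHandler, { cmd: '[1,2,3].length' }).body);
console.log(run(hardenedItemsHandler, { cmd: RCE_CMD }).statusCode);
console.log(run(hardenedItemsHandler, { cmd: 'count' }).body);
```

Two things follow for defenders: never route user input into `eval`, `new Function` or `vm.runInThisContext`, and never return `err.stack` to the client, because the stack trace is what told us which sink to attack.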

## Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McBxeYNXcMWC6M7zR4V%2Fimage.png?alt=media\&token=7683f39b-1155-47f7-9df5-b73494b5bbf8)

Let's use this payload, but with our own reverse shell. Make sure to start a listener on your machine first.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC5zDJ5lJ18N9BPSd2%2Fimage.png?alt=media\&token=88ed60d2-459c-43f5-9bd6-a21097d573b0)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC5ck3KRVmGrWoePET%2Fimage.png?alt=media\&token=1b097454-92a9-4f81-a941-9daceaaa77fa)

Once you hit Send, you should get this response and a connection back on your listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC6DlF7DoTUjQRr_fG%2Fimage.png?alt=media\&token=f6e35c19-f4b0-414c-9dff-a0ee96899bb2)

We can stabilize the shell and read the `user.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC6x9shTX2lR2JLpZ9%2Fimage.png?alt=media\&token=a5ea87b7-3694-48df-b5a6-7910c3793b3b)

## Privilege Escalation

Looking in the user's home directory, we see a `.firefox` directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC79NVR1w6EioXpd5m%2Fimage.png?alt=media\&token=c7d997c4-7150-42e0-a576-cf421dd67383)

Let's see what the directory contains.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McC7HoL6WRkaDXpnZzH%2Fimage.png?alt=media\&token=345bc81e-0f97-45e9-8339-7d458a71b898)

Searching on Google, I found [firefox\_decrypt](https://github.com/unode/firefox_decrypt.git). Let's clone it and then copy the `.firefox` directory to our machine.

Let's first start a netcat listener on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCCHi7pbUdqSNobqdx%2Fimage.png?alt=media\&token=d6df34f9-3af3-42e5-8627-d0405cd98fd8)

Then let's send the directory from the victim machine using netcat.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCCB8J36aV7RfvRBsY%2Fimage.png?alt=media\&token=5b9f1ac7-7bf9-4f56-9bfa-244a21d540c7)

We should now see a connection, and the `.firefox` directory should be present on our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCCRfLmc38VejXO6A2%2Fimage.png?alt=media\&token=94d9aa49-d7b3-4069-b683-7cbf3646f696)

Now let's run the firefox\_decrypt script we cloned from GitHub against that profile directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCCl33Uu37-l_HnlNs%2Fimage.png?alt=media\&token=f75470a0-9f28-40a2-8993-828ec12c3956)

We get a username and a password. Let's switch user to `v0id`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCD6E4vUWrKs7C3HJH%2Fimage.png?alt=media\&token=0f24518a-983b-44fd-b51a-f2d5a3dc054e)

Let's now look for SUID binaries that we could exploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCDPT195p_br7k_C7i%2Fimage.png?alt=media\&token=b7a83aa8-08ba-463e-8aa7-679f1d09267b)

Let's look at what `doas` is.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCDf5Wj0zYNLVP11BB%2Fimage.png?alt=media\&token=6471a492-60d1-46e5-a115-b8747f5abba9)

So we can execute commands as other users. Let's read the `root.txt` file with this command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCE3lxKNdJINMo_ilT%2Fimage.png?alt=media\&token=bec38eb2-dfb4-4828-b046-c55068d28386)

We can also use it to switch to a root shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McBt-TBnvln9GK-9HQ0%2F-McCEFBbWVT1p5gRz7A3%2Fimage.png?alt=media\&token=87830bc5-3f05-4935-9fab-bd9ad5b48275)
