# GLITCH

![](/files/-McBmCdTY93AdwiOxM3V)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so the scan does not stop if ping is blocked:

```
nmap -Pn 10.10.81.21
```

![](/files/-McBmsewS-QmeLCdemhV)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: run the default nmap scripts
* **-p 80**: scan only port 80
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 80 -oN nmap 10.10.81.21
```

![](/files/-McBn1A0_ogY7jDujS9R)

## Enumeration

Let's visit the site.

![](/files/-McBn7q71OS6cQFFsRfQ)

There is nothing on the page, so let's look at the source code.

![](/files/-McBnFBAnZo5RoMvpoJS)

We can see that there is a `getAccess()` function, but it is never called. Let's open the developer tools (`Ctrl + i`), go to the console and call the function ourselves by typing this:

```
getAccess()
```

![](/files/-McBnueqkjTYSlZRjrZY)

We get back a base64 string, so let's decode it.

![](/files/-McBo5UYgci0uavdDumF)

Looking at the first question, this is a token, so let's look at the tokens the site stores (located in the Storage tab of the developer tools).

![](/files/-McBoI-iKde45BMetpiU)

Let's replace the current value of the token with the one we just decoded.

![](/files/-McBomTcxidhvI_wywi4)

Now refresh the page

![](/files/-McBora4XdPRYqlzvuwV)

We have another page. Let's look at its source code.

![](/files/-McBpNHExIvKgJosRw3I)

There is a `script.js` file referenced at the end, so let's check it out.

![](/files/-McBp_PZWTTkk5nK1vaO)

Looking through the script, there is an `/api/items` endpoint that is being fetched, so let's go check it out.

![](/files/-McBqV-tTyuXQb4adErg)

![](/files/-McBqR8QvpWeAPRYSjT3)

There seems to be nothing interesting. Here I was stuck, so I looked at the hint TryHackMe gave us.

![](/files/-McBqvoUqbYjaWdsLn8i)

So now let's catch the request with Burp Suite and send it to Repeater.

![](/files/-McBs03J6niVJ5S3wRJK)

It looks like the request uses the `GET` method, so let's change it to `POST`.

![](/files/-McBs8fjMN0VmZvwFVPP)

We find something interesting: the items endpoint accepts a POST request too, but it will only process data if we supply the right parameter. To find it, let's fuzz the parameter name with ffuf.

```
ffuf -w /usr/share/wordlists/dirb/common.txt -X POST -u http://10.10.81.21/api/items?FUZZ=test -fs 45 -mc all
```

![](/files/-McBvRXnEfPo37FJULrZ)

It looks like `cmd` is the parameter. Let's send a POST request to this endpoint using the `cmd` parameter.

![](/files/-McBw-pMokeezFS-V44A)

Looking at the error output, we can see `eval`. I went searching on Google and found this [article](https://medium.com/@sebnemK/node-js-rce-and-a-simple-reverse-shell-ctf-1b2de51c1a44) that gives a breakdown of how the `eval` function can be exploited to gain RCE on the machine.

## Exploitation

![](/files/-McBxeYNXcMWC6M7zR4V)

Let's use this, but with our own reverse shell. Make sure to start a listener for the reverse shell first.

![](/files/-McC5zDJ5lJ18N9BPSd2)

![](/files/-McC5ck3KRVmGrWoePET)

Once you send the request, you should get this response and a reverse shell.

![](/files/-McC6DlF7DoTUjQRr_fG)

We can stabilize the shell and read the `user.txt` file.

![](/files/-McC6x9shTX2lR2JLpZ9)

## Privilege Escalation

Looking in the home directory of the user, we see a `.firefox` directory.

![](/files/-McC79NVR1w6EioXpd5m)

Let's see what it contains.

![](/files/-McC7HoL6WRkaDXpnZzH)

Looking on Google, I found [firefox_decrypt](https://github.com/unode/firefox_decrypt.git). Let's clone it and then copy the `.firefox` directory to our machine.

Let's first start a netcat listener.

![](/files/-McCCHi7pbUdqSNobqdx)

Then let's send the folder using netcat from the victim machine.

![](/files/-McCCB8J36aV7RfvRBsY)

Now we should get a connection, and the `.firefox` directory should appear on our machine.

![](/files/-McCCRfLmc38VejXO6A2)

Now let's run the Python script we cloned from GitHub against the directory.

![](/files/-McCCl33Uu37-l_HnlNs)

We got a username and a password, so let's switch users to v0id.

![](/files/-McCD6E4vUWrKs7C3HJH)

Let's now look at the SUID binaries that we can exploit.

![](/files/-McCDPT195p_br7k_C7i)

Let's look at what `doas` is.

![](/files/-McCDf5Wj0zYNLVP11BB)

So we can execute commands as other users. Let's read the `root.txt` file with this command.

![](/files/-McCE3lxKNdJINMo_ilT)

We can also switch users to root.

![](/files/-McCEFBbWVT1p5gRz7A3)

