VulNet: Node
Scanning
Lets run nmap scan to find open ports and services
Enumeration
Lets visit the website on port 8080.
We have a Node.js webpage, we have some usernames
Tilo Mitra, Eric Ferraioulo, Reid Burke and Andrew Wooldridge
Lets look for hidden directories using gobuster
Lets look at the login page
We have a login form, but we do not have credentials. Lets try to submit random credentials and see what happens when we do with burpsuite.
Lets capture the request
Ok, so it looks like we have a session cookie even though we did not login yet, this is interesting. Lets send this request to the Repeater tab and test different requests with the cookie we have.
First lets decode the cookie as it looks encoded with base64
.
So the username is guest and the isGuest
value is set to true. I tried changing the username to admin and logging in , but it did not work, so lets see what the server will show us when there is an error in the request.
Exploitation
It looks like the web application is trying to unserialize the session cookie but it is showing an error. Lets look for exploit on this. And I found a blog that talks about this and shows us how to exploit this.
Reading the blog what we find the exploit that we will use.
So by passing the ND_FUNC
into the statement , it will lead to code execution on the web app. So lets try to get a shell on the box, lets create a reverse shell file on our machine so that the server can curl the it and give us a reverse shell.
Next we have to change the payload a little so that it will give us a reverse shell.
Next we have to start a http server on our machine and a netcat listener.
Lets encode the payload with base64 and then lets replace the current cookie value with our payload.
Now lets replace it and send the request
The file should get downloaded
And we should have a reverse shell
Privilege Escalation
Lets run the sudo -l
command to see what we can run with sudo.
Lets look on GTFOBins to find the commands to switch users to serv-manage.
Lets run these commands.
We are now serv-manage
. We can read the user flag.
Lets run sudo -l
again.
Looks like we can edit a system service called vulnnet-auto.timer
. Lets look at this file
Looks like it is executing a systemctl service
called vulnnet-job.service
. Lets see if we can modify this file and see what it contains.
We can write to the file. Lets modify the command and replace it with a reverse shell that we used before so that we can get a shell as root.
Lets start a netcat listener and the http server if you stopped it.
Lets now run the stop and start the service to get a shell.
We are now root. We can read the root flag.
Last updated