OSCP PREPARATIONS – HTB Node

Node is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services on the target machine.
Classic Scan

Full port scan

The port scan shows two open ports: 22/tcp ssh (OpenSSH 7.2p2) and 3000/tcp (fingerprinted as hadoop-tasktracker, Apache).
Since the SSH port offers nothing to exploit, let's enumerate port 3000.

Looking at the page in the browser's developer tools, we found /api/admin/backup.

When we browse to this endpoint:

Nothing useful is found there, so we keep searching the developer tools for API calls and come across the /api/users/ endpoint.

This returns the users' hashed passwords.

We crack these hashes at https://crackstation.net/ and note the results:
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake
rastating: 5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0

The web interface has a login page; after logging in with the credentials of myP14ceAdm1nAcc0uNT we can see the backup file.

After downloading the backup file, viewing it with cat showed a very large base64-encoded blob.

Decoding this output and running file on the result showed a zip archive. Extracting it prompted for a password, which we did not have, so the files could not be extracted.
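The identification step above, as an added Python example that is not from the original post: it decodes the base64 dump in memory, checks for the ZIP magic, lists the entries and reads the general-purpose flag to tell whether they are password-protected. The archive bytes are constructed inside the block (the entry name and content are placeholders), since zipfile cannot write encrypted archives.

```python
import base64
import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Constructed test archive with one stored entry; the encrypted flag
    (general-purpose bit 0) is set by hand, no real encryption is applied."""
    flags = 0x1 if encrypted else 0x0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = (b"\x00" * 12 + data) if encrypted else data  # encrypted entries carry a 12-byte prefix
    local = struct.pack("<4sHHHHHIIIHH", ZIP_MAGIC, 20, flags, 0, 0, 33,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 33,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def identify_backup(b64_text: str) -> dict:
    """Decode a base64 dump (line breaks tolerated) and report what it contains."""
    raw = base64.b64decode(b64_text)
    report = {"kind": "unknown", "size": len(raw), "entries": [], "encrypted": False}
    if not raw.startswith(ZIP_MAGIC):
        return report
    report["kind"] = "zip"
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for zi in zf.infolist():
            report["entries"].append(zi.filename)
            if zi.flag_bits & 0x1:        # bit 0: entry is encrypted
                report["encrypted"] = True
    return report

def extract_entry(b64_text, name):
    """Return an entry's bytes, or None when the archive demands a password we lack."""
    with zipfile.ZipFile(io.BytesIO(base64.b64decode(b64_text))) as zf:
        try:
            return zf.read(name)
        except RuntimeError:              # zipfile's "password required" signal
            return None

# Constructed samples, base64-wrapped at 76 columns like a cat'ed dump would be.
PLAIN_B64 = base64.encodebytes(build_zip(b"app.js", b"// placeholder\n", False)).decode()
LOCKED_B64 = base64.encodebytes(build_zip(b"app.js", b"// placeholder\n", True)).decode()
NOT_ZIP_B64 = base64.b64encode(b"just text").decode()

if __name__ == "__main__":
    for label, blob in ("plain", PLAIN_B64), ("locked", LOCKED_B64), ("text", NOT_ZIP_B64):
        print(label, identify_backup(blob))
```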

Let's try to crack the zip password with John the Ripper.

This gives us the zip password: magicword.

Inside the archive, app.js contains credentials:

const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';

Let's try this password over SSH as user mark.

This gives us a shell as mark.
The privileges of this shell are limited, so we move on to local enumeration.

Port 27017 is listening; looking up which service uses this port by default, we see it is MongoDB.
Let's look at the processes running as user tom.

We see two processes belonging to tom.
Let's look at the app.js files they run.

Now let's connect to the scheduler database in MongoDB.

We enumerate the database and find the tasks collection. It is empty, but the scheduler processes whatever it contains on a schedule, so we insert a command that gives us a shell.

1. Listed the database names.
2. Listed the collections (tables).
3. Read the contents of the tasks collection.
4. Inserted our shell command.

After running these commands we get a shell as tom.
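Why an empty-looking tasks collection is dangerous, as an added Python example (the box's real scheduler is Node.js and is not shown on the page; the assumption here is that it hands each document's cmd field to a shell). unsafe_plan returns exactly what such a scheduler would run, safe_plan resolves a job name against a fixed allow-list so the database never supplies an argv, and audit_tasks flags documents that look injected. The task documents are constructed for the example.

```python
import re

# Allow-list: the database may only *name* a job; the argv lives in code.
ALLOWED_JOBS = {
    "cleanup": ["/usr/local/bin/cleanup", "--days", "7"],
    "rotate-logs": ["/usr/sbin/logrotate", "/etc/logrotate.conf"],
}

# Heuristic for text that only makes sense if a shell will interpret it.
SUSPICIOUS = re.compile(r"[;&|`<>]|\$\(|/dev/tcp|\bnc\b|\bbash -i\b")

# Constructed sample of a tasks collection: a legitimate job and an injected one.
TASKS = [
    {"_id": 1, "job": "cleanup", "cmd": "/usr/local/bin/cleanup --days 7"},
    {"_id": 2, "cmd": "/bin/sh -c 'id; cat /etc/passwd > /tmp/out'"},
]

def unsafe_plan(doc):
    """The risky pattern: hand the stored string to a shell exactly as stored."""
    return ["/bin/sh", "-c", doc["cmd"]]

def safe_plan(doc, allowed=ALLOWED_JOBS):
    """Hardened: resolve a job name against the allow-list; unknown names run nothing."""
    argv = allowed.get(doc.get("job"))
    return list(argv) if argv else None

def audit_tasks(docs, allowed=ALLOWED_JOBS):
    """Return (id, reasons) for documents that look injected or bypass the allow-list."""
    findings = []
    for doc in docs:
        reasons = []
        if SUSPICIOUS.search(doc.get("cmd", "")):
            reasons.append("shell metacharacters or redirection in cmd")
        if doc.get("job") not in allowed:
            reasons.append("no allow-listed job name")
        if reasons:
            findings.append((doc["_id"], reasons))
    return findings

if __name__ == "__main__":
    for doc in TASKS:
        print(doc["_id"], "would run:", unsafe_plan(doc), "| hardened:", safe_plan(doc))
    print("audit:", audit_tasks(TASKS))
```

Running audit_tasks periodically against the live collection (or on a change stream) turns the scheduler's blind spot into an alert before the next tick executes the document.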

We now have the user flag, but still no root privileges.

We continue local enumeration to find a path to root.
We run LinEnum.sh with tom's privileges.

We noticed something interesting in the group membership.
Which files could we use here? We list the setuid binaries with:
find / -perm /4000 2> /dev/null

The /usr/local/bin/backup file stands out; let's look at it.

An interesting binary: setuid root and executable by the admin group 🙂
I realized how to exploit this file.
I continued with local enumeration and searched for other options.
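The setuid review above, as an added Python example that is not part of the post: it parses ls -l style lines (a constructed listing modelled on the find / -perm /4000 result) and flags setuid-root binaries that are reachable only through a non-root group, as /usr/local/bin/backup is through admin, or that live outside package-managed directories or are world-writable. Sizes and dates in the sample are made up.

```python
# Package-managed locations; anything setuid outside them deserves a look.
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed ls -l listing modelled on the find / -perm /4000 result above.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root  54256 Mar 26  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup
-rwsr-xrwx 1 root root   8192 Sep  3  2017 /opt/helper
"""

def parse_ls_line(line):
    """Split one ls -l line into the fields the audit needs; None for non-file lines."""
    fields = line.split(None, 8)
    if len(fields) != 9 or not fields[0].startswith("-"):
        return None
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[8]
    return {"path": path, "mode": mode, "owner": owner, "group": group,
            "setuid": mode[3] in "sS"}

def audit_suid(listing):
    """Return (path, reasons) for setuid binaries worth a second look."""
    findings = []
    for line in listing.splitlines():
        f = parse_ls_line(line)
        if f is None or not f["setuid"]:
            continue
        mode, reasons = f["mode"], []
        # Group has exec but others do not: the binary is a root privilege held by that group.
        if f["owner"] == "root" and mode[6] == "x" and mode[9] != "x" and f["group"] != "root":
            reasons.append(f"runs as root only for members of group '{f['group']}'")
        if not f["path"].startswith(STANDARD_DIRS):
            reasons.append("lives outside package-managed directories")
        if mode[8] == "w":
            reasons.append("world-writable: anyone can replace the code that runs as root")
        if reasons:
            findings.append((f["path"], reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in audit_suid(SAMPLE_LISTING):
        print(path, "->", "; ".join(reasons))
```

On a real host, feed it the output of find / -perm /4000 -exec ls -l {} + and diff the findings against a baseline taken at build time.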
We checked the kernel version with uname -a

Let's see if this kernel version has a known weakness.

Searching with searchsploit, we came across a promising exploit.

We download this code and transfer it to the target machine.

We compile and run the code on the target machine.

As we can see, we have obtained the root flag.

Comments

  1. Pingback: OSCP Prep – HTB all Linux Machine – Muhammed AYGÜN

  2. Anderson

    Hi my loved one! I want to say that this article is awesome, nicely written and
    includes approximately all significant info. I’d like to see
    extra posts like this.

  3. Travin

    Greetings from Los Angeles! I’m bored to tears at work so I decided to browse your blog on my iPhone
    during lunch break. I enjoy the knowledge you present here and can’t wait to take a look
    when I get home. I’m shocked at how fast your blog loaded on my cell
    phone .. I’m not even using WIFI, just 3G ..
    Anyhow, good site!

  4. Krystale

    Yesterday, while I was at work, my cousin stole my iPad and tested to see if it can survive a twenty five
    foot drop, just so she can be a youtube sensation. My apple ipad is now broken and
    she has 83 views. I know this is completely off topic but
    I had to share it with someone!

  5. Ike

    I’ve learn some just right stuff here. Certainly price bookmarking for revisiting.
    I surprise how much attempt you set to create the sort of fantastic informative web site.

  6. Jaryd

    When someone writes a post he/she keeps the plan of a user in his/her brain that how a user can be aware of it.

    Thus that’s why this post is outstanding. Thanks!

  7. Avalon

    My coder is trying to convince me to move to .net from
    PHP. I have always disliked the idea because of the expenses.

    But he’s trying none the less. I’ve been using Movable-type
    on a variety of websites for about a year and am
    concerned about switching to another platform. I have heard
    good things about blogengine.net. Is there a way I can transfer all my wordpress content into it?
    Any help would be greatly appreciated!

  8. Anas

    Today, I went to the beach front with my children. I found a
    sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She placed the shell to her ear and screamed.
    There was a hermit crab inside and it pinched her ear.
    She never wants to go back! LoL I know this is totally off topic but I had to tell someone!

  9. Demian

    Fantastic beat ! I wish to apprentice at the same time as you amend your website, how can i subscribe for a weblog website?
    The account helped me a acceptable deal. I had been tiny bit familiar of this your
    broadcast provided brilliant transparent idea

  10. Fareed

    I loved as much as you’ll receive carried out
    right here. The sketch is attractive, your authored material stylish.
    nonetheless, you command get bought an edginess over that you wish
    be delivering the following. unwell unquestionably come more formerly again as exactly the same nearly very often inside case
    you shield this increase.

  11. Laguan

    Hey very cool website!! Man .. Beautiful .. Wonderful ..
    I will bookmark your website and take the feeds also?
    I’m happy to find numerous helpful information here in the post, we need work out more strategies in this regard, thank you for sharing.
    . . . . .

  12. Ife

    I am extremely impressed along with your writing skills and also with
    the format for your weblog. Is that this a paid theme or
    did you customize it yourself? Anyway stay up the nice high quality writing,
    it is uncommon to peer a nice blog like this one these days..

  13. dobry sklep

    Wow, marvelous weblog structure! How lengthy have you been running
    a blog for? you make blogging glance easy.
    The full glance of your web site is fantastic, let alone the content!
    You can see similar here ecommerce

  14. dobry sklep

    I know this if off topic but I’m looking into starting my
    own blog and was wondering what all is needed to get
    setup? I’m assuming having a blog like yours would cost a
    pretty penny? I’m not very web savvy so I’m not 100% sure.
    Any tips or advice would be greatly appreciated. Many thanks I saw similar here: Sklep internetowy

  15. ecommerce

    Hey there! Do you know if they make any plugins to assist with SEO?
    I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good results.

    If you know of any please share. Kudos! You can read
    similar art here: Dobry sklep

  16. ecommerce

    Hello there! Do you know if they make any plugins to help with SEO?

    I’m trying to get my blog to rank for some targeted keywords but I’m
    not seeing very good results. If you know of any please share.
    Cheers! You can read similar article here: Dobry sklep

  17. Rastrear Celular

    It is very difficult to read other people’s e-mails on a computer without knowing the password. But even though Gmail has high security, people know how to secretly break into a Gmail account. We will share some articles about cracking Gmail, hacking any Gmail account secretly without knowing a word.

  18. tlovertonet

    Thanks for some other great article. The place else may anyone get that type of information in such an ideal approach of writing? I’ve a presentation next week, and I am at the search for such info.

  19. uWeed Schweiz

    I am typically to running a blog and i actually recognize your content. The article has really peaks my interest. I am going to bookmark your website and hold checking for new information.
