OSCP PREPARATIONS – HTB Node

Node is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target.
Classic Scan

Full port scan

The scan shows two open ports: 22/tcp (OpenSSH 7.2p2) and 3000/tcp, which nmap fingerprints as hadoop-tasktracker / Apache. That fingerprint is only a guess; port 3000 actually serves an HTTP application.
Since the SSH service gives us nothing to attack directly, we enumerate port 3000.

Browsing the site with the browser's developer tools open, we found the API endpoint /api/admin/backup.

When we request this endpoint directly

it returns nothing useful. Continuing to look through the API calls in the developer tools,
we came across the /api/users/ endpoint.

This endpoint returns every user together with their password hash.

We crack these hashes (64 hex characters each, consistent with unsalted SHA-256) and note the results.
We crack them at https://crackstation.net/. Three of the four are recovered; rastating's hash is not found.
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake
rastating:5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0 (not cracked)
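The same step done offline, as an added example that is not part of the original write-up: parse the /api/users response, guess the hash algorithm from the digest length, and look the hashes up in a wordlist. The JSON below is a constructed stand-in for the real response (the field names _id/username/password/is_admin are an assumption); three hashes are computed from the passwords recovered above so the script runs without the target, and the fourth is the uncracked rastating hash quoted above. The wordlist is a constructed stand-in for rockyou.txt.

```python
"""Crack the unsalted SHA-256 hashes returned by /api/users against a wordlist.

Added example, not code from the original write-up. The sample response and
the wordlist are constructed so the script runs offline.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample response in the shape the endpoint returns
# (field names are an assumption; the hashes are generated from the
# passwords the write-up recovered, plus the real uncracked rastating hash).
_SAMPLE_USERS = [
    {"_id": "1", "username": "myP14ceAdm1nAcc0uNT",
     "password": hashlib.sha256(b"manchester").hexdigest(), "is_admin": True},
    {"_id": "2", "username": "tom",
     "password": hashlib.sha256(b"spongebob").hexdigest(), "is_admin": False},
    {"_id": "3", "username": "mark",
     "password": hashlib.sha256(b"snowflake").hexdigest(), "is_admin": False},
    {"_id": "4", "username": "rastating",
     "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
     "is_admin": False},
]
SAMPLE_RESPONSE = json.dumps(_SAMPLE_USERS)

# Tiny constructed wordlist; in practice iterate over rockyou.txt line by line.
WORDLIST = ["password", "123456", "manchester", "spongebob", "snowflake", "letmein"]

# Hex digest length -> hashlib algorithm name for common unsalted hashes.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_algorithm(hex_hash: str) -> Optional[str]:
    """Guess an unsalted algorithm from the digest length (a heuristic only)."""
    h = hex_hash.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return _HEX_LEN_TO_ALGO.get(len(h))


def crack_users(response_json: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {username: password} for every hash that appears in the wordlist.

    The wordlist is hashed once per algorithm and each digest is looked up in
    a dict of target hashes, so the cost is O(words), not O(users * words).
    Users whose hash is not in the wordlist are simply absent from the result.
    """
    users = json.loads(response_json)
    by_algo: Dict[str, Dict[str, List[str]]] = {}
    for u in users:
        algo = guess_algorithm(u["password"])
        if algo:  # skip anything that does not look like a bare hex digest
            by_algo.setdefault(algo, {}).setdefault(u["password"].lower(), []).append(u["username"])
    cracked: Dict[str, str] = {}
    for algo, targets in by_algo.items():
        for word in wordlist:
            digest = hashlib.new(algo, word.encode()).hexdigest()
            for name in targets.get(digest, ()):  # two users may share a hash
                cracked[name] = word
    return cracked


if __name__ == "__main__":
    found = crack_users(SAMPLE_RESPONSE, WORDLIST)
    for u in json.loads(SAMPLE_RESPONSE):
        print(f"{u['username']}:{found.get(u['username'], '<not cracked>')}")
```

Because the hashes are unsalted, every user with the same password shares the same digest, which is also why a precomputed lookup service like CrackStation works on them at all.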

The interface has a login page. Logging in with the credentials of myP14ceAdm1nAcc0uNT (manchester) gives us the admin view, where the backup file can be downloaded.

After downloading the backup file, running cat on it shows a very large base64-encoded blob.

Decoding this output and running file on the result shows that it is a zip archive. Extracting it prompts for a password, which we do not have, so the extraction fails.

Let's try to crack the zip password with John the Ripper (zip2john to extract a crackable hash from the archive, then john with a wordlist).

John recovers the zip password: magicword.
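The decode, identify and crack steps above, as an added example that is not code from the original write-up: base64-decode the downloaded blob, identify it by its magic bytes instead of trusting the extension, check the zip's general-purpose flag for the encryption bit, and only then try candidate passwords. The backup blob here is constructed in memory (an unencrypted zip holding a stand-in app.js) so the script runs offline; point decode_backup at the real file's contents to reproduce the step. The candidate list is a constructed stand-in for a wordlist.

```python
"""Decode a base64 backup, identify it, and try passwords on a ZipCrypto zip.

Added example, not from the original write-up. SAMPLE_BACKUP_B64 is
constructed here; a real run would read the downloaded backup file.
"""
import base64
import io
import zipfile
import zlib
from typing import Iterable, Optional, Tuple

# A few magic numbers, enough to replace file(1) for the common cases.
MAGICS = [
    (b"PK\x03\x04", "zip archive"),
    (b"\x1f\x8b", "gzip data"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
]


def decode_backup(text: str) -> bytes:
    """base64-decode a blob, tolerating the newlines that cat/copy-paste add."""
    return base64.b64decode("".join(text.split()), validate=True)


def identify(data: bytes) -> str:
    """Match the leading bytes against MAGICS; 'unknown' if nothing matches."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def zip_needs_password(data: bytes) -> bool:
    """True if any entry has bit 0 (encryption) set in its general-purpose flags."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def crack_zip(data: bytes, candidates: Iterable[str]) -> Tuple[bool, Optional[str]]:
    """Return (encrypted, password).

    password is None when the archive is not encrypted or no candidate worked.
    Relies on zipfile's legacy ZipCrypto support (what zip2john/john attack
    for these archives); WinZip AES entries are not handled here.
    """
    if not zip_needs_password(data):
        return (False, None)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Test against the smallest encrypted entry to keep each attempt cheap.
        target = min((i for i in zf.infolist() if i.flag_bits & 0x1),
                     key=lambda i: i.file_size)
        for pw in candidates:
            try:
                zf.read(target.filename, pwd=pw.encode())
                return (True, pw)
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                # RuntimeError is zipfile's "Bad password"; the other two cover
                # the 1-in-256 case where the check byte matches by accident.
                continue
    return (True, None)


def _build_sample_backup() -> str:
    """Constructed stand-in for the downloaded backup: base64 of a small zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("var/www/myplace/app.js",
                    "const url = 'mongodb://user:pass@localhost:27017/db';\n")
    return base64.b64encode(buf.getvalue()).decode()


SAMPLE_BACKUP_B64 = _build_sample_backup()

if __name__ == "__main__":
    raw = decode_backup(SAMPLE_BACKUP_B64)
    print(identify(raw))
    print(crack_zip(raw, ["123456", "magicword"]))
```

Checking the encryption flag first matters in practice: an unencrypted entry "opens" with any password, so a cracker that skips that check reports the first candidate as a hit.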

In the extracted app.js we find database credentials:

const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';

Let's try this password over SSH as user mark.

The password is reused, and we get a shell as mark.
Mark's privileges are limited, so we move on to local enumeration.

Port 27017 is listening locally; by default that port belongs to MongoDB.
Let's look at the processes run by user tom.

Here we see two processes belonging to tom.
Let's look at the app.js files these processes are running.

Let's connect to the scheduler database in MongoDB.

Enumerating the database, we found a single collection, tasks, which is empty. The scheduler process runs whatever commands are stored in this collection on a schedule, so we insert a document containing a command that gives us a shell.

1. List the database names (show dbs).
2. List the collections in scheduler (show collections).
3. Read the contents of the tasks collection (db.tasks.find()).
4. Insert a document into tasks whose command field (the field name is read from the scheduler's app.js) holds a reverse shell pointing at our listener.

After the scheduler picks up the task, we get a shell as user tom.

Here we read the user flag, but we still do not have root.

To get root we continue with local enumeration.
We run LinEnum.sh with tom's privileges.

LinEnum's output draws attention to the groups tom belongs to.
Which files can we use with these group memberships? We look for SUID binaries:
find / -perm /4000 2> /dev/null

/usr/local/bin/backup stands out, so let's take a closer look at it.

An interesting binary: SUID root and executable by the admin group 🙂
I realized how to exploit this file.
I continued with local enumeration and looked for other paths as well.
We checked the kernel version with uname -a

Let's see if there is a known weakness in this kernel version.

Searchsploit turns up a promising exploit for it.

Let's download this code and transfer it to the target machine.

Let's compile and run it on the target (kernel exploits can leave the machine unstable, so keep the SUID backup binary in mind as the alternative route).

As we can see, we obtained a root shell and the root flag.