Node is a vulnerable Linux machine among the retired machines. The goal is to obtain the user and root flags by using its vulnerabilities.
We perform a network scan with nmap to get to know the target machine.
Classic Scan
Full port scan
The port scan shows that 22/tcp (ssh, OpenSSH 7.2p2) and 3000/tcp (hadoop-tasktracker, Apache) are open.
As there is no vulnerability on the ssh port, let's enumerate port 3000.
Looking here in developer mode, we found /api/admin/backup.
When I go to this directory
No useful information was found. We continue searching for api in developer mode.
We encountered the /api/users/ directory.
Here we obtained hashed passwords.
We crack these hashes and note the results down.
We crack them at https://crackstation.net/
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake
rastating: 5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0
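The /api/users/ finding above combines two weaknesses: the API returns password hashes, and the hashes fall to a lookup service. The following is an added example, not code from the original write-up or from the target application; it assumes the leaked values are unsalted SHA-256 digests (the 64-hex-character value above is consistent with that, but the page does not say), and the field names and sample users are constructed.

```javascript
const crypto = require('crypto');

// Weak (assumed scheme): fast, unsalted digest. Equal passwords give equal
// hashes, so a precomputed lookup table recovers common ones instantly.
function weakHash(password) {
  return crypto.createHash('sha256').update(password).digest('hex');
}

// Hardened: per-user random salt plus a memory-hard KDF (scrypt).
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [scheme, saltHex, keyHex] = String(stored).split('$');
  if (scheme !== 'scrypt' || !saltHex || !keyHex) return false;
  const salt = Buffer.from(saltHex, 'hex');
  const expected = Buffer.from(keyHex, 'hex');
  if (salt.length !== 16 || expected.length !== 32) return false; // malformed record
  const actual = crypto.scryptSync(password, salt, 32);
  return crypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Allow-list serializer: only fields named here ever leave the API, so the
// password hash and admin flag are never part of a response.
const PUBLIC_FIELDS = ['username'];
function toPublicUser(doc) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(doc, field)) out[field] = doc[field];
  }
  return out;
}

// Constructed sample records: two users who chose the same password.
const sampleUsers = ['alice', 'bob'].map((username) => ({
  username,
  password: hashPassword('constructed-example-pw'),
  is_admin: username === 'alice',
}));
```

With the salted scheme the two sample users get different stored values for the same password, which is what defeats a precomputed lookup.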
We saw the login section in the interface. When we logged in with the credentials of the user myP14ceAdm1nAcc0uNT, we saw the backup file.
After downloading the backup file, viewing it with cat revealed a very large base64-encoded output.
When we decoded this output and identified the file type, we saw that it was a zip file. Extracting this zip file asked us for a password, and we could not extract the files because we did not have one.
Let's try to crack this zip file with the John tool
This is how we cracked the password of the zip file: magicword
We detected credential information in the app.js file
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
Let’s ssh to user mark
This is how we got a shell connection.
In this shell connection our privileges were limited, so we perform local enumeration.
Port 27017 is in use; when we looked at which service uses this port by default, we saw that it is MongoDB.
Let's look at the processes that user tom is running here
Here we see 2 processes belonging to tom.
Let's look at the app.js files they use
Here, let's connect to scheduler on MongoDB
We enumerated the database and found the table. The table was empty, and its contents were run on a schedule, so we added a command that would give us a shell.
1. We viewed the database name
2. We ran show tables and saw the table
3. We read the contents of the task table
4. We added the shell command
After using these commands, we obtained a shell as the user tom.
Here we obtained the user flag, but we still do not have root privileges.
We perform local enumeration to get root privileges.
We run the linenum.sh file with the tom user's privileges.
We noticed that something stood out here regarding the group.
What files can we use here? Let's use this command:
find / -perm /4000 2> /dev/null
The /usr/local/bin/backup file stands out, so let's look at it
An interesting file that has root authority and belongs to the admin group 🙂
I realized how to exploit this file.
I continued with local enumeration and searched for other options.
We checked the kernel version with uname -a
Let's see if there is a weakness in the kernel here
When we searched with Searchsploit, we came across a noteworthy piece of code
Let's download this code and transfer it to our target machine
Let’s compile and run this code on the target machine
As we can see, we have obtained the root flag.