Today we’re going to solve another CTF machine, “Node“. It is now a retired box and is accessible if you’re a VIP member.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.58
  • Difficulty: Hard

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna fingerprint the target to see what we have behind the IP address.

Nmap reveals a Node.js framework running on port 3000.

Enumeration

Let’s browse the URL http://10.10.10.58/login, where we see a login page which requires a username and password.

If you take a look at the source code of the page you’ll see several JavaScript files referenced at the bottom of the page.

Let’s take a look at these files.

There’s an interesting JavaScript file which contains important information for us: http://10.10.10.58:3000/assets/js/app/controllers/profile.js. It reveals a path, “/api/users“.

Let’s identify the hash first.

Now that we know it’s SHA-256, let’s crack it.

Online Cracking

Offline Cracking

Let’s intercept the response and download our backup file, which we found through the JavaScript paths.

Looks like we found a file which is Base64-encoded; let’s decode it.

The zip file asks for a password; let’s crack it using fcrackzip or zipcracker-ng.

Let’s explore the decompressed files from backup.zip. We found credentials inside the app.js file.

Admins sometimes re-use passwords, and we have another port open, SSH, so let’s try our luck.

Privilege Escalation

As part of the standard enumeration phase, it’s worth checking all running processes. If we take a look, user tom is running our myplace application as well as another application called scheduler.


Let’s keep this aside for now and enumerate more. Let’s search for odd SUID files.


We have an odd file named backup, owned by root and assigned to the group admin.

If we check another user, tom, it is also a member of the group admin.

So, to access that file we need to be user tom or in group admin. Our previous finding shows we have a process running under tom.

Let’s take a look at /var/scheduler/app.js.

Now, let’s access the mongodb database; the scheduler executes any task placed within the tasks collection. Let’s create a reverse shell using msfvenom and execute it.

Let’s transfer our shell to the remote machine via SSH.

Now let’s log in to mongodb, execute the commands, and start the listener.

Or we can do this without spawning a reverse shell.

Now we can access the SUID backup file which we found.

We know it’s an executable file, but let’s check some strings first.

This is what we found: Base64 and a few commands.

Let’s extract that zip file.

The password can be found in the strings: magicword

This extracted a root.txt file, which contains a troll.

If we analyze the app.js file, it contains the syntax used to invoke the backup file.

Let’s locate backup_key.

We created a link from /root/root.txt -> /dev/shm/master/root.txt.

And we got root.