This box isn't too bad and was actually pretty educational. First we started off with an nmap scan, noticing only one open port, 3000. Using the -sV flag, nmap's service/version detection (banner grabbing) tells us what is running on the port: in this case it turned out to be Node.js serving a web application.
So we go to the URL and get some funny messages, which was a nice touch. What I eventually came to discover is that the Node.js app has a deserialization bug that is capable of remote code execution. Following a guide online we were able to exploit this vulnerability through the cookie parameter. I won't even try to explain the bug, as the link below explains it far better than I could: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Ensure that you set LHOST to your OpenVPN IP address and not 127.0.0.1, and ensure that you change the == at the end of the base64-encoded cookie to %3D%3D (URL-encoded) before sending it.
Now it's time for some privesc. The first thing we obviously want to do is search the user directories. Exploring /home we can see some interesting files, such as "output.txt", and in Documents you will find user.txt and also script.py. If you run "cat /var/log/syslog | grep output" you can see some interesting entries, such as the fact that root is running /home/Documents/script.py as root every 5 minutes and saving the output to output.txt.
There are definitely a bunch of different ways you can attack this part of the box, but I thought it would be simplest to just print out the root.txt file. In order to do this we must create a Python script that we can swap in for script.py so that it will run as root every 5 minutes. I spent some time on my Kali box making sure the script worked properly.
f = open('/root/root.txt', 'r')
message = f.read()
print(message)  # stdout is what the cron job captures into output.txt
That's all it takes... of course the box is going to be super annoying and not have nano or vim, which leaves us with vi. Not only vi, but a vi that doesn't work whatsoever because we aren't in an actual terminal. Of course there are ways around this, but let's take the lazy way and use echo: echo each line of the script, appending it to the script.py file. Once the 5 minute timer passes the script will be run and output.txt will be full of glory.