}==[n33dle]>----: July 2018

Time for another vulnhub machine.

This time I've gone for the Temple of Doom machine. You can grab it here:
https://www.vulnhub.com/entry/temple-of-doom-1,243/

--> MISSION

[+] A CTF created by https://twitter.com/0katz

[+] Difficulty: Easy/Intermediate

[+] Tested in VirtualBox

[+] Note: 2 ways to get root!

--> REC0N / ENUMERATION

The vm loads with an IP it's obtained from DHCP. So for today, my target is 192.168.52.102.

First I kick things off with an nmap scan across all tcp ports:

So two ports here ssh and doom on tcp/666. Nice!

I run nmap again to enumerate the services on these ports, as well as the OS.

nmap -n -v -sS -sV -O -p 22,666 -T4 192.168.52.102

Ok so I'm assuming doom is what we want to be looking at. Node.js. Hmmm, I'm not too familiar with what this is, looks like it's some sort of web server, given nmaps output above.

Let's see if there's anything interesting via the browser:

Let's see what we find with searchsploit

I also dig around a bit more on the web.

What is node.js

"Node.js is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside the browser"

Source: https://en.wikipedia.org/wiki/Node.js

More info: https://nodejs.org/en/

I did a bit more searching on exploit-db and came across this:

https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf

Which brings me to CVE-2017-5941:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5941

"An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)."

Now, a lot of this goes over my head, but reading Ajin Abraham's write-up. Essentially what we're doing here is exploiting JavaScript unserialize() function from a serialize() function. It's explained perfectly on page 3 of the PDF.

We want the serialize() function to perform a reverse shell. To do this, we need to generate shellcode. For this, I use Ajin's python script to generate it. (I could also probably use msfvenom).

You'll find the script here:

https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py

I generate a reverse shell on tcp/443.

I output the shellcode into a file and edit it further.

This needs to be wrapped inside IIFE brackets, which in JavaScript are "Immediately Invoked Function Expression". This is used to call the function.

To do this, I prefix the shellcode with {"rce":"_$$ND_FUNC$$_function (){ and close it with }()"}.

Now according to the exploit, the payload needs to be base64 encoded. I couldn't remember the shortcut in Burp, so I just output the base 64 encoded payload to another file: