This time I've gone
for the Temple of Doom machine. You can grab it here:
https://www.vulnhub.com/entry/temple-of-doom-1,243/
https://www.vulnhub.com/entry/temple-of-doom-1,243/
--> MISSION
[+] A CTF created by
https://twitter.com/0katz
[+] Difficulty:
Easy/Intermediate
[+] Tested in
VirtualBox
[+] Note: 2 ways to
get root!
--> REC0N / ENUMERATION
The vm loads with an IP it's obtained from DHCP. So for today, my target is 192.168.52.102.
First I kick things off with an nmap scan across all tcp ports:
So two ports here ssh and doom on tcp/666. Nice!
I run nmap again to enumerate the services on these ports, as well as the OS.
nmap -n -v -sS -sV -O -p 22,666 -T4 192.168.52.102
Ok so I'm assuming doom is what we want to be looking at. Node.js. Hmmm, I'm not too familiar with what this is, looks like it's some sort of web server, given nmaps output above.
Let's see if there's anything interesting via the browser:
Let's see what we find with searchsploit
I also dig around a bit more on the web.
What is node.js
"Node.js is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside the browser"
Source: https://en.wikipedia.org/wiki/Node.js
More info: https://nodejs.org/en/
I did a bit more searching on exploit-db and came across this:
https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf
Which brings me to CVE-2017-5941:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5941
"An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)."
Now, a lot of this goes over my head, but reading Ajin Abraham's write-up. Essentially what we're doing here is exploiting JavaScript unserialize() function from a serialize() function. It's explained perfectly on page 3 of the PDF.
We want the serialize() function to perform a reverse shell. To do this, we need to generate shellcode. For this, I use Ajin's python script to generate it. (I could also probably use msfvenom).
You'll find the script here:
https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
I generate a reverse shell on tcp/443.
I output the shellcode into a file and edit it further.
This needs to be wrapped inside IIFE brackets, which in JavaScript are "Immediately Invoked Function Expression". This is used to call the function.
To do this, I prefix the shellcode with {"rce":"_$$ND_FUNC$$_function (){ and close it with }()"}.
Now according to the exploit, the payload needs to be base64 encoded. I couldn't remember the shortcut in Burp, so I just output the base 64 encoded payload to another file:
Start my nc listener:
Fire up burp and capture the GET request:
I replace the the profile= with the base64 encoded JavaScript reverse shell:
Ha! Would you look at that:
--> TIME TO PE
Quick enum we are user 'nodeadmin' on Fedora 28 running Kernel 4.16.3-301.
Change over to a python tty shell:
Let's see what other users we have:
Can't get into the fireman's home drive…
Fireman doesn't seem to have any exciting permissions… but I'll keep looking:
Lastlog:
Fireman is running something:
Quick google, looks like ss-manager is "Shadowsocks" which is a multi-user and traffic control for node.js.
Ohhh this could be interesting…
So reading the libev command execution (https://www.exploit-db.com/exploits/43006/)
I should be able to execute arbitrary commands on udp/8839 locally. But it hangs my shell. So I'll see if I can nc back on another reverse shell:
And would you like at that. We're now fireman!I switch to the python tty shell, and what's interesting is my working directory is now /root, but I can't move!
I'm guessing fireman will have some sudo abilities
Now I remember back when I did my OSCP, there is a way to escalate with Tcpdump.
Quick google I find:
https://www.stevencampbell.info/2016/04/why-sudo-tcpdump-is-dangerous/
I try but get permission denied:
I forget I have to make the 'test' file executable, so I chmod it, and whala. It's executing as root:After a while and trying a few things, I finally work out to just do what I've done… create another reverse shell, this time, it'll execute as root!
Fire away:
BOOM!
The demon has been slayed!
And I found the most perfect reaction gif ever for this root!
--> n33dle
No comments:
Post a Comment