Node
Recon & Enumeration
ports open
22 -ssh
3000 -ppp
directory scan
/partials
/uploads
/assets
/vendor
There is a login page on the website. Neither default creds nor any password I know work. I tried NoSQL injection and failed. I intercepted the request in Burp and got to know the path "/api/session/authentication". I used the developer tools to check whether any API path is being called by the website, and I didn't find any API path, but I found a bunch of ".js" scripts loaded by the page by default. After looking a little, there is a "home.js" script which contains the path "/api/users/latest". NOTE :- we can also find all these scripts by viewing the page source
This page contains username, password (hash) and admin role. I tried the tom & mark users to log in and succeeded, but with no benefit because they don't have admin privileges; the page says :- "only admin users can access the control panel". Then in the URL path I removed "latest" and used "/api/users" to check what this directory contains, and I got 1 more user along with the other 3 users. After logging in as the admin user, I got a download option on the webpage for a backup file. I downloaded the file "myplace.backup".
myplace.backup
Let's see the file first
After reading a little, I guessed it's encoded in base64. Let's decode it
It's a zip file. Let's unzip it
It requires a password, which I don't have. Let's crack it
And we got a /var directory after unzipping
shell as mark
The /var/www/myplace/ directory contains a lot of files and directories as well.
/var/www/myplace/app.js
I got MongoDB creds in this file :-
They are MongoDB credentials, but worth trying over SSH, as sometimes a user uses the same password for different services as well. Username :- mark & password = 5AYRft73VtFpc84k, and I got in
privesc mark => tom
ps auxw
I got 2 processes running for user tom
/var/scheduler/app.js
As I already read the first file, I will read this one now. After reading the JS code I got to know that :-
it connects to MongoDB using mark's credentials
after connecting it searches for objects in the collection - task
if there is any object present in the collection it executes it using :- exec(doc.cmd);
before executing, it waits a time interval of 30000 milliseconds :- 30 seconds
after executing the command it deletes the object
exploitation
connect to the db
check the collection & whether any object is present in it
insert/create an object in collection and insert the reverse shell
NOTE :- while creating the JSON document (object), the key must be cmd, as this is the only parameter that the script /var/scheduler/app.js uses to execute, and the value is the reverse shell payload
Set up the listener; after 30 secs we got the reverse shell as tom
privesc tom => root
I skipped this because it includes a BOF (buffer overflow)