Hack The Box: Node Write-up (#11)

Reconnaissance

Let’s run a full TCP scan.

  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535

We get the back the following result:

  • Port 22: — Running OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
  • Port 3000: — Running Apache Hadoop

While I get initial access to this box, the UDP scan was still running. So I didn’t provide the result for this box.

Quick mental notes:

  1. Port 22, OpenSSH 7.2p2 do not have known vulnerability to get initial access to the box. So we don’t spend time to enumerate this service.
  2. Port 3000, Apache Hadoop which is accessible via the browser. Likely this will be our initial foothold to get access to this box. We need to enumerate as much as we can to find sensitive info.

Service Enumeration

Port 3000 (hadoop-datanode) Apache Hadoop

First, configure the target URL in the Burp Proxy. Go to Target > Scope. Under ‘Include in Scope’ section, click add and type or copy and paste the URL. Then click OK.

Why are we doing this? When we are accessing or brute-forcing web directory the Burp Proxy will record all that we or automated tool visited resources under Site Map tab. In this way, we can get back here and enumerate further.

Now, visit the page.

Click Login and we have a login page.

Check “View-Page-Source”.

This page using quite many Java scripts. It is worth to check each of them to find out any hidden paths. After reviewing those files, app.js and admin.js files have more paths.

If we access to the /api/admin/backup, it has a ‘download backup’ button. But only the admin user can download.

Let’s do a web directory brute-forcing. For this, I used dirsearch since gobuster is not working for this site. Run below command.

We get back the following results.

When I accessed to all the 3 directories it redirects to me index.html page. So nothing I can find here.

Let’s go back to the Burp Proxy. After viewing the files and response tab, I found user credentials under /api/users/.

Visit the page from the browser.

Great. We have an admin user “myP14ceAdm1nAcc0uNT” and other users. all passwords are hashed. We need to find the correct hash type and decode it. Many online sites can help to guess the hash type even decode hashes for you. One of the sites I love to use is https://hashes.com/. Now copy and paste all the hashes into the hashes box. Tick “Show algorithm of found” and then click SUBMIT & SEARCH.

We get back the following results.

Based on the output, SHA-256 was used to hash the passwords and the plain text passwords are recovered. Let’s update what we found.

Next, we know that only the admin user can download the backup file. So let use admin credentials to login and download the backup file.

Click Download Backup.

Save the file. Check the downloaded file type with file command.

We get the following results.

Further checking the file with strings command to see any hidden information, revealed it is base64 encoded strings.

Let’s decode this file.

  • -d: — decode

Check the file type.

Now we have a zipped file. Let’s unzip it with zip utility.

It prompts us to enter a password. Let’s try to crack it using fcrackzip.

We got the password. Use it to unzip the backup file.

We got the var directory. Let’s enumerate for sensitive info like passwords and usernames using grep utility.

  • -R: — Dereference-recursive
  • -i: — Ignore-case
  • head: — Display first 10 lines

We get a MongoDB credential.

Based on the results above, this credential belongs to user mark and access to MongoDB from localhost.

Exploitation/ or Just Login

Let’s try to SSH to this box with this credential.

Enter password 5AYRft73VtFpc84k.

The credential works. We got initial shell into the box in the context of user mark.

Post-Exploitation Enumeration

Download and execute linux-smart-enumeration script in the target box.

  • -l: — Output verbosity level
  • -i: — Non-interactive mode

We get back the following result.

From the above result, tom and root are members of the admin group. So we might need to escalate privilege to tom and enumerate further. Let’s continue next result.

Tom is running two jobs. One is under scheduler directory and other is under myplace directory. Next, check listening services.

We can confirm that MongoDB is running in localhost with default port 27017. The last interesting info is setuid binary file.

We will check this file in privilege escalation phase.

Let’s check the 2 files running by user tom. First check /var/scheduler/app.js.

We have mark credentials to access MongoDB scheduler.

Explanation of the code:

  1. setInterval() function checks rows(doc) in table (collection) called ‘task’ for configured jobs.
  2. If no errors and job is configured in a row, execute that job that is configured with ‘cmd’ variable.
  3. After execute, clear the row.

With this information, we can create a bash file with the owner of the file tom and SUID bit set on to escalate privilege to tom.

Next, check /var/www/myplace/app.js.

The interesting part is the /usr/local/bin/backup. This backup binary takes 3 arguments.

  • -q
  • backup_key
  • _dirname: — directory name

With these arguments, it performs a backup of the given directory. We will test this in privilege escalation phase.

Privilege Escalation

Let’s login into DB.

  • -u: — username
  • -p: — password

Once successfully login into MongoDB. Type below commands.

Now the job is successfully executed. Under the /tmp directory you can find tombash file created with SUID bit set on and owner of the file is tom.

Let’s execute tombash.

We have successfully escalated our first privilege to tom.

Let’s review the enumerated result again.

This /usr/local/bin/backup is familiar to us. We found earlier which is running by user tom through app.js script. Let’s check this file.

It is confirmed the SUID bit is on and the owner of the file is root. Only user tom can execute this file. Let’s test this file.

We get long base64 encoded strings. Run again by redirecting the output to a file.

Decode the file.

Check the file type.

It is a zip file format. Let unzip the file. When prompt for a password, type the same password we used to unzip backup file “magicword”.

Alright, it just zips the given directory and unzips the zipped file to the same directory structure. Now, let’s try to zip the /root directory.

We get the following results base64 strings.

Repeat the above step, decode and unzip the file.

This time, we need 7z to unzip the file. So I need to copy the base64 encoded strings to my Kali and unzip.

Check the content of the file.

We got a Troll face. This could be intended not to let us easily get the root.txt file. This time, I have created a file *r00t under /tmp/. Let’s try backup this.

This time the output of base64 encoded string length is not so long as we did for /root directory. Also, the extracted output exact directory structure. Let’s try a few more options.

Backup /r**t/r**t.txt.

Again we get the same length of base64 encoded strings. Let extract and see if we get the root.txt.

Nice. We can read the root.txt flag.

Do the same for /home/tom/user.txt and we get the user.txt flag.

Let’s analyst the backup binary file using strings command.

We get back the following results.

We can see this backup binary using zip utility with 4 arguments.

  • -r: Travel the directory structure recursively.
  • -P: Password
  • %s: first string is the output in zip format
  • %s: second string is the input directory to zip.

Further analysis from the strings result above, /root and /etc seems like restricted to backup. As we did for /root if you test for /etc you will get a Troll face which I already had tried.

Privilege Escalation to Root

In this section, I used 3 methods to get a root shell. First is the kernel exploitation. I managed to exploit kernel vulnerability to get a root shell. But in a real-life penetration test, this must be the last resort when there are no other ways. Second and third is from ippsec video using command injection.

Let’s begin.

Method #1

Check kernel version in the target.

Check kernel exploits using linux-exploit-suggester-2.

Exploit #4 is my favourite and it always works for me. Download the exploit using searchsploit to Kali.

Compile the exploit.

Transfer the exploit to target and give execute permission.

Then execute it.

Rooted!

Method #2

Using newline character we can escalate privilege to root. Type below command.

We rooted again.

Method #3

Using newline character in printf function. Type below command.

And again we rooted.

Attack Strategy Map

Thank you for reading :-) Next box is Valentine.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.