Special thanks goes to the 'Rob' for preparing the game.
I started netdiscover -r on Kali to find the address of the target VM. Next I used nmap to scan the box, below results:
After few seconds we can see 2 services: ssh and webapp available on port 3000/tcp:
We will back to the ssh later, now let's see that webpage:
I always like to see what's in the source code, so I decided to check JS files included here:
I tried to read the files one by one. After a while I found the file called app.js:
I decided to check next links I found:
So we have users and some hashes. Let's see if we can find any help on Kali:
We can ;]
Let's prepare fcrackzip:
If password is valid we will download the backup file:
I couldn't unzip the file because of the password but I was still able to list the content of the zipfile:
I decided to go back to fcrackzip:
Password was found, so let's check the content of the files:
Interestingly I found some hardcoded credentials:
Let's try to use it with SSH port also available on the machine:
After Ilisted /home of users I tried to connect to mentioned mongodb:
Good. This was the tricky part for me. How to use MongoDB to make it act like good old one raptor_udf. I started looking for some hints on Google and that's how I found: [1, 2, 3, 4 ].
Hints available there allowed me to update venome script and create a shell-file in JS.
(Fresh, updated copy of venome.sh you'll find on github.)
I copied revshell file to /var/www/html to download it - using MongoDB. I think we're ready to go:
Great! Reverse shell is ready. Now:
Good. We are able now to grab the user.txt file.
And then I found something interesting in the content of the "backup":
As you can see we will find multiple interesting hints there ;]
I decided to copy/paste this base64(?;)) to txt file and decode it, results you'll see below:
I used the password found in output from strings:
I decided to finish the machine. To do that I used this exploit (described as CVE-2017-16995).
Well. I think that's all.
And yeah... the root-flag:
Big thanks goes to the author for preparing Node:1 CTF.
It was a pleasure.
Thanks for sharing goes to the VulnHub Team.