niedziela, 30 września 2018

Node:1 - CTF

Hi. It's been a while... when I tried to play CTF last time. So I decided to try a next one available online thanks to VulnHub. Let's try Node:1 CTF. Here we go...

Special thanks goes to the 'Rob' for preparing the game.

I started netdiscover -r  on Kali to find the address of the target VM. Next I used nmap to scan the box, below results:


After few seconds we can see 2 services: ssh and webapp available on port 3000/tcp:


We will back to the ssh later, now let's see that webpage:

As you can see we have 3 users here: tom, mark and rastating ;)

I always like to see what's in the source code, so I decided to check JS files included here:


I tried to read the files one by one. After a while I found the file called app.js:

Very interesting. Next step was to check the /partials/ link ;)

Checking without 'view-source':


I decided to check next links I found:

This is how I found our users:

Switch:

When I found this I decided to go the earlier directory. Results:


So we have users and some hashes. Let's see if we can find any help on Kali:

 

We can ;]

Let's prepare fcrackzip:


If password is valid we will download the backup file:

 

So far, so good. Checking the file:


 I couldn't unzip the file because of the password but I was still able to list the content of the zipfile:


I decided to go back to fcrackzip:


Password was found, so let's check the content of the files:


Interestingly I found some hardcoded credentials:


Let's try to use it with SSH port also available on the machine:

And...


Great! :)

After Ilisted /home of users I tried to connect to mentioned mongodb:


Good. This was the tricky part for me. How to use MongoDB to make it act like good old one raptor_udf. I started looking for some hints on Google and that's how I found: [1, 2, 3, 4 ].

Hints available there allowed me to update venome script and create a shell-file in JS.


(Fresh, updated copy of venome.sh you'll find on github.)

I copied revshell file to /var/www/html to download it - using MongoDB. I think we're ready to go:


Great! Reverse shell is ready. Now:


Good. We are able now to grab the user.txt file.

And then I found something interesting in the content of the "backup":


As you can see we will find multiple interesting hints there ;]

I decided to copy/paste this base64(?;)) to txt file and decode it, results you'll see below:


I used the password found in output from strings:

Checking:

Cool. ;]

I decided to finish the machine. To do that I used this exploit (described as CVE-2017-16995).



Well. I think that's all.

And yeah... the root-flag:



Big thanks goes to the author for preparing Node:1 CTF.
It was a pleasure. 

Thanks for sharing goes to the VulnHub Team.


Cheers
Posted by at
Labels: , ,

Brak komentarzy:

Prześlij komentarz

Subskrybuj: Komentarze do posta (Atom)