Sunday, 30 September 2018

Node:1 - CTF

Hi. It's been a while since I last played a CTF, so I decided to try the next one available online thanks to VulnHub: Node:1. Here we go...

Special thanks go to Rob for preparing the game.

I started with netdiscover -r on Kali to find the address of the target VM. Next I used nmap to scan the box; results below:

After a few seconds we can see two services: SSH and a web app on port 3000/tcp:

We will come back to SSH later; for now let's look at the web page:

As you can see, we have three users here: tom, mark and rastating ;)

I always like to see what's in the source code, so I decided to check the JS files included here:

I read the files one by one. After a while I found the file called app.js:

Very interesting. The next step was to check the /partials/ link ;)

Checking it without 'view-source':

I decided to check the next links I found:

This is how I found our users:


When I found this I decided to go one directory up. Results:

So we have users and some hashes. Let's see if we can find any help for cracking them on Kali:

We can ;]
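The cracking step above, as an added example that is not part of the original post: the page does not say which hash algorithm the web app used, so the script infers the candidate unsalted algorithms from the digest length and confirms the guess by dictionary attack. The usernames are the ones from the page; the digests (of common passwords) and the wordlist are constructed for this example, and the assumption that the hashes are unsalted is just that, an assumption (a salted or peppered hash would simply never match).

```python
import hashlib

# Unsalted algorithms whose hex digest has a given length. The page does not
# say which algorithm the app used, so it is inferred from the length and
# confirmed by the crack; 64 hex chars could also be SHA3-256, so both are
# tried (assumption: no salt or pepper, otherwise nothing will match).
ALGOS_BY_HEXLEN = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256", "sha3_256"),
    128: ("sha512", "sha3_512"),
}


def candidate_algorithms(digest: str):
    """Unsalted algorithms whose hex digest length matches `digest`."""
    return ALGOS_BY_HEXLEN.get(len(digest), ())


def crack_hash(digest: str, wordlist):
    """Dictionary attack on one digest; returns (algorithm, plaintext) or None."""
    digest = digest.strip().lower()
    algos = candidate_algorithms(digest)
    for word in wordlist:
        for algo in algos:
            if hashlib.new(algo, word.encode()).hexdigest() == digest:
                return algo, word
    return None


def crack_users(users, wordlist):
    """Crack every (user, digest) pair; uncracked users map to None."""
    return {user: crack_hash(digest, wordlist) for user, digest in users.items()}


# Constructed sample in the shape of the API's user records (username plus
# hex digest). The usernames are the page's; the digests are made up here:
# tom = sha256("password"), mark = md5("123456"), rastating = sha1("abc"),
# and "abc" is deliberately absent from the wordlist.
SAMPLE_USERS = {
    "tom": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "mark": "e10adc3949ba59abbe56e057f20f883e",
    "rastating": "a9993e364706816aba3e25717850c26c9cd0d89d",
}
WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    for user, hit in crack_users(SAMPLE_USERS, WORDLIST).items():
        print(user, hit if hit else "(not in wordlist)")
```

Digest length only narrows the algorithm down; the crack itself is the confirmation, which is why every algorithm of the right length is tried per word rather than picking one up front.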

Let's prepare fcrackzip:

If the password is valid we can download the backup file:

So far, so good. Checking the file:

I couldn't unzip the file because of the password, but I was still able to list the contents of the zip file (a password-protected zip encrypts the entry data, not the file names):

I decided to go back to fcrackzip:

The password was found, so let's check the contents of the files:

Interestingly, I found some hardcoded credentials:

Let's try them against the SSH port that is also open on the machine:


Great! :)

After listing the users' /home directories I tried to connect to the MongoDB instance mentioned in those credentials:

Good. This was the tricky part for me: how to turn MongoDB access into command execution, the way the good old raptor_udf does for MySQL. I started looking for hints on Google and that's how I found [1, 2, 3, 4].

The hints available there allowed me to update the venome script and create a shell file in JS.

(A fresh, updated copy of it you'll find on GitHub.)

I copied the revshell file to /var/www/html so it could be downloaded, and triggered it using MongoDB. I think we're ready to go:

Great! The reverse shell is ready. Now:

Good. We are now able to grab the user.txt file.

And then I found something interesting in the contents of the "backup":

As you can see, there are multiple interesting hints in there ;]

I decided to copy/paste this base64 (?;)) into a txt file and decode it; the results you'll see below:
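The archive handling in this write-up, listing an encrypted zip without its password, cracking that password with a dictionary the way fcrackzip does, and decoding a base64 blob back into the zip it hides, as one added example in Python that is not part of the original post or of the Node:1 VM. The stdlib zipfile module can read ZipCrypto-protected archives but cannot write them, so the script builds its own small one by hand; the entry name, its contents, the password and the wordlist are all made up for this example.

```python
import base64
import io
import os
import struct
import zipfile
import zlib

# ZipCrypto (traditional PKWARE zip 2.0 encryption) is the scheme fcrackzip
# attacks. This encrypter exists only so the example can build an encrypted
# archive offline. The spec's CRC step has no pre/post inversion, so
# zlib.crc32() cannot be used for the key schedule.
_CRC_TABLE = []
for _n in range(256):
    for _ in range(8):
        _n = (_n >> 1) ^ 0xEDB88320 if _n & 1 else _n >> 1
    _CRC_TABLE.append(_n)


def _crc_step(crc: int, byte: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCryptoEncrypter:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc_step(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Hand-build a one-entry, stored (uncompressed), ZipCrypto archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes + CRC high byte. That one
    # check byte is all a cracker can test before decrypting, so ~1/256 of
    # wrong passwords pass it; hence fcrackzip -u verifies hits with unzip.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncrypter(password).encrypt(header + data)
    csize, usize = len(body), len(data)
    dos_date = (38 << 9) | (9 << 5) | 30  # 2018-09-30; any valid date works
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, dos_date,
                        crc, csize, usize, len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0,
                          dos_date, crc, csize, usize, len(name),
                          0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                      len(local) + csize, 0)
    return local + body + central + end


def decode_backup(text: str) -> bytes:
    """Decode a base64 blob (line breaks tolerated) and check it is a zip."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    if raw[:4] != b"PK\x03\x04":
        raise ValueError("decoded data does not start with a zip local header")
    return raw


def list_zip(raw: bytes):
    """(name, size, encrypted) per entry: entry names are never encrypted."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 1)) for i in zf.infolist()]


def crack_zip(raw: bytes, wordlist):
    """Dictionary attack; a hit means a full decrypt plus CRC check passed."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        target = zf.infolist()[0]
        for cand in wordlist:
            try:
                zf.read(target, pwd=cand)
                return cand
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # bad check byte, bad CRC, or garbage fed to deflate
    return None


def recover_backup(b64_text: str, wordlist):
    """base64 -> zip -> crack -> (password, {name: plaintext}); None if no hit."""
    raw = decode_backup(b64_text)
    pwd = crack_zip(raw, wordlist)
    if pwd is None:
        return None
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return pwd, {i.filename: zf.read(i, pwd=pwd) for i in zf.infolist()}


# Constructed sample "backup": base64 text that decodes to a protected zip,
# the shape of the file described above. Name, contents, password and
# wordlist are all made up for this example.
SAMPLE_CONTENT = b"// hypothetical app.js with a hardcoded db password\n"
SAMPLE_PASSWORD = b"letmein"
SAMPLE_BACKUP_B64 = base64.b64encode(
    make_encrypted_zip(b"app.js", SAMPLE_CONTENT, SAMPLE_PASSWORD)).decode()
ZIP_WORDLIST = [b"123456", b"password", b"letmein", b"qwerty"]
```

Two things worth keeping in mind when you do this with real tools: the listing works without a password because zip encryption covers only the entry data, and a "found" password from a check-byte-only cracker is right only 255 times out of 256, which is why the full decrypt (or fcrackzip's -u) is the real test.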

I used the password found in the output of strings:


Cool. ;]

To finish the machine I used this exploit for CVE-2017-16995 (a local privilege escalation through the Linux kernel's eBPF verifier).

Well. I think that's all.

And yeah... the root-flag:

Big thanks goes to the author for preparing Node:1 CTF.
It was a pleasure. 

Thanks for sharing go to the VulnHub team.

