Cybersecurity Solutions and Support Services

    HackTheBox Node Walkthrough

    I think at some point, I started this box but didn't finish it.  That's been known to happen -- I only allot so much time to this kind of thing.  As I wrapped up the box from yesterday, I saw this one, took a quick look and down the rabbit hole I went.  This box is interesting because I don't have a huge amount of experience with Node and I did a little bit of extra hunting.  Perhaps if I were more familiar with Node, I would have honed in on one piece sooner than later.

    Anyway, I don't want to spoil anything so let's get rolling.  We kick off with Nmap:





    Not much here so I'll assume that port 3000 is our entry. 

    Checking out the site:





    As I'm browsing around, I'm digging through Burp and I find:





    Pulling up that URL, we find:





    Those look like hashes, I toss them into hash-identifer to see what it thinks:





    SHA256 hashes -- let's move them over to Hashcat:





    2 out of 3 hashes cracked.  We attempt to login with both accounts:





    And we get the same message -- essentially, we need to be admin.  I circle back through Burp and I find a new edition:





    Back to Hashcat:





    Because this account lists "is_admin" as true, we should be able to get further with the login:





    We download the backup:





    I run file on the backup and I take a peek, it looks like Base64.  I decode the Base64 and I run file again, it's a zip file.  I attempt to extract the zip file but it's password protected.  I run fcrackzip:





    We retrieve the password.  I unzip the backup:





    And I get a ton of data.  Not really know where to hunt, I use grep to search in the files to find the word "password":





    When I open up app.js, I find:





    That looks like a username and password.  I attempt to SSH with those creds:





    And we're in!  Checking out the environment:





    Vulnerable to several kernel exploits:





    And we're root! 

    Once last thing to do:





    I know, I skipped the user flag again.  I'll leave that up to you.


    © 2020 sevenlayers.com