Hack The Box

HackTheBox “Node” Walkthrough

Node, a medium-level Linux OS machine on HackTheBox, focuses on the meticulous enumeration of a NodeJS application to identify an API endpoint that exposes user password hashes. This challenge presents an opportunity…

HackTheBox “Node” Walkthrough, figure 1

Node, a medium-level Linux OS machine on HackTheBox, focuses on the meticulous enumeration of a NodeJS application to identify an API endpoint that exposes user password hashes. This challenge presents an opportunity to explore various services like MongoDB and experiment with Local Memory Corruption Vulnerability to escalate our privileges and gain a root shell.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Node” Walkthrough, figure 2

Let’s visit the target on port 3000.

HackTheBox “Node” Walkthrough, figure 3

The website appears to be a social media platform. Let’s examine its source code.

HackTheBox “Node” Walkthrough, figure 4

Let’s examine the JS files linked at the end of the source code.

HackTheBox “Node” Walkthrough, figure 5

The script “profile.js” located in the “assets/js/app/controllers” directory exposes the directory “/api/users” for access.

HackTheBox “Node” Walkthrough, figure 6

It reveals the presence of user accounts along with their corresponding password hashes. We can gather these hashes and submit them to Hashes.

dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0aff0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f735065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0
HackTheBox “Node” Walkthrough, figure 7

Utilizing the credentials obtained from the compromised API, I am able to authenticate myself as myP14ceAdm1nAcc0uNT:manchester.

HackTheBox “Node” Walkthrough, figure 8

A download link is provided as the only available option, let’s download it.

HackTheBox “Node” Walkthrough, figure 9

The content of the file consists of a continuous sequence of ASCII characters, let’s have a look at some of the content.

HackTheBox “Node” Walkthrough, figure 10

The character set aligns with the base64 encoding scheme. After decoding, it was revealed that the content represents a Zip Archive.

HackTheBox “Node” Walkthrough, figure 11

It appears that the archived file, which has been renamed to .zip, contains the source code for the website.

HackTheBox “Node” Walkthrough, figure 12

When attempting to unzip the file, a password prompt is displayed. We can use the tool zip2john to extract the hash file from the zip file.

HackTheBox “Node” Walkthrough, figure 13

Let’s check the content of the hash.txt file.

HackTheBox “Node” Walkthrough, figure 14

We will use John to crack it.

HackTheBox “Node” Walkthrough, figure 15

We can utilize the password “magicword” to unzip the contents of the zip file.

HackTheBox “Node” Walkthrough, figure 16

Upon unzipping the files, we get the source code for the “myplace” application, providing us with an opportunity to carefully check its contents.

HackTheBox “Node” Walkthrough, figure 17

Within the app.js file, there exists a database connection string containing the credentials for the user named "mark":

mark:5AYRft73VtFpc84k@localhost

The credential for the user “mark” is valid for SSH authentication.

HackTheBox “Node” Walkthrough, figure 18

To delve deeper into local vulnerabilities of the target, we can employ linpeas.sh for analysis. Our next step involves launching an HTTP server on our attack box.

HackTheBox “Node” Walkthrough, figure 19

Retrieve the linpeas tool and save it in the /tmp directory, then execute it.

HackTheBox “Node” Walkthrough, figure 20

During the check of the linpeas results, we encountered a compelling process executing on the target system.

HackTheBox “Node” Walkthrough, figure 21

Upon further investigation, we discovered the presence of another process of app.js located at /var/scheduler/app.js.

In addition to examining the app.js file within the myplace directory, we decided to analyze this newly identified app.js. During our analysis, we uncovered a distinct MongoDB URI associated with a database named “scheduler,” which is different from the previously discovered “myplace” database.

HackTheBox “Node” Walkthrough, figure 22

The application attempts to retrieve the value of the “cmd” parameter from the “tasks” collection within the “scheduler” database. It then executes this command under the context of the “tom” user and subsequently removes it. As a result, command execution is achieved with the privileges of the “tom” user. Now, our objective is to acquire a shell.

Next, we endeavor to access the “scheduler” database as the “mark” user through the utilization of the mongo command below.

mongo -u mark -p 5AYRft73VtFpc84k scheduler

HackTheBox “Node” Walkthrough, figure 23

We can see the existence of a collection “tasks”. Our next step involves configuring the reverse shell command within the “cmd” value. To accomplish this, we generate a script named “shell.sh” within the /tmp directory.

HackTheBox “Node” Walkthrough, figure 24

Launch a listener on our attack box.

HackTheBox “Node” Walkthrough, figure 25

We proceeded to insert the “cmd” value into the MongoDB database.

db.tasks.insert( { cmd:"bash /tmp/shell.sh" } );

HackTheBox “Node” Walkthrough, figure 26

After seconds, we get a shell.

HackTheBox “Node” Walkthrough, figure 27

Privilege Escalation:

Now, let’s check the system information.

HackTheBox “Node” Walkthrough, figure 28

Let’s check searchsploit for information on Linux kernel 4.4.

HackTheBox “Node” Walkthrough, figure 29

We find a kernel privilege escalation for this version of the kernel highlighted above. We transfer the exploit to our working directory and subsequently to the target.

HackTheBox “Node” Walkthrough, figure 30

Download the exploit on the target machine.

HackTheBox “Node” Walkthrough, figure 31

We compile the exploit using gcc and execute the resulting executable.

HackTheBox “Node” Walkthrough, figure 32

And we get a root shell.

Cheers.