Hack The Box
HackTheBox “Node” Walkthrough
Node, a medium-level Linux OS machine on HackTheBox, focuses on the meticulous enumeration of a NodeJS application to identify an API endpoint that exposes user password hashes. This challenge presents an opportunity…

Node, a medium-level Linux OS machine on HackTheBox, focuses on the meticulous enumeration of a NodeJS application to identify an API endpoint that exposes user password hashes. This challenge presents an opportunity to explore various services like MongoDB and experiment with Local Memory Corruption Vulnerability to escalate our privileges and gain a root shell.
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:

Let’s visit the target on port 3000.

The website appears to be a social media platform. Let’s examine its source code.

Let’s examine the JS files linked at the end of the source code.

The script “profile.js” located in the “assets/js/app/controllers” directory exposes the directory “/api/users” for access.

It reveals the presence of user accounts along with their corresponding password hashes. We can gather these hashes and submit them to Hashes.
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0aff0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f735065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0
Utilizing the credentials obtained from the compromised API, I am able to authenticate myself as myP14ceAdm1nAcc0uNT:manchester.

A download link is provided as the only available option, let’s download it.

The content of the file consists of a continuous sequence of ASCII characters, let’s have a look at some of the content.

The character set aligns with the base64 encoding scheme. After decoding, it was revealed that the content represents a Zip Archive.

It appears that the archived file, which has been renamed to .zip, contains the source code for the website.

When attempting to unzip the file, a password prompt is displayed. We can use the tool zip2john to extract the hash file from the zip file.

Let’s check the content of the hash.txt file.

We will use John to crack it.

We can utilize the password “magicword” to unzip the contents of the zip file.

Upon unzipping the files, we get the source code for the “myplace” application, providing us with an opportunity to carefully check its contents.

Within the app.js file, there exists a database connection string containing the credentials for the user named "mark":
mark:5AYRft73VtFpc84k@localhost
The credential for the user “mark” is valid for SSH authentication.

To delve deeper into local vulnerabilities of the target, we can employ linpeas.sh for analysis. Our next step involves launching an HTTP server on our attack box.

Retrieve the linpeas tool and save it in the /tmp directory, then execute it.

During the check of the linpeas results, we encountered a compelling process executing on the target system.

Upon further investigation, we discovered the presence of another process of app.js located at /var/scheduler/app.js.
In addition to examining the app.js file within the myplace directory, we decided to analyze this newly identified app.js. During our analysis, we uncovered a distinct MongoDB URI associated with a database named “scheduler,” which is different from the previously discovered “myplace” database.

The application attempts to retrieve the value of the “cmd” parameter from the “tasks” collection within the “scheduler” database. It then executes this command under the context of the “tom” user and subsequently removes it. As a result, command execution is achieved with the privileges of the “tom” user. Now, our objective is to acquire a shell.
Next, we endeavor to access the “scheduler” database as the “mark” user through the utilization of the mongo command below.
mongo -u mark -p 5AYRft73VtFpc84k scheduler

We can see the existence of a collection “tasks”. Our next step involves configuring the reverse shell command within the “cmd” value. To accomplish this, we generate a script named “shell.sh” within the /tmp directory.

Launch a listener on our attack box.

We proceeded to insert the “cmd” value into the MongoDB database.
db.tasks.insert( { cmd:"bash /tmp/shell.sh" } );

After seconds, we get a shell.

Privilege Escalation:
Now, let’s check the system information.

Let’s check searchsploit for information on Linux kernel 4.4.

We find a kernel privilege escalation for this version of the kernel highlighted above. We transfer the exploit to our working directory and subsequently to the target.

Download the exploit on the target machine.

We compile the exploit using gcc and execute the resulting executable.

And we get a root shell.
Cheers.