HackTheBox Node:1 Vulnhub CTF Walkthrough

Node CTF is available at: https://www.vulnhub.com/entry/node-1,252/

This Vulnerable machine Node is based on the new technologies and how we can hack into them. It uses Node Express server Json and hadoop. There are many ways to hack into the machine, I tried both but got though with one, So here is my walk-through of that one way.

Let’s dive in the machine:

If you are having problem with setting up network configuration for your attacker and target machine, Read these article:

  1. VirtualBox: http://www.anonhack.in/2018/06/finding-the-ip-address-of-your-victim-in-your-hacking-lab-network/
  2. Vmware: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/

A Quick Netdicover on my Kali machine showed me the IP address of the Node machine.

nmap result for the Node is below:

So Now, we got two ports, One of them is http. I visited the website. I looked everywhere and finally got to know that it is sending all the authentication data to the client side that is me.

So while using burpuite for spidering the website, this is what I found on /api/users

The usernames for the login panel are right there for all the users that exist on the site. The username: my14ceAdminAccount is the admin because it’s is_admin flag is true.

A quick formulation of these passwords from the website: https://www.onlinehashcrack.com/hash-identification.php, gave me the hash identification to be of SHA family. finally got SHA-256 as the hash.
On decode this is the answer:

Logging in with the Admin credentials get us this:

Download The backup file.

If you look closely at the entire backup file, at the end there is a = sign giving a clue that it is base64 encoded. I used a window utility on Powershell called Certutil to decode this, because it’s quite big and wasn’t loading on my kali.

The decode file generated looked all gibberish, until I used file utility on Kali to check what kind of file it was.
The command: file decode
It said the file is a ZIP file. So I renamed it as decode.zip. When you open this, you will find out that it is password protected.
Now We have to crack the zip file password using fcrack and rockyou.txt list.

Password is magicword.

On looking around the ZIP file, You will find app.js, this contains the user mark’s mongodb login credentials. 

Now again there wasn’t much to do. So I tried this password on the SSH port of Node and it worked!

Looking around the mark’s account. There isn’t much information there. But there is a file in Tom’s account which is called user.txt. That I am not allowed to see since I am mark.

Tried suid bit searches too with the command: find . – perm /4000.
This command gave me a lot of files. I have tried SUID on ping6, on ping but it doesn’t gave me much.
There was this another file /usr/local/bin/backup on which suid bit is turned on. Couldn’t get around it. I think it is the second way!But I moved on.

So Now I used uname -a:

Looked at the Google for the Vulnerable script and Viola!
This kernal version have an exploit written at: https://www.exploit-db.com/exploits/44298/

I used wget to download this on mark’s account tmp folder. Renamed the file to index.html to v.c 

Commands:
For Compiling : gcc v.c

For executing : ./a.out

You will get the ROOT!

Checked the user.txt for Tom. It is password for TOM user.

And finally in the root directory got root.txt, flag password for root!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.