Jason TryHackMe Walkthrough
introduction
Hello guys back again with another walkthrough this time we’ll be tackling jason from TryHackMe. A box created by elbee. The box is actually an easy one with just two two steps from initial foothold to getting root on the box. We start of by doing an nmap scan and discovering that two ports are open. SSH running on port 22 and HTTP running on port 80. The website seem to allow users to subscribe to news letters by them providing an email address. Then the web application set up a cookie for that specific user. The cookie is base64 encoded and decoding it we find that it’s a JSON object. Sweet!! perform a NodeJS deserialization attack and get a shell on the system. Next we use npm to install a malicious node package and get a root shell on the box. Without much say let’s jump in
As always we’ll start of with an nmap scan of the box. And looking at the result below we have 2 ports that are open.
- Port 22 running secure shell
- Port 80 running a web server with NodeJS
Secure shell shouldn’t be of much interest to us since it requires credentials for access which we don’t have one as of now. Unless there is a 1 day exploit in the SSH version itself we should enumerate it last. Looking that nmap scan we see that nmap identified HTTP but failed to fingerprint exactly the type of server it’s running.
Opening the web server using Mozilla we get a standard web page.
The website seems to allow users to subscribe to news letters using an email address. Also the website is built with NodeJS as seen from the image. Next we do all our standard website enumeration.
First we run a nikto scan maybe I’ll identify vulnerabilities on the web server itself
Next i ran a ffuf in case there were any hidden directories on the server.
After that i decided to enumerate the server manually. The website allowed us to subscribe for a newsletter. Let’s subscribe for one and intercept the request using burpsuite a web proxy.
Looking at the request we see that once we subscribe for a newsletter the application in turn gives is a cookie
And the cookie appears to be base64 encoded. I copied the cookie and tried decoding it using my terminal
Looking at the screenshot above we get a JSON object with our email address in it. Next i tested for NodeJS deserializaion and it worked. It’s a vulnerability we’ve exploited before in the channel. You can read the article using the link provided. I used a payload from opsecx and tweaked it to my liking and the final result was as seem below
The payload will cause the target system to ping my box if by any chance the server is vulnerable to a NodeJS deserialization attack. I encoded the payload to base64 and set up a tcpsump listener to listen for any icmp packets
Then sent the payload to the server inform of a cookie.
Going back to the tcpdump listener we had a ping
Sweet we have confirmed remote code execution on the server (RCE). Next we want to get a shell on the system and since i didn’t want to complicate the payload with a reverse shell since a reverse shell always contains bad chars i decided to save the payload in a file called shell.sh and set up a python web server host the reverse shell. Download the reverse shell on the target system and execute it.
The payload used was as seen below
The reverse shell used was:
Next i started a web sever on port 8000 and a netcat listener where my reverse shell would connect to.
Then encoded the malicious JSON object and sent it to the server. Going back to my web server we had a shell on the system
Sweet!!. Now we need to perform a privilege escalation on the system. Executing sudo -l we see that we can run npm as any user on the box
Using GTFOBins payload i was able to tick the npm to execute bash that gave me a root shell on the box.
Looking at the screenshot above we have a root shell on the system. Sweet whats remaining is submitting the flags.
Looking at the root folder we have the root flag.
Going to Dylan’s home directory we have the user flag
And the box is pretty much done.
You might be wondering how the vulnerability occurred in the first place. Looking at the source code we see that the cookie was passed to a unserialize call leading to the vulnerability
Hope you enjoyed the walkthrough if so don’t forget to clap for me down below and follow me so that you won’t miss any upcoming walkthrough