Node: 1

Node: 1 is the latest box (as of today) available on VulnHub. It’s a nifty thing with a few interesting hoops to jump through in order to get root. Here’s the scoop:

nmap reports an SSH service on port 22 and something else on port 3000. A quick banner grab with NetCat tells us that it’s an Express Node.js app. Simply by browsing around the site we’re able to enumerate a few users.

After looking at the source code we can also see references to paths on the server which are intended to return additional data.

So clearly we’re able to find hashed passwords of users, as long as we know their usernames.

On the off-chance that we might find some other flaw in the application I tried a simple GET while leaving out any usernames at all…bingo!

We now see four different username/passhash combinations. We can throw these into a file and use John the Ripper to see what we can break.

JTR very quickly identifies the passwords for 3 users, including the one we really wanted, which is myP14ceAdm1nAcc0uNT:manchester. While it was worth a shot to try and SSH with these credentials, that doesn’t work. But this does allow authentication into this Node.js app. The app provides a button to “Download Backup”, which is obviously my next step.

The file is of course assumed to be an archive of sorts, so I rename to zip, but it still isn’t the correct format. Looking closer, it appears to be base64 encoded. The good news is that after decoding the file our unzip command works just fine.

The bad news is that the file is password protected.  Fortunately for us, Kali comes standard with fcrackzip.

app.js turns out to be the heart of where this app is configured. The file contains a path to the local MongoDB instance and also includes plain text username/password, which, in this case *does* allow us to SSH into the server.

Now we’re logged in with a lower privilege user. A quick kernel check shows version 4.4.

Using our trusty something-search we find some low hanging potential fruit.

Turns out this exploit works perfectly, providing root access and the capture of the two desired flags!