Holiday

Target Enumeration:

OS: Linux


User: 5edc176c52673a6e0f087c68c531c743

Root: a844cb50bf88ebbe8412e095a6b642e8

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

8000/tcp open http Node.js Express framework

Vulnerabilities Exploited:

SQL injection to obtain users' login details

Stored cross-site scripting to steal the admin cookie

Command injection to gain a Perl reverse shell

Privilege Escalation:

The user's sudo rule allows running npm as root, so a package's preinstall script executes commands as the root user.

Exploiting the host:


Gobuster on port 8000 did not bring anything up the first time:

So modify the User-Agent to look like a browser:

Login page at /login

Test for everything including SQLi; capture the login request:

Save it as login.req and run sqlmap -r login.req --level=5 --risk=3

Vulnerable to SQLi.

Dump the whole database:

sqlmap -r login.req --level=5 --risk=3 --dump

There is a username and what looks like an MD5 hash in the database:

Google the hash and it looks like we have been rickrolled.

Once logged in, it appears to be a booking form.

Check the notes page; the notes are reviewed every minute by an administrator, so this could be an XSS vector.

Initially found very little on the application, so we scanned it intensively for flaws, which also brought back nothing.

Try more advanced XSS with encoding:

Create the following inject.js file:

Encode the following string to inject into the page using

document.write('<script src=""></script>');

Create the following injection string in Notepad (for debugging) and then add it to the page:

Like so:

Set up an nc listener and after 1 minute you should see the following:

Now create the following cookie-stealing script called inject.js and host it with a Python web server.

Change your nc listener to port 8000.

Open a Python server on port 80 to host your JavaScript.

Add a new note with the injection string.

Wait around 1 minute.

Response from nc listener:

Copy the cookie=$data value into Burp and URL-decode it; you now have the admin cookie:

Request the /admin page, capture it in Burp and send it to Repeater:

Now show the response in the browser:

The export tables function allows command execution; ensure you set the admin cookie on the requests:

The application filters out certain characters, so use wget with your IP in binary format.

This worked.

Lots of tools are missing on this box and we are restricted in what we can use; however, there is perl on the machine.

Create a Perl reverse shell as follows:

Download it to the target system with nc listening on port 443.

Execute the perl2 payload.

Now you have a shell:

Grab the user.txt file.

sudo -l shows the commands our current user is allowed to run.

Exploit link:

Create the following files locally:

Set up an nc listener on port 444 locally and download the created files into a directory called rimrafall/ in the app directory.

Then execute the following command to get root:

cd ../
sudo npm i rimrafall --unsafe

Now you have a root shell so collect the flag.
