Thursday 11 April 2019

Solve the Node1 Vulnhub without MSF


This article is going to walk through the step I used to solve the Node 1 vulnerable VMs that can be download at the https://www.vulnhub.com/entry/node-1,252/

The objective of the game
Get the root access and read the file /root/flag.txt

Tools used on this game
  • Kali 64bits (192.168.187.135)
  • netdiscover
  • NMAP
  • fcrackzip (word list file: /user/share/wordlists/rockyou.txt)
Game Setup
1) Downloaded Node 1 at VulnHub to start the game using any VM client.  The VMware Workstation  15 was used for this walkthrough.

Information Gathering
2) Used nmap or netdiscover to find the target machine IP address

3)  Gathered some information about the target machine
nmap -n -v -Pn -p- -A --reason -oN nmap-131.txt 192.168.187.131

An HTTP server was set up using Node.js Express Framework and an SSH was enabled.

4) Using Nikto check any problem of the website, but no luck.

5) Checked the webpage http://192.168.187.131:3000


5) Study the source code, as the backend is Node.js, checking all JS program.




6) A user list was found 



7)  Decode the password, using online hashing tools




The result
  • manchester :myP14ceAdm1nAcc0uNT
  • tom:spongebob
  • mark:snowflake
  • restating:<not found>


8) Using the decrypted password to login the system, Manchester user can log in 
 The user manchester user can log in and a file available for download



9) The file is Base64 hashed file, after converted, it is a ZIP file with password protected
 
  
10) Try to brute-force attack to find the password using fcrackzip using word list file: /user/share/wordlists/rockyou.txt

11)  After unzipped the file, it was a website repository.  Checking any hardcode password for login or database connection in some properties files


find ./ -type f -exec grep "password" '{}' \; -print
find ./ -type f -exec grep "key" '{}' \; -print

 I got it

12) The app.js contained the database connection string with the password
User Id: mark
Password: 5AYRft73VtFpc84k

Try to log in the target server using SSH

13) Checked any privilege escalation can do, but no luck. checking any background job running.
14) A scheduled job was set up to connect the database to check the tasks object for every 30000 ms, using the provided connection URL to log in the mongo database. 

Anyone have an idea to create an attack at the MongoDB 

15) Nothing can do, change another direction. Check the OS version and see any privilege escalation

16) try to download the exploit code but fail, as the mark did not have write permission at his home directory 
17) Changed to /tmp/ and tried again.

18) Compiled the exploit code and run it, GOT it.........

 19) I got the answer


Calvin Work A) My Study Plan B) My CTF Record C) My Python Code-  github    1) Crypto    2) Crunch in python (generate d...