Difference between revisions of "Temple of Doom: 1 ~ VulnHub - CTF Walkthrough"
(Created page with "== Objective == Retrieve a flag located inside /root folder Source: https://www.vulnhub.com/entry/temple-of-doom-1,243/ VulnHub.com Status: [<span style="color:red">In P...") |
m (→Enumeration) |
||
| Line 29: | Line 29: | ||
=== Entry Point #1 - Port 666 (nodejs) === | === Entry Point #1 - Port 666 (nodejs) === | ||
==== Enumeration ==== | ==== Enumeration ==== | ||
| + | Hitting http://192.168.56.101:666 presents us with "under construction". Refreshing the page results in an interesting error. | ||
| + | <syntaxhighlight lang=javascript highlight="" line> | ||
| + | SyntaxError: Unexpected token F in JSON at position 79 | ||
| + | at JSON.parse (<anonymous>) | ||
| + | at Object.exports.unserialize (/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js:62:16) | ||
| + | at /home/nodeadmin/.web/server.js:12:29 | ||
| + | at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5) | ||
| + | at next (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:137:13) | ||
| + | at Route.dispatch (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:112:3) | ||
| + | at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5) | ||
| + | at /home/nodeadmin/.web/node_modules/express/lib/router/index.js:281:22 | ||
| + | at Function.process_params (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:335:12) | ||
| + | at next (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:275:10) | ||
| + | </syntaxhighlight> | ||
| + | Upon further examiniation as to what could've triggered that behavior it became apparent that their service is setting a cookie '''profile''', containing some sort of '''base64''' encoded string | ||
| + | <syntaxhighlight lang=shell-session highlight="4" line> | ||
| + | eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D</syntaxhighlight> | ||
| + | |||
| + | Which decodes to the following JSON object. | ||
<syntaxhighlight lang=shell-session highlight="" line> | <syntaxhighlight lang=shell-session highlight="" line> | ||
| − | + | '{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}7' | |
</syntaxhighlight> | </syntaxhighlight> | ||
| − | + | As we can see, there are obvious typos which will break JSON interpreter. What is more important at this point is that we have '''Something that breaks!!!!''' and so let's try using it to our advantage! | |
| − | |||
| − | |||
| − | |||
=== Exploitation === | === Exploitation === | ||
Revision as of 07:38, 30 July 2018
Contents
Objective
Retrieve a flag located inside /root folder
Source: [VulnHub.com]
Status: [In Progress]
Methodology
Discovery
Setup some env vars to speed up our execution
$ export T=192.168.56.101Service discovery
# Nmap 7.70 scan initiated Wed Jul 18 07:39:40 2018 as: nmap -sV -sT -T5 -p- -o /media/sf_VM_Transfer/Pentesting/Temple_of_Doom//nmap.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0017s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
666/tcp open http Node.js Express framework
MAC Address: 08:00:27:BB:24:1C (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 18 07:40:19 2018 -- 1 IP address (1 host up) scanned in 38.75 secondsEntry Point #1 - Port 666 (nodejs)
Enumeration
Hitting http://192.168.56.101:666 presents us with "under construction". Refreshing the page results in an interesting error.
SyntaxError: Unexpected token F in JSON at position 79
at JSON.parse (<anonymous>)
at Object.exports.unserialize (/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/nodeadmin/.web/server.js:12:29
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at /home/nodeadmin/.web/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:335:12)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:275:10)Upon further examiniation as to what could've triggered that behavior it became apparent that their service is setting a cookie profile, containing some sort of base64 encoded string
eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3DWhich decodes to the following JSON object.
'{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}7'As we can see, there are obvious typos which will break JSON interpreter. What is more important at this point is that we have Something that breaks!!!! and so let's try using it to our advantage!
Exploitation
xxx xxx xxx
xxx
xxxxxx
xxx
xxxFinal Notes
xxx
Appendix A: Vulnerability Detail and Mitigation
| Rating | High |
| Description | xxxx |
| Impact | xxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Remediation | xxxxxxxxxxxxxxxxx |