Tico
Information
This was an easy challenge if you knew where to look! Research skills have improved and I was able to exploit the target quickly.
Difficulty
Hard
Community Rating
Very Hard
Enumerated Ports & Services
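| Port | Service | Protocol |
|------|---------|----------|
| 21 | vsftpd 3.0.3 | TCP (6) |
| 22 | SSH OpenSSH 7.6p1 | TCP (6) |
| 80 | Webserver - Nginx 1.14.0 | TCP (6) |
| 8080 | Web server hosting NodeBB (more likely a Node.js project) | TCP (6) |
| 11211 | memcached 1.5.6 | TCP (6) |
| 27017 | mongodb | TCP (6) |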
Findings
Port 8080 is hosting the NodeBB web application. After researching NodeBB with searchsploit, I found two exploits:

The account takeover exploit provides instructions on taking over the admin account after registering a regular user on the platform.
After visiting links, I enumerated the user admin. I was allowed to register a user, qwerty:


CVE-2020-15149: Privilege escalation via account takeover nodebb
After creating the user, I was able to take over the account by intercepting the traffic with Burp Suite and capturing the password change process:


Then, I was able to take over the admin account by logging in to the account:

Privilege Escalation: Arbitrary File Write
The second searchsploit result, NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write, worked with the admin credentials. I generated an SSH key and used the exploit to insert the public key into root's authorized_keys file:


After executing the exploit, I was able to log in to the system with full root privileges and access the user's home directory, which allowed me to capture the local.txt flag as well as root's proof.txt:
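
From the defender's side, the write above only reaches root's authorized_keys because a client-controlled file name is not confined to the upload directory. The following is an added example, not code from this write-up, from NodeBB or from its emoji plugin; `UPLOAD_ROOT`, `resolveInside`, `auditNames` and the sample names are assumptions constructed for illustration.

```javascript
const path = require('path');

// Hypothetical upload root for this example; not a path taken from the plugin.
const UPLOAD_ROOT = '/srv/forum/uploads/emoji';

// Resolve a client-supplied file name under `root`. Returns the absolute
// target path, or null when it would land outside `root`.
// This is a lexical check: it does not follow symlinks, so a real handler
// should also compare fs.realpathSync() of the parent directory.
function resolveInside(root, clientName) {
  if (typeof clientName !== 'string' || clientName.length === 0) return null;
  if (clientName.includes('\0')) return null;            // NUL truncation tricks
  const base = path.posix.resolve(root);
  const target = path.posix.resolve(base, clientName);   // collapses ../ and absolute names
  const rel = path.posix.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel);
  if (rel === '' || escapes) return null;                 // the root itself is not a file
  return target;
}

// Classify a batch of names, e.g. the file names from a multipart upload.
function auditNames(names, root = UPLOAD_ROOT) {
  return names.map((name) => {
    const target = resolveInside(root, name);
    return { name, allowed: target !== null, target };
  });
}

// Constructed sample input: two ordinary names and the kind of name an
// arbitrary-file-write request would carry.
const SAMPLE_NAMES = [
  'smile.png',
  'packs/../cat.png',
  '../../../../root/.ssh/authorized_keys',
  '/root/.ssh/authorized_keys',
];

for (const r of auditNames(SAMPLE_NAMES)) {
  console.log(r.allowed ? 'ALLOW' : 'DENY ', JSON.stringify(r.name), r.target || '');
}
```

Path confinement limits where a write can land; running the forum process as an unprivileged account limits what any remaining write can overwrite, since root's authorized_keys is writable only by root.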

Final Notes
Getting better at enumeration and exploit research. This challenge proved that my skills in finding and exploiting vulnerabilities are improving.
