Tico

Information

This was an easy challenge if you knew where to look! Research skills have improved and I was able to exploit the target quickly.

Name

Tico

Difficulty

Hard

Community Rating

Very Hard

Enumerated Ports & Services

Port

Description

Protocol

vftpd 3.0.3

TCP (6)

SSH OpenSSH 7.6p1

TCP (6)

Webserver - Nginx 1.14.0

TCP (6)

8080

Web Server. Hosting NodeBB. (More likely nodejs project)

TCP (6)

11211

memcached 1.5.6

TCP (6)

27017

mongodb

TCP (6)

Findings

Port 8080 is hosting NodeBB web application. After researching with searchsploit for NodeBB I found two exploits:

The Account takeover exploit provides instructions on taking over the admin account after registering a regular user in the platform.

After visiting links I enumerated the user admin. I was allowed to register a user, qwerty:

CVE-2020-15149: Privilege escalation via account takeover nodebb

After creating the user, I was able to take over the account by intercepting the traffic with Burpsuite and capturing the password change process:

Then, I was able to take over the admin account by logging in to the account:

Privilege Escalation: Abritrary File Write

The second searchsploit result, NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write worked with the admin credentials. I generated an SSH key, and used the exploit to insert the public key to root's authorized_keys file:

$ ssh-keygen -t rsa -t 4096

Note: Exploit code must be modified to your environment and admin credentials

After executing the exploit, I was able to login with full root privileges to the system and access to user's home directory which allowed me to capture the local.txt flag as well as root's proof.txt: