Table of Contents
- Technologies
- Enumeration
- Identification
- Exploitation
- URL Encoding
- Globals
- Debrief
Technologies
Expected technologies I used:
nmap
xss
wappalyzer
burpsuite
foxyproxy
URL encoding
node.js
Handlebars
Special Mentions: Linux, SMB, Web, JS, SSTI
Enumeration
nmap
- -sC: Performs a script scan using the default set of scripts
- -sV: Version detection
- -v: Increases the verbosity level
Upon visiting port 80, I try various methods to exploit the site but then focus on this reflected output after submitting a fake contact email. Potential XSS exploit.
I use Wappalyzer to scan the site for information to assist with XSS. Wappalyzer is installed as a browser extension, so we just reload the main page.
Node.js and Python web backend servers often make use of software called "Template Engines".
With Node.js websites there is a good possibility that a Template Engine is being used to reflect the email.
Identification
Here I plan to use an exploit called SSTI that I found on HackTricks for this particular Template Engine.
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
I focus on this exploit since the input is mainly plain text and the form possibly relies on email input validation.
Here I see that it worked.
Thanks to this error message, at parser.parse, I find out that the Template Engine being used is Handlebars and that it is located in the /root/backend directory.
Exploitation
I open Burp Suite to capture a POST and edit it to deliver the payload, using the same exploit from before that caused the error message.
I first send the HTTP packet to the Repeater module.
URL Encoding
Then, using the HackTricks exploit listed under Handlebars (NodeJS), I copy it and URL encode it so that the web server will read it.
Note: if you copy-paste it, there is already a URL-encoded version, so be sure to either delete it or use it.
And of course you paste it exactly after email= and before &action.
The response was pretty disheartening, as the payload errors out.
Apparently, require is a keyword in JavaScript/Node.js used to load code from other modules or files, so it will not allow me to execute our payload.
Globals
The best site to use for this would be nodejs.org.
It listed all of the information I needed in order to make this exploit work, specifically process.
I do the exact same thing as before, substituting the require-based command with just process.
Touchdown
I need to keep pushing in order to be able to execute my child_process, so I focus on the code and notice it has an object, process, which could be used as an exploit.
Reading through nodejs.org I find that the process object has a mainModule property, which is a good sign as it can get us the foothold we need in order to execute our payload properly.
Although the page lists process.mainModule as deprecated, I still attempt it as it will give me the results I need.
I do the same steps as before and use the newly found commands with the exploit.
It did not actually tell me whoami, but I try to run a command as root to see if it will execute a different command, as it completely just deleted the process object [].
I got the other Linux commands to execute as root nonetheless, so I began to dig for the root directory to get the flag.
At this point all I did was execute cat in order to view the flag.txt.
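Since the contact form's email field is where these probes land, here is an added example (my own code, not from the box or the author) of a log check a defender could run: it parses constructed request-log lines, URL-decodes each form field repeatedly so a double-encoded payload (the encoding overlap the note under URL Encoding warns about) is still unwrapped, and flags template syntax or Node.js object names in the submitted values. The log format and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample of application request-log lines (not taken from the box):
# client IP, method, path, then the raw URL-encoded POST body of the contact form.
SAMPLE_LOG = """\
10.10.14.2 POST / email=alice%40example.com&action=Submit
10.10.14.9 POST / email=%7B%7B7*7%7D%7D&action=Submit
10.10.14.9 POST / email=%257B%257Bprocess.mainModule%257D%257D&action=Submit
10.10.14.3 POST / email=bob%2Btest%40example.com&action=Submit
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<body>.*)$")
MUSTACHE_RE = re.compile(r"\{\{.*?\}\}", re.S)
# Node.js names that have no business in an e-mail address but show up in SSTI probes
SUSPICIOUS_TOKENS = ("process", "mainModule", "require", "child_process")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo URL encoding until the value stops changing, so double encoding is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_body(body: str) -> list[str]:
    """Return the reasons a form body looks like a template-injection probe (empty if clean)."""
    reasons = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:  # parse_qs already stripped one layer of encoding
            value = fully_decode(raw)
            if MUSTACHE_RE.search(value):
                reasons.append(f"{name}: template expression {{{{...}}}}")
            hits = [t for t in SUSPICIOUS_TOKENS if t in value]
            if hits:
                reasons.append(f"{name}: node tokens {','.join(hits)}")
    return reasons


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, reason) for every POST in the log that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("method") == "POST":
            for reason in classify_body(m.group("body")):
                findings.append((m.group("ip"), reason))
    return findings
```

Running scan_log(SAMPLE_LOG) reports only the two requests from 10.10.14.9; the two ordinary addresses, including the one with an encoded plus sign, pass clean.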
Debrief
For the most part, the technologies have already been outlined; this is just my personal take on this box.
Very fun box, and I just loved the use of Burp Suite and Node.js in this one so much.
This was an excellent starting point box and I thoroughly enjoyed my time, as always.