Sws101_vulnnet
Topic : VulnNet: Node - TryHackMe Walkthrough
Introduction:
In this journal entry, I will be reflecting on my experience completing the VulnNet: Node CTF is another TryHackMe walk through. This CTF was good fun and provided a good level of complexity to tackle issues with web application security, privileges, and systems.
Walkthrough:
My first step was to scan the target network, which said there is web application running in the port 8080 using Node. js and Express platform It is therefore important to clearly understand and define the following components of js and the Express framework. If I had reviewed the source of the web app, I would have discovered a dummy login page with no server-side interaction and a session cookie comprised of base64 and JSON.
Considering the further testing of JSON data and trying to fake it, I found out that passing invalid JSON led to an exception being thrown which refers to the usage of the node-serialize library. Everything found during the research of this library revealed a severe security concern that may cause remote code execution through deserialization.
To achieve that, I built a payload based on a reverse shell and set it as the session cookie. I was ready, then I refreshed the page and got my nc -lvtp listener working, with the result of getting a reverse shell with www user. However, the user. But as you may have noted the txt flag was not available at this stage.
As you can see from the linpeas output, and further investigation, I learned that I could run npm as the serv-manage user. So, using GTFOBins, I created a package suitable for my goals. One test had injectable commands in the preinstall section of a . json file and opened a shell as part of the test. If I were to type npm install as the serv-manage, it meant that I was unlocking their account and retrieving the user. txt flag.
The last activity was to grant the highest access level, specifically root. I discovered I could run specific systemctl commands to do so as root. By modifying the vulnnet-auto. timer and vulnnet-job. present in greater numbers to perform services files to run more frequently and to duplicate the root. uploading /tmp/root. txt to /home/user with correct permissions got me the root flag after running the proper systemctl commands
Conclusion:
The VulnNet: It was a real experience of vulnerabilities that could be seen in web applications and even in systems configurations the best was provided by Node CTF. It emphasized that enumeration should be done properly and the technology should be understood and weaknesses should be found on the network so as to gain unauthorized access. This CTF solidified the importance of not only keeping up with the latest research but also knowing what threats can arise when using external/3rd party libraries. It also exposed systemd timers and services as very useful in escalating privileges whenever there is a configuration loophole.
Its interesting that I was able to complete this CTF individually; the process helped me to use most of the knowledge I have and the skills I have acquired as well. It challenged me to innovate and develop access strategies for the different tactics that I wanted to implement. Overall, the VulnNet: Overall Node CTF proved out to be practical exposure for members studying web application security along with other important areas like privilege escalation and system exploitation. It BOB stressed the importance of keeping learning from such incidents by updating one’s knowledge as well as staying alert with the perpetually changing realities in cyber security.