Port enumeration

Using nmap I found 2 open ports, 22 and 5000. 6089ddc9209ccf0a02e02bbcbaec40f3.png In port 5000, I found a Node.js instance. e4224e26b3acd55ecc63948355bf2bc2.png

Web enumeration

In this web page I only found a login form. 7e784a2063bf3576ab2c6234c5be7f8e.png

NoSQLInjection

After some time, I decided to change the form encoded type, by default, uses x-www-form-urlencoded, but also accepts json. 7a2a8a03337459f5bee3609b92152357.png 6ffb951ec7496271ce33219c8731380d.png Using this json, I can execute nosql injection to bypass the login form. 4cd1707ec05757577acea130f2dbb7a3.png

Dashboard enumeration

This page allows me to upload articles into the server. 45fb62e3085ee327f49c0838a6ab88a2.png The page needs a XML document. ab0a5b77cd8894b991d8849fdb5c1fdf.png

XEE

I created a malicious xml document. aadeecfb9dfae9729a1496bd5fe2ce46.png And it works. 5186ea04bc932546992343ecddc11c1a.png With this, we can idetify the user admin, but I didn't found keys or credentials, so, it looks like a rabit hole.

Insecure Deserialization to RCE

After some enumeration I found that this version have a insecure deserialization vulnerability in the function deserialize(). 0efb7c67c87d32d330cc140a8b395fee.png Reading the main.js code, I found that this function is been used. 31f35f719017f1c7f66da615f7064860.png With a bit more enumeration, I found the unserialized code in the cookie auth. a1afdb8cc2e6e197a729c5e0fa622d77.png With this cookie, I delivered the payload with a reverse shell. 7fc1f8923d67038539ef61021024dbed.png 32053a915f49b03db4d9987a2b4a3c46.png

Local machine enumeration

Inside the mongodb I found the admin user password. faed26135057f8344776af2108a188a3.png Admin is a sudogroup user, so, I just used sudo su to get a root shell. a70aa8aebc542f9d7f70dafbe5dc16fe.png 945a644de7a4c0820df5a5bf3b33f722.png