Official Stocker Discussion

I'm lost for root. I can't find any obvious privesc paths. I should be able to run JavaScript files in the /usr/local/scripts directory, but I can't figure out that angle of attack. I can't create or read any .js files in that directory. Tips?

Take a look at this, it really helped me to root it.

You're absolutely right, it is not possible to read almost any of the files in the directory you mentioned. Nevertheless, if you pay careful attention to what you run those .js files with, you'll be able to consult a VERY well-known GetThe****Out site which proliferates with scripts at your disposal, at which point you simply have to craft it as a file. You then simply have to read the quote from socks that I embedded in this answer; it's the last sentence.


Finally rooted. Was a real pain figuring out how to get the GTFO script into JS format.

This was a fun box with a few skill stretches for beginners. Remember to check your content types!

Looking for some help with the login bypass. Used vhost fuzzing to find the subdomain, and whatweb/Wappalyzer to determine the web framework and that there was likely a NoSQL injection. Determined a username to try from the main website. Watched IppSec's Shoppy video and tried several attempts with Burp Intruder using PayloadsAllTheThings/NoSQL.txt at master · swisskyrepo/PayloadsAllTheThings · GitHub, but still not having much luck. Appreciate any help!

Update: Never mind, gave a few more of the example tries from the README using JSON, and that managed to bypass the login.
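The bypass the post above describes, as an added example that is not part of the thread and not the box's own code: a JSON body carrying a query operator is passed straight into the database lookup, so `{"$ne": ""}` in the password field matches any real password. Assumptions: an Express-style handler that does `findOne({ username: body.username, password: body.password })` against MongoDB; to keep the file runnable offline, `matchesField()` below is a constructed stand-in for the handful of MongoDB operators involved, and the user records are made up.

```javascript
// Added example: JSON operator injection against a naive login query, and the
// type check that closes it. The in-memory matcher is a constructed model of
// MongoDB's $ne / $gt / $regex behaviour, not the real driver.

// Constructed sample user table; the passwords are invented for this example.
const USERS = [
  { username: "admin", password: "not-the-real-one" },
  { username: "angoose", password: "also-made-up" },
];

// Evaluate one document field against a query condition. A plain value means
// equality; an object means operator(s). That second branch is the whole bug:
// a JSON body can supply an object where the developer expected a string.
function matchesField(value, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne":
          return value !== arg;
        case "$gt":
          return value > arg;
        case "$regex":
          return new RegExp(arg).test(String(value));
        default:
          throw new Error(`operator ${op} is not modelled in this example`);
      }
    });
  }
  return value === cond;
}

// Minimal findOne: first document for which every query field matches.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond))
  );
  return hit === undefined ? null : hit;
}

// Vulnerable handler: whatever the client sent becomes the query conditions.
function loginVulnerable(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// Hardened handler: credentials must be strings, so an operator object can
// never reach the query. (Password hashing is a separate concern, left out.)
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    return null;
  }
  return findOne(USERS, { username, password });
}

// Constructed request bodies, as a JSON body parser would hand them over.
const BYPASS_BODY = JSON.parse('{"username":"admin","password":{"$ne":""}}');
const REGEX_BODY = JSON.parse(
  '{"username":{"$regex":"^adm"},"password":{"$regex":".*"}}'
);

console.log("vulnerable, $ne body  :", loginVulnerable(BYPASS_BODY));
console.log("vulnerable, $regex body:", loginVulnerable(REGEX_BODY));
console.log("hardened,   $ne body  :", loginHardened(BYPASS_BODY));
```

The `$regex` variant is why the same bug also leaks data: with `"^adm"` narrowed character by character, each login response tells you whether a prefix of the username or password is right. Note that a form-encoded body cannot express these nested objects; it is the JSON parser that makes the attack reachable, which is the point of the "check your content types" remark elsewhere in this thread.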

Got both flags… don't hesitate to message me if you need a nudge.

Thanks for this, but I still don't understand why we have to place our exploit in the /tmp folder.

And how did you manage to get that "/var/www/dev/index.js" click?

You can place it in /home/angoose too.

There is no benefit to placing it there, because as a user we have full access to our own directory; what we want is to execute the file as root.

Get the content of the nginx configuration first using the payload <iframe height='1070' width='800' src='file:///etc/nginx/nginx.conf'></iframe>. At the very end, you will see the root folder for the Node.js app and its default files.
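The payload above works because user-supplied text is placed into HTML that a server-side renderer then turns into a document, and that renderer is allowed to follow file:// URLs. As an added example (not code from the thread or the box), here is the check a defender would put in front of such a renderer: escaping the input so it never becomes markup, plus a detect-only scan for local-file references that is useful for logging and for tests. It assumes the application interpolates a user-controlled field into an HTML template; the sample inputs are constructed, the first one being the exact payload from the post.

```javascript
// Added example: defensive handling of user HTML destined for a document
// renderer. escapeHtml() is the actual fix; findLocalFileReferences() is a
// detection aid only. Regex scanning of HTML is bypassable by design, which is
// why it must never be the sole control.

// Escape the characters that let text become markup inside an HTML body.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Tags and attributes through which a renderer would fetch a URL.
const TAG_ATTR =
  /<\s*(?:iframe|frame|img|object|embed|script|link|a|source)\b[^>]*?\b(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Undo the numeric/ampersand entities an attacker can use to hide the scheme
// (e.g. &#x66;ile: for file:).
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/g, "&");
}

// Return the raw attribute values whose scheme resolves to file:, after
// entity decoding and removal of the control characters browsers ignore.
function findLocalFileReferences(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_ATTR)) {
    const raw = m[1] ?? m[2] ?? m[3] ?? "";
    const url = decodeEntities(raw).replace(/[\u0000-\u0020]+/g, "").toLowerCase();
    if (url.startsWith("file:")) hits.push(raw);
  }
  return hits;
}

// Constructed inputs. SAMPLE_PAYLOAD is the iframe from the post above.
const SAMPLE_PAYLOAD =
  "<iframe height='1070' width='800' src='file:///etc/nginx/nginx.conf'></iframe>";
const ENCODED_PAYLOAD = '<iframe src="&#x66;ile:///etc/passwd"></iframe>';
const BENIGN_HTML = '<p>Thanks for your order</p><img src="https://example.invalid/logo.png">';

for (const html of [SAMPLE_PAYLOAD, ENCODED_PAYLOAD, BENIGN_HTML]) {
  console.log("local file refs:", findLocalFileReferences(html));
  console.log("escaped        :", escapeHtml(html));
}
```

Escaping is what makes the attack impossible: the escaped payload renders as the literal text of the tag rather than as an iframe. Beyond that, the renderer itself should not be able to reach local files at all, which is a setting on the rendering side rather than something input filtering can guarantee.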

Hi! I know how to extract files from the file system (tested against /etc/passwd), but I cannot locate interesting config files in the www directory (I googled a lot for the directory structure of the framework used, but none of the files I tested turned up anything). Can someone give me a hint about what I am missing?