Here is the approach I used:
Step 1: discover the IP address of the box:
This can be done by running the command arp-scan -l (it needs root, which the Kali prompt below already has).
Note: I am running my Node:1 box in VMware, in the same virtual network as my Kali Linux, which is my favorite pen test distribution.
Now that we have a list of all hosts present on the local network, we can scan the services running on the box with an Nmap scan:
Nmap returned the result above, meaning there are a total of 2 ports listening for connections.
After running Nmap in verbose mode I noted that the SSH service was up to date (version 7.2), so it would be difficult to use it as my entry point. Therefore, I focused on port 3000.
I entered the IP address of the box and port 3000 into a web browser.
I discovered a web application was running, so my next step was to enumerate the app to find either interesting directories or weak credentials in use.
This took me some time, but it opened a door for me since I managed to find an API call. My favorite tool for this is DIRB:
root@kali:~# dirb http://192.168.56.101:3000/ /usr/share/wordlists/dirb/common.txt
With the help of this tool plus some manual searching, I managed to find this interesting path:
API responses can contain credentials that are used for authentication. Therefore, I was convinced there was potential here and loaded the URL:
To save time, I pasted those three hashes into an online MD5 lookup (md5decrypt) and managed to get the first two passwords: SpongeBob and snowflake.
The third one was not found, meaning it was a strong password.
Unfortunately, none of these users were admins, meaning the struggle continues.
NOW, WHAT NEXT!!
As usual, never give up on this; keep trying. I decided to enumerate the directories even more and managed to discover yet another API call, which had a more promising look.
I quickly entered this URL with a lot of hope.
Similar to what I got from the other API call, I managed to get 4 hashes.
Let's try to crack the first user's hash using the same MD5 lookup (md5decrypt).
We were lucky: the tool managed to crack this successfully, and we have our password, Manchester.
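Both API calls above returned user records with their password hashes in the response body, and the hashes were unsalted MD5, which is why a lookup service could reverse most of them in seconds. The following Python is an added example (not code from the Node:1 box or from the author of this walkthrough) of the two fixes a defender would apply to such an endpoint: strip credential fields before serializing a record, and store passwords with a salted, slow KDF (PBKDF2-HMAC-SHA256 via hashlib) so that a leaked hash cannot be reversed with a lookup table. The field names, the sample record and the sample password are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Keys that must never leave the server in an API response (constructed list for the example).
SENSITIVE_FIELDS = {"password", "password_hash", "salt", "secret"}


def sanitize_user(record: dict) -> dict:
    """Return a copy of a user document with credential material removed, recursively.

    Document-store records often nest objects and lists, so the walk descends into both.
    """
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELDS:
            continue
        if isinstance(value, dict):
            value = sanitize_user(value)
        elif isinstance(value, list):
            value = [sanitize_user(v) if isinstance(v, dict) else v for v in value]
        clean[key] = value
    return clean


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own parameters,
    so the iteration count can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample record in the shape a "users" endpoint might pull from a document store.
SAMPLE_USERS = [
    {
        "_id": "1",
        "username": "example-user",
        "password": hash_password("correct-horse-example"),
        "is_admin": False,
    },
]


def users_api_response(records) -> str:
    """What the endpoint should serialize: the records minus every credential field."""
    return json.dumps([sanitize_user(r) for r in records])


if __name__ == "__main__":
    print(users_api_response(SAMPLE_USERS))
    print(verify_password("correct-horse-example", SAMPLE_USERS[0]["password"]))
```

The sanitizer is applied at the serialization boundary rather than at the query, so a new field added to the collection later cannot leak by accident; the KDF change is what turns "hash found in a lookup table" into "hash costs a per-guess computation with a unique salt".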
Login here using our new credentials:
After login we have this link to download some file.
After downloading this file, another problem arises: the file is base64-encoded, and the decoded content is a password-protected zip archive.
Without wasting more time, I used fcrackzip with rockyou.txt, a wordlist that ships with the Kali distribution.
This is the command I used to crack the file.
To unzip the file, I used the following command:
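Recognising what the downloaded base64 blob actually contains is a routine forensic step before any cracker is involved: decode it, look at the magic bytes, and read the zip local file header to see whether the entry is flagged as encrypted. The Python below is an added example written for this walkthrough, not a tool from the original post; the zip header it inspects is a constructed sample built from the PKZIP local-file-header layout, and the entry name example.txt is chosen for illustration.

```python
import base64
import binascii
import struct

# ZIP local file header (PKZIP APPNOTE 4.3.7), little-endian:
# signature, version needed, flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_MAGIC = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: the entry is password protected


def identify_base64_blob(text: str) -> dict:
    """Decode a base64 text blob (wrapped lines allowed) and describe the payload."""
    try:
        # With validate=False (the default) newlines and other non-alphabet
        # characters are discarded, which is how base64 files are usually wrapped.
        raw = base64.b64decode(text)
    except (binascii.Error, ValueError):
        return {"format": "not-base64"}
    info = {"format": "unknown", "size": len(raw)}
    if len(raw) < LOCAL_HEADER.size or not raw.startswith(ZIP_MAGIC):
        return info
    (_sig, _version, flags, method, _mtime, _mdate,
     _crc, _csize, _usize, name_len, _extra_len) = LOCAL_HEADER.unpack_from(raw)
    start = LOCAL_HEADER.size
    name = raw[start:start + name_len].decode("utf-8", "replace")
    info.update({
        "format": "zip",
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "first_entry": name,
        "compression_method": method,  # 0 = stored, 8 = deflate
    })
    return info


def make_sample_header(name: bytes, encrypted: bool) -> bytes:
    """Build a minimal local file header (constructed sample, no entry data follows)."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    return LOCAL_HEADER.pack(ZIP_MAGIC, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0) + name


# Constructed inputs: a wrapped base64 file (76-column lines, as encodebytes emits),
# the same header without the encryption flag, and a non-zip payload.
SAMPLE_B64 = base64.encodebytes(make_sample_header(b"example.txt", True)).decode("ascii")
UNENCRYPTED_B64 = base64.b64encode(make_sample_header(b"example.txt", False)).decode("ascii")
PLAIN_B64 = base64.b64encode(b"just text").decode("ascii")


if __name__ == "__main__":
    for blob in (SAMPLE_B64, UNENCRYPTED_B64, PLAIN_B64, "abc"):
        print(identify_base64_blob(blob))
```

Only the first local header is read, which is enough to answer the two questions that matter at this point (is it a zip, and is the entry encrypted); a full listing would walk the central directory instead, as unzip -l does.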
After extracting the archive, I found an interesting file which, on inspection, turned out to be a MongoDB connection configuration file. The credentials in it belong to mark, meaning we can try to SSH into the box using the same credentials.
Now I try to SSH into the box using those credentials and see if it works:
Finally, we have managed to SSH into the box as mark.
Remember, mark is not a superuser, but we can use his account for further enumeration.
So, let's get the kernel version and see if it is vulnerable:
Great, we can use exploit EDB-44298, since the kernel version running on the box is not patched.
We are now root:
The root flag can be read from the /root folder: 1722e99ca5f353b362556a62bd5e6be0
Node:1 remains one of the best labs to grow your pen test skills, and it also shows how dangerous an exposed API can be. Using an API as the entry point makes a lot of sense, since APIs are commonplace in modern applications and, if not well managed, can open a hole into the system.