Temple of Doom: 1

[ vulnhub  ctf  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/temple-of-doom-1,243/

Walkthrough

nmap scan (screenshot)

default page on port 666 (screenshot)

refreshing the page, we see an Express/Node.js error (screenshot)

Burp shows an encoded cookie (screenshot)

sending it to the decoder: it's passing a username and token (screenshot)

we find the error: a quote is missing before Friday; we add it and encode again (screenshot)

sending the updated cookie, the page works and we're greeted with the username (screenshot)

after much searching, this post points to Node.js deserialization as the right track
as in the post, nodejsshell is used to create the reverse shell payload (screenshot)

creating the payload as in the post, we then encode it (screenshot)

using Repeater, we get our reverse shell as user nodeadmin (screenshot)
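The root cause of this foothold is a cookie whose contents are deserialized by code that can rebuild and run functions. As an added example (not from this walkthrough and not the VM's own code), here is how the same profile cookie can be handled as plain data instead: base64-decode, JSON.parse, then check every field against an allow-list. The field names username, token and expires are assumed for the example; the vulnerable pattern is shown only as a comment.

```javascript
// Added example (not from the walkthrough): handle the profile cookie as
// data instead of handing it to node-serialize. Field names "username",
// "token" and "expires" are assumed for this example.
//
// Vulnerable pattern, described rather than run here:
//   const profile = serialize.unserialize(
//     Buffer.from(req.cookies.profile, 'base64').toString());
// node-serialize rebuilds function values from strings while unserializing,
// so whoever controls the cookie controls code that runs on the server.

const MAX_COOKIE_CHARS = 1024;
const ALLOWED_FIELDS = ['username', 'token', 'expires'];

function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Returns { ok: true, profile } or { ok: false, error }. Never throws, so a
// malformed cookie cannot surface as a stack trace to the client (the
// missing-quote cookie in the walkthrough produced exactly that kind of page).
function parseProfileCookie(cookie) {
  if (typeof cookie !== 'string' || cookie.length === 0 ||
      cookie.length > MAX_COOKIE_CHARS) {
    return { ok: false, error: 'cookie missing or oversized' };
  }
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(cookie)) {
    return { ok: false, error: 'cookie is not base64' };
  }
  let data;
  try {
    // JSON.parse only builds strings, numbers, arrays and plain objects;
    // it never evaluates code, unlike node-serialize's unserialize.
    data = JSON.parse(Buffer.from(cookie, 'base64').toString('utf8'));
  } catch (e) {
    return { ok: false, error: 'cookie is not valid JSON' };
  }
  if (!isPlainObject(data)) {
    return { ok: false, error: 'cookie must be a JSON object' };
  }
  // Reject anything outside the allow-list (this also catches "__proto__").
  for (const key of Object.keys(data)) {
    if (!ALLOWED_FIELDS.includes(key)) {
      return { ok: false, error: `unexpected field ${key}` };
    }
  }
  const { username, token, expires } = data;
  if (typeof username !== 'string' || !/^[A-Za-z0-9_.-]{1,32}$/.test(username)) {
    return { ok: false, error: 'bad username' };
  }
  if (typeof token !== 'string' || !/^[A-Za-z0-9]{8,128}$/.test(token)) {
    return { ok: false, error: 'bad token' };
  }
  if (typeof expires !== 'string' || Number.isNaN(Date.parse(expires))) {
    return { ok: false, error: 'bad expires' };
  }
  return { ok: true, profile: { username, token, expires } };
}

// Server-side encoder for the same format (constructed sample values below).
function encodeProfileCookie(profile) {
  return Buffer.from(JSON.stringify(profile), 'utf8').toString('base64');
}

// Runs the parser over a valid cookie and over one with the quote missing
// before the date, like the cookie the walkthrough had to repair.
function exampleRun() {
  const good = encodeProfileCookie({
    username: 'nodeadmin',
    token: 'a1b2c3d4e5f6',
    expires: 'Fri, 13 Jul 2018 00:00:00 GMT',
  });
  const broken = Buffer.from(
    '{"username":"nodeadmin","token":"a1b2c3d4e5f6","expires":Fri, 13 Jul 2018}',
  ).toString('base64');
  return { good: parseProfileCookie(good), broken: parseProfileCookie(broken) };
}
```

The point of the allow-list plus per-field regexes is that the server never trusts the cookie's shape: an unexpected key, a non-string value or unparsable JSON all produce a clean rejection rather than an error page or, in the node-serialize case, code execution.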

another user exists: fireman (screenshot)

we find that ss-manager is being run as fireman by root (screenshot)

after some searching, this post shows a bug in ss-manager and how to execute commands through it
using this information, another reverse shell is created as user fireman (screenshot)

we find that some commands can be run with sudo without a password (screenshot)

after some searching, this post shows how to run commands via sudo and tcpdump
using this information, a script is crafted for another reverse shell, this time as root (screenshot)
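The last step hinges on a sudo rule that lets fireman run tcpdump as root with no password; tcpdump can be told to execute a program, so such a rule is equivalent to handing out root. As an added example (not part of the walkthrough), the following audits sudoers text for NOPASSWD rules, carrying the tag state across comma-separated command lists and backslash line continuations the way sudoers does. The sample file is constructed for the example and is not the VM's real sudoers.

```javascript
// Added example (not from the walkthrough): flag sudo rules that let a user
// run commands as another user with no password, the condition found for
// fireman on this box. SAMPLE_SUDOERS is constructed for the example.

const SAMPLE_SUDOERS = [
  '# constructed sample sudoers, not the VM\'s real file',
  'Defaults env_reset',
  'Cmnd_Alias NET = /sbin/ifconfig, /sbin/route',
  'root ALL=(ALL:ALL) ALL',
  '%sudo ALL=(ALL:ALL) ALL',
  'fireman ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump, \\',
  '    /bin/ls',
  'backup ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/cat',
].join('\n');

// Join lines that end in a backslash, as sudoers allows.
function joinContinuations(text) {
  const out = [];
  let buf = '';
  for (const line of text.split('\n')) {
    if (line.endsWith('\\')) {
      buf += line.slice(0, -1);
      continue;
    }
    out.push(buf + line);
    buf = '';
  }
  if (buf) out.push(buf);
  return out;
}

// Parse one user specification: user host=(runas) [TAG:] cmd, [TAG:] cmd ...
// A tag applies to the command it precedes and to every later command in the
// same list until another tag changes it, so NOPASSWD/PASSWD state is carried.
function parseRule(line) {
  const m = /^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$/.exec(line);
  if (!m) return null;
  const [, user, host, runas, spec] = m;
  const commands = [];
  let nopasswd = false;
  for (let item of spec.split(',')) {
    item = item.trim();
    let tag;
    while ((tag = /^([A-Z_]+):\s*/.exec(item)) !== null) {
      if (tag[1] === 'NOPASSWD') nopasswd = true;
      else if (tag[1] === 'PASSWD') nopasswd = false;
      item = item.slice(tag[0].length);
    }
    if (item) commands.push({ command: item, nopasswd });
  }
  return { user, host, runas: runas === undefined ? 'root' : runas, commands };
}

// Return every user specification, skipping comments, includes, Defaults
// and alias definitions.
function parseSudoers(text) {
  const rules = [];
  for (const raw of joinContinuations(text)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('@')) continue;
    if (/^(Defaults|\w+_Alias)\b/.test(line)) continue;
    const rule = parseRule(line);
    if (rule) rules.push(rule);
  }
  return rules;
}

// The audit itself: each command a user may run without a password.
function findNopasswdCommands(text) {
  const findings = [];
  for (const rule of parseSudoers(text)) {
    for (const c of rule.commands) {
      if (c.nopasswd) {
        findings.push({ user: rule.user, runas: rule.runas, command: c.command });
      }
    }
  }
  return findings;
}

for (const f of findNopasswdCommands(SAMPLE_SUDOERS)) {
  console.log(`${f.user} may run ${f.command} as ${f.runas} without a password`);
}
```

On the sample, the audit reports tcpdump and ls for fireman and rsync for backup, and nothing for root or %sudo, whose rules still require a password. Any hit on a binary that can spawn a program or write arbitrary files deserves the same treatment as a direct root grant.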

from here we get the flag; game over (screenshot)

Written on July 18, 2018