GLITCH | TryHackMe Walkthrough

Nihir Zala
4 min read · Feb 23, 2023


Initial access

After deploying the machine and performing a simple Nmap scan, we can see Nginx running on port 80.

Accessing the website, there is not much going on. The only thing we find is a glitch image. Checking out the source code, a JavaScript function named getAccess is declared but never called. The function makes a GET request to /api/access and logs the response to the console.

We can execute the function ourselves from the developer tools console. It logs an object with a token property.

That string is Base64 encoded. Let’s decode it with CyberChef.

Now, taking a look at our cookies, a token with a default value is already set. Changing it to our value gives us access to the next page.

Path to RCE

Inspecting the page, there is not much user interaction either, just a VHS aesthetic themed website with a few buttons, but we observe that the source code links to a JavaScript file.

This code makes a GET request to /api/items, renders the returned items as boxes on the page, and then wires up a filtering feature for them. Since the API is the only interesting thing here, we can try to play with it.

Sending an unauthenticated GET request works.

Let’s try sending a POST request instead.

It responds with the message: “there_is_a_glitch_in_the_matrix”. To investigate this endpoint further, let’s try fuzzing for parameters.

We get a different response for cmd.

Reading through the error message, the application passes our argument straight to eval(), which evaluates arbitrary JavaScript inside the Node.js process.
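To make the bug concrete, here is an added example (mine, not code from the GLITCH box or from the original post): a pair of minimal request handlers in the style of an Express route. The first reproduces the flaw described above, where a `cmd` parameter reaches eval(); the second is the hardened form, which never evaluates input and only accepts an allow-listed filter name. The handler names, `ALLOWED_FILTERS`, and the sample item list are all assumptions made for this illustration.

```javascript
// Added example: vulnerable vs. hardened /api/items handler (not the box's code).
// Function names, ALLOWED_FILTERS and ITEMS are assumptions for illustration only.

// Constructed sample data standing in for whatever /api/items really returns.
const ITEMS = [
  { name: 'VHS Tape', category: 'media' },
  { name: 'CRT Monitor', category: 'hardware' },
  { name: 'Cassette', category: 'media' },
];

// VULNERABLE: the request parameter is handed to eval(). Whatever the caller
// sends is executed as JavaScript inside the Node.js process; this is the
// class of bug the walkthrough finds behind the `cmd` parameter.
function handleItemsVulnerable(params) {
  if (params.cmd !== undefined) {
    try {
      return { status: 200, body: eval(params.cmd) };
    } catch (err) {
      return { status: 500, body: String(err) };
    }
  }
  return { status: 200, body: ITEMS };
}

// HARDENED: no dynamic code execution at all. The only accepted parameter is
// `filter`, resolved through a fixed lookup table with an own-property check
// (so names like "__proto__" or "constructor" are not honoured). Any other
// parameter is rejected instead of interpreted.
const ALLOWED_FILTERS = {
  all: () => ITEMS,
  media: () => ITEMS.filter((i) => i.category === 'media'),
  hardware: () => ITEMS.filter((i) => i.category === 'hardware'),
};

function handleItemsHardened(params) {
  const unknown = Object.keys(params).filter((k) => k !== 'filter');
  if (unknown.length > 0) {
    return { status: 400, body: `unexpected parameter(s): ${unknown.join(', ')}` };
  }
  const filter = params.filter === undefined ? 'all' : String(params.filter);
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_FILTERS, filter)) {
    return { status: 400, body: 'unknown filter' };
  }
  return { status: 200, body: ALLOWED_FILTERS[filter]() };
}

// Stand-alone demo: the same input, two very different outcomes.
console.log(handleItemsVulnerable({ cmd: '6*7' })); // eval ran attacker-supplied code
console.log(handleItemsHardened({ cmd: '6*7' }));   // rejected with 400
console.log(handleItemsHardened({ filter: 'media' }));
```

The defensive point is that there is no "safe" way to eval a request parameter; the fix is to remove eval() entirely and map the small set of legitimate filter names onto code you wrote yourself. Rejecting unexpected parameters outright also turns parameter fuzzing into a stream of 400s that is easy to spot in the application logs.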

Now we know we have RCE on the box. Searching for ways to exploit it, the first Google result is this Medium post, and the reverse shell technique shown in that article gets us a shell.

Getting root

If we list the files in our user’s home directory, we find a Firefox profile folder.

With firefox_decrypt on our local attacker machine, the password for the user v0id is extracted.

Enumerating further, there are no special privileges, no scripts and no stray binaries. The only interesting thing is doas, a less bloated sudo alternative, and its rules allow us to execute commands as root.
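The walkthrough does not show the box's actual doas rules, so the following doas.conf is a hypothetical one I am adding purely to illustrate the difference between a rule that hands out a root shell and a rule scoped to one administrative task. The user name v0id is taken from the post; the command and arguments are assumptions.

```conf
# Hypothetical doas.conf, added as an illustration. This is NOT the GLITCH
# box's configuration, which the walkthrough does not show.

# Weak: v0id may run any command as root, with no password prompt. Once the
# account is compromised (here via the saved Firefox password), root follows.
permit nopass v0id as root

# Tighter: a password is required (cached briefly by "persist"), and only a
# single command with fixed arguments is permitted. Everything else is denied.
permit persist v0id as root cmd /usr/sbin/service args nginx restart
```

The lesson for a defender is the same as with sudo: a blanket "as root" rule for a service or personal account collapses the distance between a credential leak and full compromise, while a per-command rule keeps the blast radius at one action and leaves a log line per use.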

Conclusion

This was an easy box centered around that POST parameter which leads to RCE. I intend to create other challenges too, not so straightforward. I thought the Node.js RCE would be a nice thing to bring in a beginner web challenge. Thank you for your time and have fun hacking!

Written by Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning pentesting on THM and HTB.