Hack the Box: Node

I ran Nmap.

nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -oA detailed_scan -n 10.10.10.58

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:20 EST
Nmap scan report for 10.10.10.58
Host is up, received user-set (0.28s latency).
Scanned at 2018-02-17 02:20:14 EST for 791s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwesV+Yg8+5O97ZnNFclkSnRTeyVnj6XokDNKjhB3+8R2I+r78qJmEgVr/SLJ44XjDzzlm0VGUqTmMP2KxANfISZWjv79Ljho3801fY4nbA43492r+6/VXeer0qhhTM4KhSPod5IxllSU6ZSqAV+O0ccf6FBxgEtiiWnE+ThrRiEjLYnZyyWUgi4pE/WPvaJDWtyfVQIrZohayy+pD7AzkLTrsvWzJVA8Vvf+Ysa0ElHfp3lRnw28WacWSaOyV0bsPdTgiiOwmoN8f9aKe5q7Pg4ZikkxNlqNG1EnuBThgMQbrx72kMHfRYvdwAqxOPbRjV96B2SWNWpxMEVL5tYGb
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQ4w0iqXrfz0H+KQEu5D6zKCfc6IOH2GRBKKkKOnP/0CrH2I4stmM1C2sGvPLSurZtohhC+l0OSjKaZTxPu4sU=
|   256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5cgCL/RuiM/AqWOqKOIL1uuLLjN9E5vDSBVDqIYU6y
3000/tcp open  http    syn-ack ttl 63 Node.js Express framework
| hadoop-datanode-info:
|_  Logs: /login
|_hadoop-jobtracker-info:
| hadoop-tasktracker-info:
|_  Logs: /login
|_hbase-master-info:
|_http-favicon: Unknown favicon MD5: 30F2CC86275A96B522F9818576EC65CF
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.2 - 4.8 (92%), Linux 3.10 - 4.8 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.8 - 3.11 (90%), Linux 4.4 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.60%E=4%D=2/17%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5A87DAC5%P=i686-pc-linux-gnu)
SEQ(SP=FF%GCD=1%ISR=FB%TI=Z%II=I%TS=8)
OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M508NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 0.014 days (since Sat Feb 17 02:13:15 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   301.92 ms 10.10.14.1
2   302.66 ms 10.10.10.58

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:33
Completed NSE at 02:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:33
Completed NSE at 02:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 794.34 seconds
           Raw packets sent: 131581 (5.793MB) | Rcvd: 467 (21.244KB)

I checked port 3000, which is running the Node.js Express framework.

While browsing the pages, I noticed a page that showed user information such as ID, username, password hash, and whether the user is an admin.
