Node-RED


The Node-RED instance is confirmed to be running under the security context of the sahay user.

www-data@frolic:/home/sahay$ ll
total 48K
4.0K drwx------   3 sahay sahay 4.0K Sep  9  2022 .cache
4.0K drwxr-xr-x   3 root  root  4.0K Sep  9  2022 .config
 12K drwxr-xr-x 316 sahay sahay  12K Sep  9  2022 .npm
4.0K drwxr-xr-x   3 root  root  4.0K Sep  9  2022 .local
4.0K drwxr-xr-x   4 root  root  4.0K Sep  9  2022 .node-red
4.0K drwxr-xr-x   7 sahay sahay 4.0K Sep  9  2022 .
4.0K drwxr-xr-x   4 root  root  4.0K Sep  9  2022 ..
   0 lrwxrwxrwx   1 root  root     9 Sep  9  2022 .bash_history -> /dev/null
4.0K -rw-r--r--   1 sahay sahay  220 Sep 23  2018 .bash_logout
4.0K -rw-r--r--   1 sahay sahay 3.7K Sep 23  2018 .bashrc
4.0K -rw-r--r--   1 sahay sahay  655 Sep 23  2018 .profile

Checking the home directory of the sahay user reveals the .node-red directory.

www-data@frolic:/home/sahay$ cd .node-red ; ll
total 56K
4.0K drwxr-xr-x 4 root  root  4.0K Sep  9  2022 .
4.0K drwxr-xr-x 3 root  root  4.0K Sep  9  2022 lib
4.0K drwxr-xr-x 2 root  root  4.0K Sep  9  2022 node_modules
4.0K drwxr-xr-x 7 sahay sahay 4.0K Sep  9  2022 ..
 12K -rw-r--r-- 1 root  root   12K Sep 23  2018 settings.js
 12K -rw-r--r-- 1 root  root   11K Sep 23  2018 .config.json
 12K -rw-r--r-- 1 root  root   11K Sep 23  2018 .config.json.backup
4.0K -rw-r--r-- 1 root  root   120 Sep 23  2018 package.json

There are a few files to check.

package.json


www-data@frolic:/home/sahay/.node-red$ cat package.json
{
    "name": "node-red-project",
    "description": "A Node-RED Project",
    "version": "0.0.1",
    "private": true
}

The package.json file shows version 0.0.1. The version information seems to have been tampered with.

.config.json


www-data@frolic:/home/sahay/.node-red$ cat .config.json
{
 "nodes": {
  "node-red": {
   "name": "node-red",
   "version": "0.19.4",
   "local": false,
   "nodes": {
    "sentiment": {
     "name": "sentiment",
     "types": [
      "sentiment"
     ],
 
[...REDACTED...]
 
 "_credentialSecret": "46e43b7222a93bc2b3b5d4aad74d7ad009057e9913549e52ebba6632b96ec850",
 "users": {
  "_": {
   "editor": {
    "view": {
     "view-grid-size": 20,
     "view-node-status": true,
     "view-show-tips": true
    }
   }
  }
 }
}

The .config.json file shows different version information: 0.19.4. Additionally, it also contains the _credentialSecret attribute, the auto-generated key Node-RED uses to encrypt stored flow credentials when no credentialSecret is set in settings.js.

Version


www-data@frolic:/home/sahay/.node-red$ head /usr/local/lib/node_modules/node-red/CHANGELOG.md
#### 0.19.4: Maintenance Release
 
 - Fix race condition in non-cache lfs context Fixes #1888
 - LocalFileSystem Context: Remove extra flush code
 - Prevent race condition in caching mode of lfs context (#1889)
 - Allow context store name to be provided in the key
 - Switch node: only use promises when absolutely necessary
 - Fix dbl-click handling on webkit-based browsers
 - Ensure context.flow/global cannot be deleted or enumerated
 - Handle context.get with multiple levels of unknown key Fixes #1883

The version seems to be 0.19.4.

settings.js


www-data@frolic:/home/sahay/.node-red$ cat settings.js | grep -v '//';
/**
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/
 
module.exports = {
    uiPort: process.env.PORT || 1880,
    mqttReconnectTime: 15000,
    serialReconnectTime: 15000,
    debugMaxLength: 1000,
    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2a$08$M6GkqpR1GdCDkQYXsR4zGOCl4gA/vWgNBSNKzCRr2RFKyYJNf08q.",
            permissions: "*"
        }]
    },

    functionGlobalContext: {
    },
    logging: {
        console: {
            level: "info",
            metrics: false,
            audit: false
        }
    },
    editorTheme: {
        projects: {
            enabled: false
        }
    },
}

I will grab the credential hash.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ hashcat -a 0 -m 3200 admin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
$2a$08$M6GkqpR1GdCDkQYXsR4zGOCl4gA/vWgNBSNKzCRr2RFKyYJNf08q.:password
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$08$M6GkqpR1GdCDkQYXsR4zGOCl4gA/vWgNBSNKzCRr2RFK...Nf08q.
Time.Started.....: Wed Oct 11 12:00:56 2023 (0 secs)
Time.Estimated...: Wed Oct 11 12:00:56 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      392 H/s (5.01ms) @ Accel:6 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 36/14344386 (0.00%)
Rejected.........: 0/36 (0.00%)
Restore.Point....: 0/14344386 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:240-256
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> liverpool
Hardware.Mon.#1..: Util: 21%
 
Started: Wed Oct 11 12:00:49 2023
Stopped: Wed Oct 11 12:00:58 2023

hashcat cracked the bcrypt hash in well under a second: the password is password.

However, authentication still hangs.

No Authentication


The /usr/local/lib/node_modules/node-red directory turns out to be the actual home directory of the running Node-RED instance, and it contains its own settings.js file.

www-data@frolic:/usr/local/lib/node_modules/node-red$ cat settings.js | grep -v '//'
module.exports = {
    uiPort: process.env.PORT || 1880,
    mqttReconnectTime: 15000,
    serialReconnectTime: 15000,
    debugMaxLength: 1000,

    functionGlobalContext: {
    },
    logging: {
        console: {
            level: "info",
            metrics: false,
            audit: false
        }
    },

    editorTheme: {
        projects: {
            enabled: false
        }
    },
}

The adminAuth credential block that was present in the earlier settings.js under /home/sahay/.node-red is absent here, so the running instance has no admin authentication configured at all. This appears to be a dead end.