NodeJS


mark@seventeen:/var$ ll mail
total 12
drwxrwsr-x  2 root mail 4096 Mar 24  2022 ./
drwxr-xr-x 13 root root 4096 May 11  2022 ../
-rw-r--r--  1 kavi mail  740 Mar 14  2022 kavi

A mail has come in for the kavi user. Interestingly, anyone is able to read it.

mark@seventeen:/var$ cat mail/kavi
to: kavi@seventeen.htb
from: admin@seventeen.htb
subject: New staff manager application
 
Hello Kavishka,
 
Sorry I couldn't reach you sooner. Good job with the design. I loved it. 
 
I think Mr. Johnson already told you about our new staff management system. Since our old one had some problems, they are hoping maybe we could migrate to a more modern one. For the first phase, he asked us just a simple web UI to store the details of the staff members.
 
I have already done some server-side for you. Even though, I did come across some problems with our private registry. However as we agreed, I removed our old logger and added loglevel instead. You just have to publish it to our registry and test it with the application. 
 
Cheers,
Mike

The mail describes the organization’s old staff management system as problematic and says it is being migrated to a newer system. The sender also notes that he has already worked on the server side and mentions a private “registry”. Additionally, the old logger was removed and “loglevel” was added.

While the mail suggests that there is an application in development, it doesn’t provide any solid evidence.

mark@seventeen:/$ ll opt
total 16
drwxr-xr-x  4 root root 4096 Mar 14  2022 ./
drwxr-xr-x 26 root root 4096 May 23  2022 ../
drwxr-xr-x  3 root root 4096 May 29  2022 app/
drwx--x--x  4 root root 4096 Feb 19  2022 containerd/
mark@seventeen:/$ ll opt/app
total 24
drwxr-xr-x  3 root root 4096 May 29  2022 ./
drwxr-xr-x  4 root root 4096 Mar 14  2022 ../
-rwxr-xr-x  1 root root  158 Mar 13  2022 index.html*
-rwxr-xr-x  1 root root  781 Mar 15  2022 index.js*
drwxr-xr-x 14 root root 4096 May 10  2022 node_modules/
-rwxr-xr-x  1 root root  465 May 29  2022 startup.sh*

Strolling through the system, I came across an interesting directory located at /opt/app. The bash script inside was initially discovered by PEAS.

startup.sh


mark@seventeen:/$ cat opt/app/startup.sh
#!/bin/bash
 
cd /opt/app
 
deps=('db-logger' 'loglevel')
 
for dep in ${deps[@]}; do
    /bin/echo "[=] Checking for $dep"
    o=$(/usr/bin/npm -l ls|/bin/grep $dep)
 
    if [[ "$o" != *"$dep"* ]]; then
        /bin/echo "[+] Installing $dep"
        /usr/bin/npm install $dep --silent
        /bin/chown root:root node_modules -R
    else
        /bin/echo "[+] $dep already installed"
 
    fi
done
 
/bin/echo "[+] Starting the app"
 
/usr/bin/node /opt/app/index.js

The bash script above does the following:

  1. Changes the current directory to “/opt/app”.
  2. Defines an array called deps with two elements: ‘db-logger’ and ‘loglevel’.
  3. Iterates over each element in the deps array.
  4. Checks if the current dependency is installed.
    • If not installed, it installs the dependency using npm.
    • If already installed, it skips the installation.
  5. After an install, recursively changes ownership of the “node_modules” directory to the root user and group.
  6. Starts the application using Node.js.

In summary, the script checks for the presence of two dependencies using npm and installs them if necessary. Then, it starts the application using Node.js.

This bash script is certainly part of the application mentioned in the above mail, as “db-logger” and “loglevel” are both brought up.

mark@seventeen:/opt/app$ ./startup.sh
[=] Checking for db-logger
npm ERR! error in /opt/app/node_modules/db-logger: EACCES: permission denied, open '/opt/app/node_modules/db-logger/package.json'
[+] db-logger already installed
[=] Checking for loglevel
npm ERR! error in /opt/app/node_modules/db-logger: EACCES: permission denied, open '/opt/app/node_modules/db-logger/package.json'
[+] Installing loglevel
/bin/chown: changing ownership of 'node_modules/bignumber.js/bignumber.js': Operation not permitted
/bin/chown: cannot read directory 'node_modules/db-logger': Permission denied
/bin/chown: changing ownership of 'node_modules': Operation not permitted
[+] Starting the app
module.js:549
    throw err;
    ^
 
Error: Cannot find module 'loglevel'
    at Function.Module._resolveFilename (module.js:547:15)
    at Function.Module._load (module.js:474:25)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/opt/app/index.js:5:14)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)

Attempting to execute the bash script exits with an error: the npm instance it calls was unable to locate the loglevel package for installation, and the application wouldn’t start because the index.js file requires it. loglevel is a barebones logging JS library.

index.js


mark@seventeen:/opt/app$ cat index.js
const http = require('http')
const port = 8000
const fs = require('fs')
//var logger = require('db-logger')
var logger = require('loglevel')
 
const server = http.createServer(function(req, res) {
    res.writehead(200, {'content-type': 'text/html'})
    fs.readFile('index.html', function(error, data){
        if (error) {
            res.writeHead(404)
            res.write('error: File Not Found')
            logger.debug(`info: Reuqest from ${req.connection.remoteAddress} to /`)
 
        } else {
            res.write(data)
        }
    res.end()
    })
})
 
server.listen(port, function(error) {
    if (error) {
        logger.warn(`error: Error occured while starting the server : ${e}`)
    } else {
        logger.log("info:  Server running on port " + port)
    }
})

This JS script starts the logging application on port 8000. The content is read from the index.html file.

The commented-out line, //var logger = require('db-logger'), must be the old version.

index.html


mark@seventeen:/opt/app$ cat index.html
<!DOCTYPE html>
<html>
<head>
<title>Under Construction</title>
</head>
<body>
<p>This page is under construction. Please come back soon!</p>
</body>
</html>

Just a static HTML page.

node_modules


mark@seventeen:/opt/app$ ll node_modules/
total 56
drwxr-xr-x 14 root root 4096 May 10  2022 ./
drwxr-xr-x  3 root root 4096 May 29  2022 ../
drwxr-xr-x  3 root root 4096 May 10  2022 bignumber.js/
drwxr-xr-x  3 root root 4096 May 10  2022 core-util-is/
drwxr-x---  2 root root 4096 May 10  2022 db-logger/
drwxr-xr-x  2 root root 4096 May 10  2022 inherits/
drwxr-xr-x  2 root root 4096 May 10  2022 isarray/
drwxr-xr-x  3 root root 4096 May 10  2022 mysql/
drwxr-xr-x  2 root root 4096 May 10  2022 process-nextick-args/
drwxr-xr-x  4 root root 4096 May 10  2022 readable-stream/
drwxr-xr-x  2 root root 4096 May 10  2022 safe-buffer/
drwxr-xr-x  3 root root 4096 May 10  2022 sqlstring/
drwxr-xr-x  3 root root 4096 May 10  2022 string_decoder/
drwxr-xr-x  2 root root 4096 May 10  2022 util-deprecate/

Checking the node_modules directory indeed reveals that the loglevel package isn’t locally available. Interestingly, only the db-logger directory is unreadable.