Verdaccio
Of all the listening sockets found during network enumeration, the one on 4873 stands out as the oddest.
mark@seventeen:/dev/shm$ nc 127.0.0.1 4873
qwe
HTTP/1.1 400 Bad Request
connection: close
The HTTP 400 response shows it is a web server.
mark@seventeen:/dev/shm$ curl http://localhost:4873
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="utf-8">
<base href="http://localhost:4873/">
<title>Verdaccio</title>
<link rel="icon" href="http://localhost:4873/-/static/favicon.ico"/>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<script>
window.__verdaccio_basename_ui_options={"darkmode":false,"basename":"/","base":"http://localhost:4873/","primaryColor":"#4b5e40","version":"5.6.0","pkgManagers":["yarn","pnpm","npm"],"login":true,"logo":"","title":"Verdaccio","scope":"","language":"es-US"}
</script>
</head>
<body class="body">
<div id="root"></div>
<script defer="defer" src="http://localhost:4873/-/static/runtime.06493eae2f534100706f.js"></script><script defer="defer" src="http://localhost:4873/-/static/vendors.06493eae2f534100706f.js"></script><script defer="defer" src="http://localhost:4873/-/static/main.06493eae2f534100706f.js"></script>
</body>
</html>
curl shows it is a Verdaccio instance, version 5.6.0 according to the UI options embedded in the page.
Verdaccio is a lightweight private npm proxy registry written in Node.js, comparable to Python's pypiserver for hosting a private package index.
This must be the "registry" mentioned in the mail; Verdaccio describes itself as a "proxy registry" rather than a "private repo", but it serves the same purpose.
mark@seventeen:/dev/shm$ find / -name verdaccio -ls 2>/dev/null
393988 4 dr-------- 5 root root 4096 Mar 14 2022 /etc/verdaccio
The only hit is /etc/verdaccio, readable by root alone, so nothing of the instance is readable from the host itself; it is likely running in a Docker container.
Either way, reaching the web UI from Kali means tunnelling the port.
SSH Tunneling
┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sshpass -p2020bestyearofmylife ssh -L 127.0.0.1:4873:127.0.0.1:4873 -N -f mark@$IP
The tunnel is up: the registry is now reachable on Kali's loopback at port 4873.
Web
Webroot
The footer of the web UI shows the version: 5.6.0. I find no known vulnerabilities for it.
Since the UI offers a login, it may be possible to create an account and publish a custom package.
adduser
mark@seventeen:/dev/shm$ npm adduser --registry http://localhost:4873/
Username: test
Password: qwe123
Email: (this IS public) test@test.test
npm ERR! Linux 4.15.0-177-generic
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "adduser" "--registry" "http://localhost:4873/"
npm ERR! node v8.10.0
npm ERR! npm v3.5.2
npm ERR! code E409
npm ERR! user registration disabled : -/user/org.couchdb.user:test/-rev/undefined
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Linux 4.15.0-177-generic
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "adduser" "--registry" "http://localhost:4873/"
npm ERR! node v8.10.0
npm ERR! npm v3.5.2
npm ERR! path npm-debug.log.2973111489
npm ERR! code EACCES
npm ERR! errno -13
npm ERR! syscall open
npm ERR! Error: EACCES: permission denied, open 'npm-debug.log.2973111489'
npm ERR! { Error: EACCES: permission denied, open 'npm-debug.log.2973111489'
npm ERR! errno: -13,
npm ERR! code: 'EACCES',
npm ERR! syscall: 'open',
npm ERR! path: 'npm-debug.log.2973111489' }
npm ERR!
npm ERR! Please try running this command again as root/Administrator.
npm ERR! Please include the following file with any support request:
npm ERR! /opt/app/npm-debug.log
Creating a new user fails. The decisive part is the first error: the registry answers HTTP 409 "user registration disabled", which is Verdaccio's htpasswd auth plugin refusing self-registration (the max_users setting of its config at -1). The EACCES that follows is only npm failing to write its debug log and says nothing about the registry.
search
Being less familiar with npm, I look through its documentation.
Like most package managers, npm has a search subcommand that queries the registry; with no search term it lists everything the registry knows about.
The --registry option points it at a specific registry instead of the default npmjs.org.
mark@seventeen:/dev/shm$ npm search --registry http://localhost:4873/
npm WARN Building the local index for the first time, please be patient
▐ ╢░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╟
NAME DESCRIPTION AUTHOR DATE VERSION KEYWORDS
bignumber.js A library for arbitrary-precision decimal and non-decimal… =mikemcl 2022-04-08 9.0.2 arbitrary precision arithmetic big num
core-util-is The `util.is*` functions introduced in Node v0.12. =isaacs 2022-04-08 1.0.3 util isBuffer isArray isNumber isStrin
db-logger Log data to a database =kavigihan 2022-03-15 1.0.1 log
inherits Browser-friendly inheritance fully compatible with standard… =isaacs 2022-04-08 2.0.4 inheritance class klass oop object-ori
isarray Array#isArray for older browsers =juliangruber 2022-04-08 2.0.5 browser isarray array
loglevel Minimal lightweight logging for JavaScript, adding reliable… =pimterry 2022-05-11 1.8.0 log logger logging browser
mysql A node.js driver for mysql. It is written in JavaScript,… =dougwilson… 2022-04-08 2.18.1
process-nextick-args process.nextTick but always with args =cwmma 2022-04-08 2.0.1
readable-stream Streams3, a user-land copy of the stream library from… =cwmma =isaacs… 2022-04-08 3.6.0 readable stream pipe
safe-buffer Safer Node.js Buffer API =feross =mafintosh 2022-04-08 5.2.1 buffer buffer allocate node security s
sqlstring Simple SQL escape and format for MySQL =sidorares… 2022-04-08 2.3.3 sqlstring sql escape sql escape
string_decoder The string_decoder module from Node core =cwmma… 2022-04-08 1.3.0 string decoder browser browserify
Pointing it at the Verdaccio instance reveals the whole registry.
Most entries are well-known public packages (mysql, readable-stream, safe-buffer and so on) that the proxy has cached from upstream. db-logger is the exception: authored by kavigihan, dated 2022-03-15, and not a package one would expect on npmjs.org, so it looks like something published locally to this registry.
install
mark@seventeen:/dev/shm$ npm install db-logger --registry http://localhost:4873/
/dev/shm
└─┬ db-logger@1.0.1
└─┬ mysql@2.18.1
├── bignumber.js@9.0.0
├─┬ readable-stream@2.3.7
│ ├── core-util-is@1.0.3
│ ├── inherits@2.0.4
│ ├── isarray@1.0.0
│ ├── process-nextick-args@2.0.1
│ ├── string_decoder@1.1.1
│ └── util-deprecate@1.0.2
├── safe-buffer@5.1.2
└── sqlstring@2.3.1
npm WARN enoent ENOENT: no such file or directory, open '/dev/shm/package.json'
npm WARN shm No description
npm WARN shm No repository field.
npm WARN shm No README data
npm WARN shm No license field.
mark@seventeen:/dev/shm$ ll
total 3976
drwxrwxrwt 6 root root 200 Jun 20 09:40 ./
drwxr-xr-x 19 root root 3880 Jun 20 02:19 ../
-rwxr-xr-x 1 mark mark 836054 Jun 20 05:09 linpeas.sh*
drwxrwxr-x 2 mark mark 40 Jun 20 09:40 node_modules/
-rwxr-xr-x 1 mark mark 3104768 Jun 20 05:09 pspy64*
The install subcommand pulls db-logger into node_modules/ under the current working directory; the other packages come along because they are its dependency tree (mysql and what mysql needs).
One caveat worth stating: npm install runs any preinstall, install or postinstall script a package declares, so installing an unknown package from a registry I do not control means executing its author's code as mark. The safer route is to fetch the tarball with npm pack (or curl against the dist.tarball URL) and read it first, or at least install with --ignore-scripts. Here db-logger declares only a test script, as its package.json below shows, so nothing ran.
db-logger
mark@seventeen:/dev/shm$ cd node_modules/db-logger/ ; ll
total 8
drwxrwxr-x 2 mark mark 80 Jun 20 09:43 ./
drwxrwxr-x 14 mark mark 280 Jun 20 09:43 ../
-rw-rw-r-- 1 mark mark 508 Mar 12 2022 logger.js
-rw-rw-r-- 1 mark mark 1282 Jun 20 09:43 package.json
The package consists of a single source file, logger.js, plus its package.json metadata.
package.json
mark@seventeen:/dev/shm/node_modules/db-logger$ cat package.json
{
"_args": [
[
"db-logger",
"/dev/shm"
]
],
"_from": "db-logger@latest",
"_id": "db-logger@1.0.1",
"_inCache": true,
"_installable": true,
"_location": "/db-logger",
"_nodeVersion": "8.10.0",
"_npmUser": {},
"_npmVersion": "3.5.2",
"_phantomChildren": {},
"_requested": {
"name": "db-logger",
"raw": "db-logger",
"rawSpec": "",
"scope": null,
"spec": "latest",
"type": "tag"
},
"_requiredBy": [
"#USER"
],
"_resolved": "http://localhost:4873/db-logger/-/db-logger-1.0.1.tgz",
"_shasum": "cad3ace58207506616e098c622f50a0ba22ba6d0",
"_shrinkwrap": null,
"_spec": "db-logger",
"_where": "/dev/shm",
"author": {
"name": "kavigihan"
},
"contributors": [],
"dependencies": {
"mysql": "2.18.1"
},
"description": "Log data to a database",
"devDependencies": {},
"dist": {
"shasum": "cad3ace58207506616e098c622f50a0ba22ba6d0",
"tarball": "http://localhost:4873/db-logger/-/db-logger-1.0.1.tgz"
},
"keywords": [
"log"
],
"license": "ISC",
"main": "logger.js",
"name": "db-logger",
"optionalDependencies": {},
"readme": "ERROR: No README data found!",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"version": "1.0.1"
}
This is just the package metadata. Nothing notable apart from the author field, kavigihan, which matches the kavi user on the host.
logger.js
mark@seventeen:/dev/shm/node_modules/db-logger$ cat logger.js
var mysql = require('mysql');
var con = mysql.createConnection({
host: "localhost",
user: "root",
password: "IhateMathematics123#",
database: "logger"
});
function log(msg) {
con.connect(function(err) {
if (err) throw err;
var date = Date();
var sql = `INSERT INTO logs (time, msg) VALUES (${date}, ${msg});`;
con.query(sql, function (err, result) {
if (err) throw err;
console.log("[+] Logged");
});
});
};
module.exports.log = log
logger.js hard-codes a cleartext MySQL credential: user root, password IhateMathematics123#. Note the trailing #: it is part of the string and is easily lost when the value is pasted into a shell, so it is safest quoted.
Separately, the query is built by interpolating both date and msg straight into the INSERT statement with no quoting or escaping, so whatever calls log() controls the SQL; that is a SQL injection in its own right, though not what I need here.
mark@seventeen:/dev/shm/node_modules/db-logger$ mysql -uroot -pIhateMathematics123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
mark@seventeen:/dev/shm/node_modules/db-logger$ su root
Password: IhateMathematics123
su: Authentication failure
Neither the local MySQL instance nor su accepts the credential. Two caveats before writing it off: the commands above omit the trailing # from the password as it appears in logger.js, and MySQL error 1698 is what root@localhost returns when that account authenticates through the auth_socket plugin, so a password login as root from mark's shell would be refused even with the right password. If Verdaccio runs in a container, the "localhost" database this package was written against may also not be the host's MySQL at all. The password is still worth testing for reuse against the other user.