abc


An interesting process has been identified: /usr/bin/node dist/server.js. There appears to be a Node application running.

barney@b3dr0ck:~$ find / -name server.js -type f 2>/dev/null
/usr/share/abc/dist/server.js

It’s located under the /usr/share/abc directory.

barney@b3dr0ck:/usr/share/abc$ ll
total 32
drwxrwxr-x   8 root root 4096 Apr 29  2022 ./
drwxr-xr-x 119 root root 4096 Apr 10  2022 ../
drwxrwxr-x   2 root root 4096 Apr 29  2022 art/
drwxrwxr-x   2 root root 4096 Apr 29  2022 bin/
drwxrwxr-x   2 root root 4096 Apr 30  2022 certs/
drwxrwxr-x   2 root root 4096 Apr 30  2022 dist/
drwxrwxr-x  18 root root 4096 Apr 10  2022 node_modules/
drwxrwxr-x   2 root root 4096 Apr 10  2022 public/

This might be the custom application encountered earlier.

barney@b3dr0ck:/usr/share/abc$ ll dist/
total 24
drwxrwxr-x 2 root root 4096 Apr 30  2022 ./
drwxrwxr-x 8 root root 4096 Apr 29  2022 ../
-rw-rw-r-- 1 root root 3522 Apr 29  2022 certs.js
-rw-rw-r-- 1 root root 8499 Apr 30  2022 server.js

I will check the server.js file.

server.js


The server.js file has base64-encoded credentials for both the fred and barney users hard-coded into it.

┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ echo 'V1dGaVltRkVZV0ppWVVRd01EQXdJUW89Cg==' | base64 -d
WWFiYmFEYWJiYUQwMDAwIQo=
 
┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ echo 'V1dGaVltRkVZV0ppWVVRd01EQXdJUW89Cg==' | base64 -d | base64 -d
YabbaDabbaD0000!

It’s double-encoded in base64. The decoded value is YabbaDabbaD0000!, and it will be validated against the SSH server.
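The decoding above was done by hand, one base64 layer at a time. As an added example (not code from the write-up or from the application it describes), the following Python script shows how a defender or code reviewer would scan a source file for hard-coded, possibly multi-layer base64 secrets: it finds base64-looking tokens, peels layers off while the result still looks like base64, and reports only those that end in printable text. The sample source is constructed for this example and embeds the double-encoded value shown above together with a constructed single-layer value; the function and variable names are this example's own.

```python
import base64
import binascii
import re
import string

# Base64-looking tokens: a run of alphabet characters plus optional padding.
# 16 characters is an assumed minimum, chosen to skip short identifiers.
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
PRINTABLE = set(string.printable.encode())


def looks_base64(data: bytes) -> bool:
    """True if the (whitespace-stripped) bytes are syntactically valid base64."""
    s = data.strip()
    return (len(s) >= 4 and len(s) % 4 == 0
            and re.fullmatch(rb'[A-Za-z0-9+/]+={0,2}', s) is not None)


def peel_base64(token: str, max_layers: int = 5):
    """Decode repeatedly while the output still looks like base64.

    Returns (layers_removed, final_bytes). A layer that fails strict
    decoding stops the loop, so the last successfully decoded value is kept.
    """
    data = token.encode()
    layers = 0
    while layers < max_layers and looks_base64(data):
        try:
            decoded = base64.b64decode(data.strip(), validate=True)
        except binascii.Error:
            break
        if not decoded:
            break
        data = decoded
        layers += 1
    return layers, data


def scan_source(text: str):
    """Return findings for tokens that decode (through one or more layers) to printable text."""
    findings = []
    for match in B64_TOKEN.finditer(text):
        layers, plain = peel_base64(match.group(0))
        if layers == 0 or not all(b in PRINTABLE for b in plain):
            continue  # not base64, or decodes to binary rather than a secret string
        line_no = text.count('\n', 0, match.start()) + 1
        findings.append({
            'line': line_no,
            'token': match.group(0),
            'layers': layers,
            'plaintext': plain.decode().strip(),
        })
    return findings


# Constructed single-layer value (not from the write-up) so the scan shows both depths.
SINGLE_LAYER_SAMPLE = base64.b64encode(b'placeholder-secret').decode()

# Constructed sample modelled on a Node server with credentials stored inline.
SAMPLE_SOURCE = (
    "// constructed sample, not the real server.js\n"
    "const users = {\n"
    "  userA: { password: 'V1dGaVltRkVZV0ppWVVRd01EQXdJUW89Cg==' },\n"
    "  userB: { password: '" + SINGLE_LAYER_SAMPLE + "' },\n"
    "};\n"
    "app.listen(port);\n"
)

if __name__ == '__main__':
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['layers']} base64 layer(s) -> {f['plaintext']!r}")
```

The printable-text filter is what keeps the scanner useful on a real code base: long identifiers and genuine binary blobs usually either fail the length-multiple-of-4 check or decode to non-printable bytes, whereas a password wrapped in one or more base64 layers surfaces with its layer count and line number.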