3000/tcp open http Node.js Express framework
Nodejs Deserialization bug
Python script running as root in the users documents folder
Visiting in browser:
Decoding the cookie gives you:
Checking for vulnerabilities in node.js we found
Download nodejsshell.py and run
Copy this to a file and modify to replicate this whole string as per the guide on the link:
Encode this in base64 and replace the cookie.
Set up a nc listener on 443 and send the request
Your listener will now spawn a shell.
Located in the documents folder is script.py
This appears to run every 5 mins and overwrites itself so you are unable to inject a reverse python shell without it breaking. Also found is output.txt.
This holds the output from the script.py and while we have not found a crontab for root we can assume that it will execute every 5 minutes what ever is in the script.py file as the root user as it overwrites output.txt.
So append to the end of the file:
And set up a listener on 444 and wait around 5 minutes to get the root shell.
Checking roots crontab shows that they are overwriting the file every 5 minutes