TryHackMe - ExfilNode

-

 



The ExfilNode challenge on TryHackMe is a medium-difficulty room that focuses on exploiting a Node.js application to gain initial access, followed by a clever lateral movement and privilege escalation involving sensitive data exfiltration.





1. Enumeration

The process begins with a standard network scan. You’ll find a web server running a Node.js application. By exploring the site and its source code (or through directory brute-forcing), you identify an endpoint that allows for file uploads or processes user input in a way that is vulnerable to Command Injection.


2. Initial Foothold

Vulnerability: The application fails to properly sanitize input before passing it to a system shell.

Exploitation: By injecting a reverse shell payload (e.g., using bash or python), you gain a shell as a low-privileged user (typically www-data).

Stabilization: Use Python's pty module to upgrade your shell to a fully interactive TTY.


3. Lateral Movement

Once inside, you discover a second user on the system.

Discovery: Searching the filesystem or checking running processes reveals a Node.js-based backup or monitoring script.

Exfiltration: The challenge gets its name here. You often have to find a way to "exfiltrate" credentials or SSH keys. This might involve intercepting local traffic or reading a configuration file that contains the password for the next user.


4. Privilege Escalation to Root

The final step usually involves exploiting Sudo permissions or a misconfigured binary.

The Hook: In ExfilNode, the user may have the ability to run node or a similar runtime with sudo privileges without a password.

Root Shell: By using a "GTFOBins" style exploit, you can use the Node.js child_process module to spawn a root shell:

sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'

Conclusion: Capture the root flag located in /root/root.txt.

Comments

Post a Comment

Popular posts from this blog

TryHackMe - Typo Snare Threat Hunter Simulator (medium level)

-
Image
  Threat Hunt Walkthrough The "Typo Snare" scenario on TryHackMe is a fantastic real-world simulation of a sophisticated, multi-stage attack. It starts with a simple mistake and escalates to a full domain compromise, culminating in ransomware. This post will walk you through the entire attack chain, phase by phase, showing you how to find each piece of evidence using Elastic KQL queries. Phase 1: Initial Access & Execution What Happened: The attack began when the user perry.parsons on workstation WKSTN-03 needed a 7-Zip tool. He googled it, clicked a typosquatted link ( 7zipp.org ), and downloaded a trojanized installer. This installer executed a PowerShell script ( 7z.ps1 ) directly from the attacker's server to establish the initial foothold. How to Find It: You are looking for a PowerShell process that was likely spawned by a browser and contains a command to download and execute a script ( iwr for Invoke-WebRequest and iex for Invoke-Expression ). KQL Query...
Read more

TryHackMe - Threat Hunting Simulator - Health Hazard

-
Image
  Scenario overview After months of juggling content calendars and caffeine-fueled brainstorming, co-founder Tom Whiskers finally carved out time to build the company’s first website. It was supposed to be simple: follow a tutorial, install a few packages, and bring the brand to life with lightweight JavaScript magic.   But between sleepless nights and copy-pasted code, Tom started feeling off. Not sick exactly, just off. The terminal scrolled with reassuring green text, the site loaded fine, and everything looked normal.   Then, a strange file appeared on the system. No one could say where it came from. It wasn’t part of the tutorial, didn’t match any known dependencies, and didn’t even run.   It just waited.   Scenario objectives Determine how a threat actor first gained a foothold on the system. Identify suspicious activity that may point to the initial compromise method. Investigate signs of malicious execution following the initial access. Analyse the logs ...
Read more

TryHackmMe Side Quest AOC 2025 - Scheme Catcher (Insane Level)

-
Image
  Second Side Quest (Scheme Catcher) started with discovering the key in the Advent of Cyber Day 9 room and using it to remove the firewall on the target machine. Afterwards, fuzzing a web application on the target for directories we were able to discover a file with a binary inside and analyzing the binary we discovered another endpoint. Checking out this endpoint we discovered the application running on another port and reverse enginering it we discovered a Use-After-Free vulnerability and with a heap exploitation exploit we were able to get remote code execution and a shell inside a container. Inside the container we discovered a SSH key which we used to get a shell on the host and reverse engineering and exploiting a vulnerable kernel module we were able to escalate to root and complete the room. Python Script : #!/usr/bin/env python3 from pwn import * import io_file context . update ( arch = " amd64 " , os = " linux " , log_level = " error "...
Read more