Celestial
Celestial - 10.10.10.85
Target Enumeration:
OS: Linux
IP: 10.10.10.85
User: 9a093cd22ce86b7f41db4116e80d0b0f
Root: ba1d0019200a54e370ca151007a8095a
Ports / Services / Software Versions Running
3000/tcp open http Node.js Express framework
Vulnerability Exploited:
Nodejs Deserialization bug
Privilege Escalation:
Python script running as root in the users documents folder
Exploiting the host:
Nmap
Visiting in browser:
Decoding the cookie gives you:
Checking for vulnerabilities in node.js we found
Download nodejsshell.py and run
Copy this to a file and modify to replicate this whole string as per the guide on the link:
Encode this in base64 and replace the cookie.
Set up a nc listener on 443 and send the request
Your listener will now spawn a shell.
Located in the documents folder is script.py
This appears to run every 5 mins and overwrites itself so you are unable to inject a reverse python shell without it breaking. Also found is output.txt.
This holds the output from the script.py and while we have not found a crontab for root we can assume that it will execute every 5 minutes what ever is in the script.py file as the root user as it overwrites output.txt.
So append to the end of the file:
And set up a listener on 444 and wait around 5 minutes to get the root shell.
Checking roots crontab shows that they are overwriting the file every 5 minutes
Last updated