[HTB] Celestial writeup

Welcome back to Exploitnetworking for the writeup of the Hack The Box machine Celestial. On this machine a Node.js service is exploitable in an easy and direct way, and privilege escalation relies on a simple trick with a Python script.

We can see that only one port is open: 3000, serving the Node.js Express framework. Open it in a browser and look at the page:

It returns a 404 error, but on reloading the page:

Interesting. Let’s open Burp to see what happens in the request:

Note that there is a cookie called “profile”:

This looks like base64 encoding; let’s decode it to see what it contains:

Yep, it holds some information about an account with username “Dummy”. Now let’s modify some values in this cookie, starting with the username:

The web server’s response is:

So we can manipulate the response through the cookie. Note that the “22” in the response looks like a concatenation of the “2” value, so let’s modify the “2” value and see what happens:

The response is:

Maybe there is some trick behind how the “42” value gets concatenated. Let’s try some values that are not numbers:

The response is:

Yes, there is an eval function! Through eval we can execute code just by manipulating the cookie. Let’s change the cookie to insert a JavaScript reverse shell:
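At this point the behaviour is clear enough to reconstruct the bug and its fix. The following is an added example written for this writeup and is not the Celestial application’s source: `unsafeParseProfile()` models a handler that decodes the profile cookie and hands it to `eval()`, which is what the string concatenation and the reaction to non-numeric values reveal, and `safeParseProfile()` is the hardened replacement. The field name `num`, the allow-list and the validation rules are assumptions; only the `username` field is known from the box.

```javascript
// Added example: a minimal model of the "profile" cookie handler, not the
// Celestial application's code. Field name "num" is assumed; only "username"
// is known from the box.

// Base64-decode the raw cookie value into text.
function decodeProfileCookie(cookieValue) {
  return Buffer.from(cookieValue, "base64").toString("utf8");
}

// Build a cookie from constructed text (used by the demo below).
function encodeProfileCookie(text) {
  return Buffer.from(text, "utf8").toString("base64");
}

// UNSAFE (what the probes reveal): the decoded cookie is evaluated as
// JavaScript, so any expression the client writes into it runs on the server.
function unsafeParseProfile(cookieValue) {
  const text = decodeProfileCookie(cookieValue);
  return eval("(" + text + ")"); // eslint-disable-line no-eval
}

// The page echoes num + num: with the string "2" that is "22", with the
// number 2 it is 4. This difference is what exposed the sink in the writeup.
function doubleNum(profile) {
  return profile.num + profile.num;
}

// HARDENED: JSON.parse never executes code, and an allow-list schema rejects
// unknown keys (including "__proto__"), wrong types and malformed input.
// Returns null on any violation so the caller can issue a fresh profile.
const ALLOWED_KEYS = new Set(["username", "num"]);

function safeParseProfile(cookieValue) {
  let obj;
  try {
    obj = JSON.parse(decodeProfileCookie(cookieValue));
  } catch {
    return null; // not JSON at all (e.g. contains code instead of data)
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_KEYS.has(key)) return null;
  }
  const { username, num } = obj;
  if (typeof username !== "string" || !/^[A-Za-z0-9_]{1,32}$/.test(username)) return null;
  if (typeof num !== "number" || !Number.isSafeInteger(num) || num < 0) return null;
  return { username, num };
}

// Demo on constructed cookies.
const probes = [
  '{"username":"Dummy","num":"2"}',   // string: unsafe path gives "22"
  '{"username":"Dummy","num":2+2}',   // arithmetic: not JSON, eval yields 4
  '{"username":"Dummy","num":2}',     // well-formed: accepted by both
];
for (const text of probes) {
  const cookie = encodeProfileCookie(text);
  let unsafe;
  try { unsafe = doubleNum(unsafeParseProfile(cookie)); } catch (e) { unsafe = "error"; }
  console.log(text, "-> unsafe:", unsafe, "| safe:", safeParseProfile(cookie));
}
```

The hardened parser returns `null` for anything outside the allow-list, so the caller should mint a new server-side profile rather than trust the cookie. Signing the cookie (for example with an HMAC) would additionally stop tampering, but it does not remove the need to avoid eval-style deserialisation: a signed cookie is still code if the server evaluates it.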

Listen with netcat on port 2222 and send the request:

Yes! We have a reverse shell! Grab the flag in Documents/user.txt and move on to privilege escalation. In Documents there is another interesting file:

The content of that script is:

And in the home directory there is a file called “output.txt” with this content:

The owner of this file is root. Perhaps a root cron task runs script.py and writes to output.txt. To check whether such a cron job exists, we write a bash script that looks for new processes on the system:

Run this script on the server:

After a few minutes we can see that a root cron task runs the Python script and then replaces it with a fresh script.py. So we can simply modify script.py and insert a Python reverse shell. We insert this code to open the reverse shell:

Listen with netcat on port 2224 and, after a few minutes:

2018-08-25T19:56:40+00:00
