Celestial Writeup

Enumeration

nmap -A 10.10.10.85 shows a Node.js server running on TCP 3000. Navigating to this server in the web browser and inspecting the headers reveals that it is using the Express framework, and that a single .profile cookie appears to be the only channel for sending input to the server; perhaps there is trust in that data that we can abuse. A quick Google search shows that there is a Node.js deserialization bug that can lead to remote code execution. This sounds promising, as we can execute a reverse shell to connect back to a netcat listener on my Kali box. Details on the exploit that I found useful can be found at https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/.

The Plan

After reading the linked article, I believe that we can follow the same methodology to achieve shell access to the server. No sense in reinventing the wheel here, so I pull down the nodejsshell.py script used in the article and generate a payload with the correct server and port numbers. I start a netcat listener on the port that the payload is going to connect back on and start up Burp to catch and modify the cookie value before it is sent to the server. With Burp's proxy on, I refresh my connection to the server and see the request hanging in the proxy window, where I replace the cookie value with my payload. Forwarding the rest of the traffic as normal, I check back and see that my netcat has opened up a connection. Sweet. A quick python -c 'import pty; pty.spawn("/bin/sh")' later and I have an interactive shell worth playing in.

Post Exploitation Recon

Now that we are in, it's time to look around for a way to escalate to root. Taking a look at the home directory for our current user, we see one file of note, output.txt. Catting it out simply shows "The script is running": interesting, but not very useful yet. We do know that there is a script somewhere that runs and writes this file. The output is in our home directory, so let's look for script files under our home directory that might be the easy find here. Using the find command, I search for anything with common script extensions like .rb, .pl or .py.

find ~/ -name '*.py' 2>/dev/null finds script.py, which upon inspection outputs the same line as we saw in output.txt. There's a good chance that, since this file is writable by us and output.txt is owned by root, this script is going to be our ticket. Now, I suspect we could script out reading the flag file and dumping its contents into output.txt to achieve our goal here, but since I already have a Python reverse shell script I'll just transfer that over and catch it in netcat, where I have an interactive root shell.

As I suspected, our malicious script.py reverse shell executes as root and gives me the goods. I grab the flag and run.

Securing the System

  1. Exploits leading to owning root include, but are not limited to:
    • The "x-powered-by" header disclosed use of the Express framework, which aided our ability to find an existing exploit. This header can be disabled, and I recommend doing so.
    • Trusting the cookie data and passing it into a deserialize function that uses eval() internally allowed us to get RCE and our initial foothold. Sanitization of all data received from the client is necessary, and eval() should be avoided where possible. If it's a must, sanitize the input. Also sanitize everything.
    • Cron jobs running as root should not execute scripts that are writable by non-privileged users. They should also not run every script in a directory where a non-privileged user can add new scripts. Apply the least-privilege model to cron jobs.
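As an added illustration of the first two fixes (this is not code from the writeup or from the target application), the cookie handling below is written as plain Node.js functions so it runs without Express: the .profile cookie is base64-decoded and parsed with JSON.parse, which never executes code, rather than an eval-based unserialize; the result is checked against an allowlist of expected fields; and any value carrying node-serialize's function marker is rejected and flagged for logging. The profile field names and the 1 KB size limit are assumptions about the app, not values taken from the box.

```javascript
'use strict';

// Hardened replacement for passing a cookie into an eval-based unserialize().
// Flow: size check -> base64 decode -> marker detection -> JSON.parse -> schema allowlist.

// node-serialize prefixes serialized functions with this string; its presence
// in a cookie is a strong signal of a deserialization attack attempt worth logging.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Assumed shape of the profile cookie (field names are a constructed example).
const PROFILE_SCHEMA = { username: 'string', country: 'string', city: 'string', num: 'string' };

// Returns { ok: true, profile } or { ok: false, reason, suspicious? }.
function parseProfileCookie(cookieValue) {
  if (typeof cookieValue !== 'string' || cookieValue.length > 1024) {
    return { ok: false, reason: 'missing or oversized cookie' };
  }
  const decoded = Buffer.from(cookieValue, 'base64').toString('utf8');
  // Detection point: a legitimate profile never contains a serialized function.
  if (decoded.includes(FUNC_MARKER)) {
    return { ok: false, reason: 'serialized function marker present', suspicious: true };
  }
  let obj;
  try {
    obj = JSON.parse(decoded); // data only; no code path, unlike unserialize()
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'profile must be a JSON object' };
  }
  // Allowlist: unknown keys (including "__proto__" / "constructor") and wrong types are rejected.
  const profile = {};
  for (const key of Object.keys(obj)) {
    if (!Object.prototype.hasOwnProperty.call(PROFILE_SCHEMA, key)) {
      return { ok: false, reason: 'unexpected field ' + key };
    }
    if (typeof obj[key] !== PROFILE_SCHEMA[key]) {
      return { ok: false, reason: 'wrong type for ' + key };
    }
    profile[key] = obj[key];
  }
  return { ok: true, profile };
}

// Express exposes app.disable('x-powered-by') to stop advertising the framework.
function hardenApp(app) {
  app.disable('x-powered-by');
  return app;
}

module.exports = { parseProfileCookie, hardenApp, FUNC_MARKER };
```

Wire parseProfileCookie() into the route that reads req.cookies.profile and log every result with suspicious set to true, since that is the request pattern the writeup's foothold relied on.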
