Celestial
Okay, so let’s get going with another of the boxes. This time we are going to hack “Celestial”.
Celestial is a medium-rated box running Linux. So, let’s see what’s interesting.
As usual, we start with an nmap scan.
As we can see, port 3000 is the only open port, and nmap identifies the service as a Node.js Express application.
When I first browse to the page I can’t see anything. However, after I refresh it, I see this:
It says ‘Hey Dummy’. So I think ‘Dummy’ is our username, and it is being passed around in some form, most likely in the session.
So I decided to look at our cookies using Burp, and it was just as I thought.
Our cookie contains a base64-encoded value. I’m guessing this, when decoded, contains our username, so I proceeded to decode it.
Exactly as I had guessed:
It is a JSON object encoded in base64. We also know from the nmap scan that the app is running on the Express framework.
I’m clearly looking at a deserialization vulnerability right here: the server base64-decodes the cookie and deserializes the JSON back into an object, so whatever I put in the username field gets deserialized too. The Node serialization libraries vulnerable to this evaluate serialized function bodies during deserialization, so a self-invoking function placed in the username field runs on the server before the application ever looks at the value. I found later that the page displays an error when it detects that the username is not a string, but the command has already run by then. So, with a few tweaks here and there, I created a string that fits in the username variable.
Well, it might be a bit hard on the eyes to read in the screenshot, but that’s part of the game if you want to replicate this ;)
So I encode the modified JSON into base64, put it back in the cookie and send the request.
Just as I had hoped, the ‘a’ was returned and everything else ran as a command. I should now have a reverse shell on my nc listener.
Bam, there you go!
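To make the bug concrete, here is an added example that is not code from the box or from this post: a small replica of the cookie handling described above. It assumes the function marker that node-serialize really uses (`_$$ND_FUNC$$_`), a constructed benign cookie, and a payload that only sets a flag instead of spawning a shell, so it is safe to run. The hardened handler is also an assumption, not the box’s fix.

```javascript
// Added example, not the Celestial application itself. A deserializer in the
// style of node-serialize revives any string that starts with a marker by
// eval-ing it, so a self-invoking function in "username" runs during parsing.

const FUNC_MARKER = "_$$ND_FUNC$$_"; // node-serialize's real prefix for serialized functions

// Vulnerable: mirrors node-serialize's unserialize() reviver.
function unsafeUnserialize(json) {
  return JSON.parse(json, (key, value) => {
    if (typeof value === "string" && value.startsWith(FUNC_MARKER)) {
      // eval of attacker-controlled text. An IIFE ("function(){...}()") executes
      // right here, before the application sees the resulting object.
      return eval("(" + value.slice(FUNC_MARKER.length) + ")");
    }
    return value;
  });
}

// Vulnerable handler: base64-decode the cookie, deserialize, greet the user.
function vulnerableHandler(cookieB64) {
  const profile = unsafeUnserialize(Buffer.from(cookieB64, "base64").toString("utf8"));
  return "Hey " + profile.username;
}

// Hardened handler (assumed fix): plain JSON.parse with no reviver, then
// validate the shape before using anything from the cookie.
function safeHandler(cookieB64) {
  let profile;
  try {
    profile = JSON.parse(Buffer.from(cookieB64, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
  if (!profile || typeof profile !== "object" || typeof profile.username !== "string") {
    return null;
  }
  return "Hey " + profile.username;
}

// Attacker side: build the base64(JSON) cookie from an object.
function makeCookie(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64");
}

// Constructed cookies for the demo (not captured from the box).
globalThis.executed = false;
const BENIGN_COOKIE = makeCookie({ username: "Dummy", num: "2" });
// The IIFE records that it ran and returns 'a', so the page would greet "a".
const MALICIOUS_COOKIE = makeCookie({
  username: FUNC_MARKER + "function(){ globalThis.executed = true; return 'a'; }()",
});

function demo() {
  const vulnBenign = vulnerableHandler(BENIGN_COOKIE);   // "Hey Dummy"
  const vulnMal = vulnerableHandler(MALICIOUS_COOKIE);   // "Hey a"
  const ranOnVuln = globalThis.executed;                 // true: code ran during parse
  globalThis.executed = false;
  const safeMal = safeHandler(MALICIOUS_COOKIE);         // marker kept as inert text
  const ranOnSafe = globalThis.executed;                 // false
  return { vulnBenign, vulnMal, ranOnVuln, safeMal, ranOnSafe };
}

console.log(demo());
```

Run it with node. Note that the flag is set while JSON.parse is still running, which is exactly why the application’s later complaint about the username type does not stop the command: the work is done before the type is checked. The hardened version never evaluates anything; the marked string just becomes part of the greeting.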
Now time to get root.
I see a peculiar output.txt in the home folder of the sun user. Upon inspection, I see:
It seems some sort of script is running and producing this output.
When I go looking for user.txt, I find it inside Documents alongside another file, script.py.
Okay, so the output of this script is being redirected to output.txt.
So there is definitely a cron job happening behind the scenes. To investigate further, I use pspy to see what’s actually running.
Okay, so root runs script.py and then immediately chowns it to the sun user. Since sun owns the file between runs, I can replace script.py with my own script and root will execute it on the next run. I decided to just have it copy /bin/sh to /tmp and set the setuid bit on the copy.
Then it’s the waiting game. Aaand boom, the setuid shell appears in /tmp. I run it with /tmp/sh -p (privileged mode, so the shell keeps the elevated effective UID instead of dropping it) and I am root!
Done!