Difficulty Rating:

Machine: Celestial
OS: Linux
IP: 10.10.10.85


The machine runs the Node.js Express framework on port 3000, which is vulnerable to a deserialization exploit. Privilege escalation was done by exploiting a root cron job that runs a user-editable script.


  • Nmap
# Nmap 7.70 scan initiated Wed Jun  6 12:56:14 2018 as: nmap -p- -T4 -sV -oN celestial-full-scan.nmap -v 10.10.10.85
Warning: 10.10.10.85 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.85
Host is up (0.13s latency).
Not shown: 65471 closed ports, 63 filtered ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  6 13:16:46 2018 -- 1 IP address (1 host up) scanned in 1231.62 seconds

[Screenshot: nodejs_vuln]

[Screenshot: nodejsshell_py]

  • Base64 encode the reverse shell:

[Screenshot: Payload]

  • Start nc and get a reverse shell

[Screenshot: reverse-shell]

  • Find user flag

[Screenshot: user-key]

  • The home directory contains a file “output.txt”, owned by root, that is updated every few minutes. Looks like a cron job.

[Screenshot: root-owned-file]

  • Check the Documents directory

[Screenshot: documents-directory]

  • This script just prints “Script is running”, which is the same output found in output.txt, so the file must be run by root as a cron job. Let’s edit this file and get a reverse shell.

[Screenshot: priv-esc-payload]

  • Start nc and listen on port 1234

[Screenshot: reverse-shell]

  • Get root key

[Screenshot: root-key]

User and root owned!!

Share the fun!