HackTheBox - Celestial

aS6z4NgRysU/default.jpg

00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell
(Get a shell via NodeJSShell at end of video)
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell

aS6z4NgRysU/default.jpg
HackTheBox - Celestial HackTheBox - Celestial Reviewed by Anonymous on August 25, 2018 Rating: 5