HackTheBox - Celestial

IppSec · Intermediate ·🛡️ AI Safety & Ethics ·7y ago

Skills: AI Security90%Defensive AI80%

00:58 - Begin of Recon 03:00 - Looking at the web application and finding the Serialized Cookie 04:38 - Googling for Node JS Deserialization Exploits 06:30 - Start of building our payload 07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is 09:10 - Moving our serialized object to "Name", hoping to get to read stdout 11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE) 13:25 - Failing to convert an object (stdout) to string. 14:02 - Verifying code execution via ping 15:32 - Code execution verified, gaining a shell (Get a shell via NodeJSShell at end of video) 18:49 - Reverse shell returned, running LinEnum.sh 21:26 - Examining logs to find the Cron Job running as root 22:09 - Privesc by placing a python root shell in script.py 24:15 - Going back and getting a shell with NodeJSShell

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 53 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: AI Security

View skill →

Managing Threat Intelligence with Cortex XSOAR

SECURE Your App with Roles and Permissions in Spring Security!

SECURE Your App with Roles and Permissions in Spring Security!

TheCodeAlchemist

Pete Bryan - Scaling Jupyter Notebooks for global scale security analysis | JupyterCon 2020

Pete Bryan - Scaling Jupyter Notebooks for global scale security analysis | JupyterCon 2020

Warning! Python Remote Keylogger (this is really too easy!)

Warning! Python Remote Keylogger (this is really too easy!)

Episode 9: Automating Single-Turn Attacks with PyRIT | AI Red Teaming 101

Episode 9: Automating Single-Turn Attacks with PyRIT | AI Red Teaming 101

Microsoft Developer

Secure Agent Authorization with OAuth 2.0 | Amazon Bedrock AgentCore | Amazon Web Services

Secure Agent Authorization with OAuth 2.0 | Amazon Bedrock AgentCore | Amazon Web Services

Amazon Web Services

Related AI Lessons

AI Age Estimation: Ethics and Implications at the Border - SmarterArticles S1E10

Explore the ethics and implications of AI age estimation at borders and its potential consequences

Dev.to · Tim Green

Generative AI Regulatory Compliance: 7 Critical Mistakes to Avoid

Avoid 7 critical mistakes to ensure generative AI regulatory compliance and prevent costly retrofits, fines, and reputational damage

Generative AI Regulatory Compliance: Comparing Top Implementation Strategies

Learn how to choose the right compliance strategy for generative AI implementation in your organization and navigate unique challenges around explainability, bias, and evolving regulatory requirements

Generative AI Regulatory Compliance: A Developer's Starting Guide

Learn how to navigate generative AI regulatory compliance as a developer and ensure your AI systems meet evolving regulations and ethical standards

Chapters (14)

0:58 Begin of Recon

3:00 Looking at the web application and finding the Serialized Cookie

4:38 Googling for Node JS Deserialization Exploits

6:30 Start of building our payload

7:10 Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is

9:10 Moving our serialized object to "Name", hoping to get to read stdout

11:30 Really busing the deserialize function by removing the Immediately Invokked Ex

13:25 Failing to convert an object (stdout) to string.

14:02 Verifying code execution via ping

15:32 Code execution verified, gaining a shell

18:49 Reverse shell returned, running LinEnum.sh

21:26 Examining logs to find the Cron Job running as root

22:09 Privesc by placing a python root shell in script.py

24:15 Going back and getting a shell with NodeJSShell

shadow AI is terrifying