Celestial hint



  • If anyone needs a little nudge, feel free to PM me

  • edited May 2018

    okay so edited the file and got the root shell. can someone pm me/reply what actually triggered the file? still kinda confused

  • @mxchai said:
    If anyone needs a little nudge, feel free to PM me

    btw got it. thanks!

  • edited May 2018

    i need little bit help with priv esc ...i found python script and txt file in home dir

  • @eransh10 said:
    Ok - first - this may be a spoiler so take it into consideration.
    Now - I managed (using burp suite) to fin the following: "username":"******","country":"********","city":"*********","num":"*******"
    Question is - where do I enter this username and these creds? ?

    i have this,but now what,i thnik i have the id,now how i can send this to the request.

  • I have the Json,but now what?,can i send this with bursp?

  • Need help with the Payload! Please PM me.

  • @Pisedoff @Killll Just type on google Node JS exploit ,you will found a good resurse ,and try to use a python tool for regenerate payload

  • After getting the user flag I am struggling to stay connected to Celestial server. Is there anything I can do to improve stability on my my connection with this bloody server?


  • once you have enumerated enough

    patience is the key with this one with priv esc !!

  • @sh4nk i use LinEnum.sh ...but i dont see nothing intresting ...maybe i need some documentation

  • check for scheduled tasks @T3jv1l ... there's something suspicious being executed

  • edited May 2018

    If you are getting "An error occurred...invalid username type" named error message, you can try to listener method. and hint priv. esc. ??


  • Anyone got a hint on editing the file that writes to the other file? Can't get the command to run properly when the time rolls round again?

  • @svensen said:
    Anyone got a hint on editing the file that writes to the other file? Can't get the command to run properly when the time rolls round again?

    I wrote the file on my local machine, put in on the RHOST. I managed to go from boot to root in 1 hour 20 mins, very happy with this box.

  • Got root flag. Can someone pm and explain why I had to edit that thing? i.e. where was the thing being called? I feel like I knew what to do the whole time, and eventually just guessed and got it but didn't learn anything in priv esc.

  • Anyone able to PM on where I may be going wrong here with response to my payload:

    SyntaxError: Unexpected token

    at Object.parse (native)
    at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
    at /home/sun/server.js:11:24
    at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
    at /home/sun/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
    at next (/home/sun/node_modules/express/lib/router/index.js:275:10)

    Any Help much appreciated!

  • edited May 2018

    Ignore, got it.

    If you need a hint check out /var/log/syslog

  • Just got user and root both in two hours, this is one of the easiest box, i am not able to understand why deren rook made such an easy box, atleast the privesc should have had something :(

  • Anyone mind PMing me on this? I think I have the right idea, I just wanted to pass some ideas.


  • Stuck on the payload. Following the article, but I guess the code needs to be modified. I think I am missing something. Can anyone PM me please?


  • It consumed me days to figure out hw to get user. It is the most interesting part.
    Although got the root.txt, I dont feel so well to say "own root".

    Hack The Box
    ++Repect If you think I help =]

  • I don't know what happened, just started executing binaries and doing stuff and got the flag without being root by just asking cat nicely to print it to me xD.

  • edited June 2018

    Hey everyone 3ndG4me author of Celestial here.

    This is an amazing thread, save for any spoilers that have been weeded out. I am so glad many of you have been learning from Celestial and having fun with it!

    For those who have not, try harder ;)

    Since Celestial has been out for some time now, I did want to offer some advice based on this thread. Hopefully it will steer those on the brink of an initial shell in the right direction. Don't focus so much on googling for "NodeJS exploit" or finding the article everyone in this thread references. While that information is close it could lead you to bashing your head against the wall. Instead I suggest using that information as a tip, and instead pay very close attention to any error messages you may get back.

    As for priv esc...enumerate, pay attention, and try harder :)

    Hope you all enjoy Celestial!!!

  • Could someone please PM me with a hint for privesc? I see the file, i see the script and i see the job running it, but i can't seem to figure out how to make it behave as i want....

  • Can someone PM me about the exploit? I was able to get it work last week before I took off for the weekend but getting no luck on the reverse shell. I've already got the user hash and everything, but can't figure out why I'm failing now. I can send my code to whomever PM's me as well.

  • edited June 2018
    Stuck on the reverse shell part.... Need a nudge over PM please.


  • Just got root on this one. I know I had tried what finally worked last week but it never gave me a shell. Worked first time I tried tonight. Getting the initial shell was much more interesting than getting root. Just a matter of patience in the end.

  • As @3ndG4me says, the vulnerability is very similar to the one mentioned in the article but is not the same.
    Try feeding it different data types and see what happens. Once you understand what the code is doing, is really easy to make the exploit work.

  • Nvm. I was focused too much on getting a root shell than actually get root.txt

Sign In to comment.