@eransh10 said:
Ok - first - this may be a spoiler so take it into consideration.
Now - I managed (using burp suite) to fin the following: "username":"******","country":"********","city":"*********","num":"*******"
Question is - where do I enter this username and these creds? ?
i have this,but now what,i thnik i have the id,now how i can send this to the request.
After getting the user flag I am struggling to stay connected to Celestial server. Is there anything I can do to improve stability on my my connection with this bloody server?
@svensen said:
Anyone got a hint on editing the file that writes to the other file? Can't get the command to run properly when the time rolls round again?
I wrote the file on my local machine, put in on the RHOST. I managed to go from boot to root in 1 hour 20 mins, very happy with this box.
Got root flag. Can someone pm and explain why I had to edit that thing? i.e. where was the thing being called? I feel like I knew what to do the whole time, and eventually just guessed and got it but didn't learn anything in priv esc.
Anyone able to PM on where I may be going wrong here with response to my payload:
SyntaxError: Unexpected token
at Object.parse (native)
at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/sun/server.js:11:24
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at /home/sun/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
at next (/home/sun/node_modules/express/lib/router/index.js:275:10)
Just got user and root both in two hours, this is one of the easiest box, i am not able to understand why deren rook made such an easy box, atleast the privesc should have had something
I don't know what happened, just started executing binaries and doing stuff and got the flag without being root by just asking cat nicely to print it to me xD.
This is an amazing thread, save for any spoilers that have been weeded out. I am so glad many of you have been learning from Celestial and having fun with it!
For those who have not, try harder
Since Celestial has been out for some time now, I did want to offer some advice based on this thread. Hopefully it will steer those on the brink of an initial shell in the right direction. Don't focus so much on googling for "NodeJS exploit" or finding the article everyone in this thread references. While that information is close it could lead you to bashing your head against the wall. Instead I suggest using that information as a tip, and instead pay very close attention to any error messages you may get back.
As for priv esc...enumerate, pay attention, and try harder
Could someone please PM me with a hint for privesc? I see the file, i see the script and i see the job running it, but i can't seem to figure out how to make it behave as i want....
Can someone PM me about the exploit? I was able to get it work last week before I took off for the weekend but getting no luck on the reverse shell. I've already got the user hash and everything, but can't figure out why I'm failing now. I can send my code to whomever PM's me as well.
Just got root on this one. I know I had tried what finally worked last week but it never gave me a shell. Worked first time I tried tonight. Getting the initial shell was much more interesting than getting root. Just a matter of patience in the end.
As @3ndG4me says, the vulnerability is very similar to the one mentioned in the article but is not the same.
Try feeding it different data types and see what happens. Once you understand what the code is doing, is really easy to make the exploit work.
Comments
If anyone needs a little nudge, feel free to PM me
okay so edited the file and got the root shell. can someone pm me/reply what actually triggered the file? still kinda confused
btw got it. thanks!
i need little bit help with priv esc ...i found python script and txt file in home dir
i have this,but now what,i thnik i have the id,now how i can send this to the request.
I have the Json,but now what?,can i send this with bursp?
Need help with the Payload! Please PM me.
@Pisedoff @Killll Just type on google Node JS exploit ,you will found a good resurse ,and try to use a python tool for regenerate payload
After getting the user flag I am struggling to stay connected to Celestial server. Is there anything I can do to improve stability on my my connection with this bloody server?
once you have enumerated enough
patience is the key with this one with priv esc !!
@sh4nk i use LinEnum.sh ...but i dont see nothing intresting ...maybe i need some documentation
check for scheduled tasks @T3jv1l ... there's something suspicious being executed
If you are getting "An error occurred...invalid username type" named error message, you can try to listener method. and hint priv. esc. ??
Anyone got a hint on editing the file that writes to the other file? Can't get the command to run properly when the time rolls round again?
I wrote the file on my local machine, put in on the RHOST. I managed to go from boot to root in 1 hour 20 mins, very happy with this box.
Got root flag. Can someone pm and explain why I had to edit that thing? i.e. where was the thing being called? I feel like I knew what to do the whole time, and eventually just guessed and got it but didn't learn anything in priv esc.
Anyone able to PM on where I may be going wrong here with response to my payload:
SyntaxError: Unexpected token
Any Help much appreciated!
Ignore, got it.
If you need a hint check out /var/log/syslog
Just got user and root both in two hours, this is one of the easiest box, i am not able to understand why deren rook made such an easy box, atleast the privesc should have had something
Anyone mind PMing me on this? I think I have the right idea, I just wanted to pass some ideas.
Stuck on the payload. Following the article, but I guess the code needs to be modified. I think I am missing something. Can anyone PM me please?
OSCP
It consumed me days to figure out hw to get user. It is the most interesting part.
Although got the root.txt, I dont feel so well to say "own root".
CISSP
++Repect If you think I help =]
I don't know what happened, just started executing binaries and doing stuff and got the flag without being root by just asking
catnicely to print it to me xD.Hey everyone 3ndG4me author of Celestial here.
This is an amazing thread, save for any spoilers that have been weeded out. I am so glad many of you have been learning from Celestial and having fun with it!
For those who have not, try harder
Since Celestial has been out for some time now, I did want to offer some advice based on this thread. Hopefully it will steer those on the brink of an initial shell in the right direction. Don't focus so much on googling for "NodeJS exploit" or finding the article everyone in this thread references. While that information is close it could lead you to bashing your head against the wall. Instead I suggest using that information as a tip, and instead pay very close attention to any error messages you may get back.
As for priv esc...enumerate, pay attention, and try harder
Hope you all enjoy Celestial!!!
Could someone please PM me with a hint for privesc? I see the file, i see the script and i see the job running it, but i can't seem to figure out how to make it behave as i want....
Can someone PM me about the exploit? I was able to get it work last week before I took off for the weekend but getting no luck on the reverse shell. I've already got the user hash and everything, but can't figure out why I'm failing now. I can send my code to whomever PM's me as well.
OSCP
Just got root on this one. I know I had tried what finally worked last week but it never gave me a shell. Worked first time I tried tonight. Getting the initial shell was much more interesting than getting root. Just a matter of patience in the end.
As @3ndG4me says, the vulnerability is very similar to the one mentioned in the article but is not the same.
Try feeding it different data types and see what happens. Once you understand what the code is doing, is really easy to make the exploit work.
Nvm. I was focused too much on getting a root shell than actually get root.txt