Celestial hint

@Pisedoff @Killll Just type Node JS exploit on Google, you will find a good resource, and try to use a Python tool to regenerate the payload

After getting the user flag I am struggling to stay connected to Celestial server. Is there anything I can do to improve stability on my connection with this ■■■■■■ server?

once you have enumerated enough

patience is the key with this one with priv esc !!

@sh4nk I use LinEnum.sh … but I don’t see anything interesting … maybe I need some documentation

check for scheduled tasks @T3jv1l … there’s something suspicious being executed

If you are getting an error message like “An error occurred…invalid username type”, you can try the listener method. And a hint for priv. esc.??

Anyone got a hint on editing the file that writes to the other file? Can’t get the command to run properly when the time rolls round again?

@svensen said:
Anyone got a hint on editing the file that writes to the other file? Can’t get the command to run properly when the time rolls round again?

I wrote the file on my local machine, put it on the RHOST. I managed to go from boot to root in 1 hour 20 mins, very happy with this box.

Got root flag. Can someone pm and explain why I had to edit that thing? i.e. where was the thing being called? I feel like I knew what to do the whole time, and eventually just guessed and got it but didn’t learn anything in priv esc.

Anyone able to PM on where I may be going wrong here with response to my payload:

SyntaxError: Unexpected token

at Object.parse (native)
at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/sun/server.js:11:24
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at /home/sun/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
at next (/home/sun/node_modules/express/lib/router/index.js:275:10)

Any Help much appreciated!

Ignore, got it.

If you need a hint check out /var/log/syslog

Just got user and root both in two hours, this is one of the easiest boxes, I am not able to understand why deren rook made such an easy box, at least the privesc should have had something :frowning:

Anyone mind PMing me on this? I think I have the right idea, I just wanted to pass some ideas.

Stuck on the payload. Following the article, but I guess the code needs to be modified. I think I am missing something. Can anyone PM me please?

It took me days to figure out how to get user. It is the most interesting part.
Although I got the root.txt, I don’t feel so well to say “own root”.

I don’t know what happened, just started executing binaries and doing stuff and got the flag without being root by just asking cat nicely to print it to me xD.

Hey everyone 3ndG4me author of Celestial here.

This is an amazing thread, save for any spoilers that have been weeded out. I am so glad many of you have been learning from Celestial and having fun with it!

For those who have not, try harder :wink:

Since Celestial has been out for some time now, I did want to offer some advice based on this thread. Hopefully it will steer those on the brink of an initial shell in the right direction. Don’t focus so much on googling for “NodeJS exploit” or finding the article everyone in this thread references. While that information is close it could lead you to bashing your head against the wall. Instead I suggest using that information as a tip, and instead pay very close attention to any error messages you may get back.

As for priv esc…enumerate, pay attention, and try harder :slight_smile:

Hope you all enjoy Celestial!!!

Could someone please PM me with a hint for privesc? I see the file, I see the script and I see the job running it, but I can’t seem to figure out how to make it behave as I want…

Can someone PM me about the exploit? I was able to get it to work last week before I took off for the weekend but I’m having no luck on the reverse shell. I’ve already got the user hash and everything, but can’t figure out why I’m failing now. I can send my code to whoever PMs me as well.

Stuck on the reverse shell part… Need a nudge over PM please.