Celestial hint

Anyone got a hint on editing the file that writes to the other file? Can’t get the command to run properly when the time rolls round again?

@svensen said:
Anyone got a hint on editing the file that writes to the other file? Can’t get the command to run properly when the time rolls round again?

I wrote the file on my local machine, put it on the RHOST. I managed to go from boot to root in 1 hour 20 mins, very happy with this box.

Got root flag. Can someone pm and explain why I had to edit that thing? i.e. where was the thing being called? I feel like I knew what to do the whole time, and eventually just guessed and got it but didn’t learn anything in priv esc.

Anyone able to PM on where I may be going wrong here with response to my payload:

SyntaxError: Unexpected token

at Object.parse (native)
at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/sun/server.js:11:24
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at /home/sun/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
at next (/home/sun/node_modules/express/lib/router/index.js:275:10)

Any Help much appreciated!

Ignore, got it.

If you need a hint check out /var/log/syslog

Just got user and root both in two hours, this is one of the easiest boxes, I am not able to understand why deren rook made such an easy box, at least the privesc should have had something :frowning:

Anyone mind PMing me on this? I think I have the right idea, I just wanted to pass some ideas.

Stuck on the payload. Following the article, but I guess the code needs to be modified. I think I am missing something. Can anyone PM me please?

It took me days to figure out how to get user. It is the most interesting part.
Although got the root.txt, I don’t feel so well to say “own root”.

I don’t know what happened, just started executing binaries and doing stuff and got the flag without being root by just asking cat nicely to print it to me xD.

Hey everyone 3ndG4me author of Celestial here.

This is an amazing thread, save for any spoilers that have been weeded out. I am so glad many of you have been learning from Celestial and having fun with it!

For those who have not, try harder :wink:

Since Celestial has been out for some time now, I did want to offer some advice based on this thread. Hopefully it will steer those on the brink of an initial shell in the right direction. Don’t focus so much on googling for “NodeJS exploit” or finding the article everyone in this thread references. While that information is close, it could lead you to bashing your head against the wall. Instead I suggest using that information as a tip, and paying very close attention to any error messages you may get back.

As for priv esc…enumerate, pay attention, and try harder :slight_smile:

Hope you all enjoy Celestial!!!

Could someone please PM me with a hint for privesc? I see the file, I see the script and I see the job running it, but I can’t seem to figure out how to make it behave as I want…

Can someone PM me about the exploit? I was able to get it to work last week before I took off for the weekend but am having no luck on the reverse shell. I’ve already got the user hash and everything, but can’t figure out why I’m failing now. I can send my code to whoever PMs me as well.

Stuck on the reverse shell part… Need a nudge over PM please.

Just got root on this one. I know I had tried what finally worked last week but it never gave me a shell. Worked first time I tried tonight. Getting the initial shell was much more interesting than getting root. Just a matter of patience in the end.

As @3ndG4me says, the vulnerability is very similar to the one mentioned in the article but is not the same.
Try feeding it different data types and see what happens. Once you understand what the code is doing, it is really easy to make the exploit work.

Nvm. I was focused too much on getting a root shell rather than actually getting root.txt

Any particular reason my code would work one day and not now? I see others have had trouble with this and eventually got this, but I’ve tried at least once a day the past few days with the same exact code.

Nevermind. Backspace is the death of me.

Machine goes down 50% of the time and this is really annoying(
I think that I am totally lost on privesc, could someone DM me please?