Hello hacker, I just wanted to share with you a simple walkthrough of a Hack The Box Season III active machine.
Codify is a simple, easy machine from HTB Season III. It runs a Node.js editor built on vm2, and that vm2 version is vulnerable to remote code execution.
Here is how I solved the box.
nmap reveals two interesting ports (22 and 80). For port 22 we have no credentials to log in with, but port 80 is a running web service, and from it we can also see that the box has a domain.
Domain: codify.htb (I added it to /etc/hosts)
From here we can see that it is running Node.js. Clicking (Try it now) led me to a Node.js text editor. Since we didn't have much information about the Node.js setup, we decided to check the other functionality.
It seems child_process is restricted, and so is fs; that one was awesome. Check this out: if child_process and fs had been enabled, getting RCE from the text editor would have been very, very easy.
Moving on, I found this interesting text on the About Us page.
vm2 (virtual machine 2) is a library that provides a secure and sandboxed environment for executing JavaScript code, primarily used in server-side environments such as Node.js.
If you view the source code you will find that it is v3.9.16.
From here I already knew what I was dealing with, so my next step was to google for a CVE, if one was available.
And I found this PoC for how to exploit it: PoC
Time for a reverse shell: just replace the IP with yours and your favourite port number, and remember to start a listener on your terminal.
And I got a shell on my terminal.
Since I had a reverse shell, I stabilized it like a pro and moved on to my next phase.
From here we have many options, such as uploading linpeas or pspy64 and letting them help us do some more analysis of the target. But I just went straight in.
We can now check the number of users with shells so that we know what we're dealing with inside this server.
Users with shells are:
NOTE: we can also get all this information from linpeas; it is good at finding user details and common bugs.
Normally my next stop is to check the /var/www directory and see if I can find any juicy information.
As we see in the contacts, we find a tickets.db file containing a username and a password hash.
The hash type is bcrypt (Blowfish-based), hashcat mode 3200, so we can use hashcat or John to crack it, simple as that. I have already cracked the hash:
username: joshua
password: spongebob1
Time now to log in to the server as user joshua with our creds.
For privilege escalation, first of all I usually check for a vulnerable kernel, but to be frankly open, this technique only works for me on about 80% of TryHackMe and PwnTillDawn machines (that's why I slowed down on doing them, because it even works for insane and hard machines; many of them are vulnerable to kernel exploits, so I usually find myself rooting them easily, despite that not being the intended way to do the machine).
Okay, this machine was not even vulnerable to a kernel exploit.
Since my first approach didn't work I moved on to "sudo -l", which will work as long as you have the password for joshua.
Now we can see that user joshua may run the mysql-backup.sh script as root.
We can do more analysis of the script; let's visit its location and see what it has in there.
In order to get root access we have to understand the script first.
It's a bash script. It begins by initializing DB_USER as 'root', then it initializes DB_PASS from a file located in the root directory, and it also sets the path where the MySQL backup should be created.
After that the script prompts the user for the password and compares it with the one present in /root/.creds. When the password matches it displays "Password confirmed!" and proceeds to the next phase, where it creates a MySQL backup, compresses it and writes it to "BACKUP_DIR/db.sql.gz".
That was a little simple overview of the script, but the script does a bunch of stuff, so on your own time just give it a read. For example, with the script it is possible to list the databases with an invalid DB_PASS, so take your time and read the script well.
When the script reads the user's password it doesn't do any filtering, and the way the shell compares it lets you supply something else that matches in place of the real value.
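Here is an added example, not the mysql-backup.sh from the box, that reproduces the class of bug being described: the typed password is compared with the stored one as an unquoted shell pattern, so shell globbing applies and '*' matches any secret. The comparison is written with a POSIX `case` so it runs under plain sh; bash's unquoted `[[ $stored == $typed ]]` behaves the same way. DB_PASS is a constructed placeholder, and the hardened version quotes the user's input so it is compared literally.

```shell
#!/bin/sh
# Added example (not the box's script). DB_PASS is a constructed placeholder,
# not the real credential from the machine.
DB_PASS='constructed-placeholder-secret'

# Vulnerable check: the user's input is used unquoted as a case pattern, so
# shell globbing applies and '*' matches anything.
check_vulnerable() {
    user_pass="$1"
    case "$DB_PASS" in
        $user_pass) echo "confirmed" ;;   # unquoted pattern: glob match
        *)          echo "denied" ;;
    esac
}

# Hardened check: quoting the pattern side turns it into a literal comparison,
# so only the exact stored value is accepted.
check_fixed() {
    user_pass="$1"
    case "$DB_PASS" in
        "$user_pass") echo "confirmed" ;;  # quoted: literal comparison only
        *)            echo "denied" ;;
    esac
}

# Quick demonstration when run directly.
printf 'vulnerable, input "*":  %s\n' "$(check_vulnerable '*')"
printf 'hardened,   input "*":  %s\n' "$(check_fixed '*')"
printf 'hardened,   real value: %s\n' "$(check_fixed "$DB_PASS")"
```

In bash the same fix is `[[ "$DB_PASS" == "$USER_PASS" ]]` with the right-hand side quoted, or the POSIX `[ "$DB_PASS" = "$USER_PASS" ]`; reading the prompt with `read -s` additionally keeps the typed value off the terminal.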
Now create another session as user joshua, and from the first session upload the pspy64 binary.
N/B: pspy64 is good at analysing what is going on with every interesting process on the computer.
While pspy64 was running in the second session I decided to try running the script with sudo.
I tried with the password '*' and boom, I got juicy info.
In the second session, if we take a close look we will find something like this:
Now from here we can see that it is trying to run mysql with user 'root' and password 'kljh12k3jhaskjh12kjh3'. Since the backup was created successfully, this must be the password that was required.
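Why pspy could see the password: anything passed as a command-line argument is readable by every local user through /proc/<pid>/cmdline (which is what ps and pspy read), so a backup script that hands the password to mysql as an argument publishes it to anyone watching the process list. The following is an added example, not code from the box, that demonstrates the leak with a harmless placeholder process and shows the usual mitigation of putting the credentials in a mode-0600 option file passed via `--defaults-extra-file`, so argv only carries a file path. It assumes a Linux /proc (with a `ps` fallback); the secret and file names are constructed, and the mysqldump invocation is shown in a comment rather than executed since no MySQL server is assumed.

```shell
#!/bin/sh
# Added example (not the box's script): shows why a password placed in a
# command's arguments is visible to every local user, and one way to avoid it.

# Return the command line of a process as any other local user would see it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"      # fallback for systems without /proc
    fi
}

# Start a harmless long-running process with the secret in its arguments and
# report "yes" if the secret can be read back from its command line.
leaks_via_argv() {
    secret="$1"
    # Two commands in the -c string, so sh keeps running (and keeps its argv)
    # instead of exec'ing straight into sleep.
    sh -c 'while :; do sleep 1; done' placeholder "$secret" >/dev/null 2>&1 &
    pid=$!
    sleep 1                      # give the child time to exec
    line=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    case "$line" in
        *"$secret"*) echo yes ;;
        *)           echo no ;;
    esac
}

# Safer pattern: write the credentials to an option file readable only by the
# owner and point the mysql client at it; argv then carries only the path.
write_mysql_option_file() {
    file="$1"
    password="$2"
    ( umask 077
      printf '[client]\nuser=root\npassword=%s\n' "$password" > "$file" )
    # Print the permission string so the caller can confirm it is -rw-------
    ls -l "$file" | cut -c1-10
}

# The backup would then be taken as (shown, not executed in this example):
#   mysqldump --defaults-extra-file="$OPTFILE" --all-databases | gzip > "$BACKUP_DIR/db.sql.gz"

# Demonstration when run directly (constructed value).
echo "secret visible in argv: $(leaks_via_argv 'constructed-secret-123')"
```

The option file must live somewhere only root can read (the script already runs as root via sudo), and the same reasoning applies to any tool that accepts a secret as a flag: environment variables are only readable by the same user, files can be locked down with permissions, but argv is public to the whole box.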
The machine was really interesting, and what I love about HTB is that I usually learn something new with every pentest I do. We are currently almost done with Season IV (Savage Lands); it's fun and tough, this season with Windows machines.