Codify
Had to edit the hosts file to get the webpage
Checking out their About Us page
whoami shows us the svc user. Also looking at /etc/passwd, we see an additional user, joshua
Trying to run Hydra against the user joshua for a password
joshua:spongebob1
Running it normally didn't work so I encoded it
Full command
We have shell as svc
Seeing what permissions we have
After getting into a shell as the svc user, I got joshua's password with Hydra.
User flag: c53cdd4688463871ba3f4020ab6f3ccb
We have the note of "User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh", so looking at the shell file
Running that as root we get
Root pass: kljh12k3jhaskjh12kjh3
Root flag: 4e43f866588b3b3433196af3cef8b768
Looking around for VM2 CVEs, I found out about RCE with VM2 after seeing a couple of others. Testing the other PoCs, I didn't get anywhere until I found this one. We can run commands on the host, bypassing the VM.
Working to get a shell as svc. Looking around for reverse shell, I found .
Initiate another SSH session. Get pspy64 onto the target machine, run it, then run the /opt/scripts/mysql-backup.sh script