In this post, I would like to share a walkthrough of the Codify Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the Codify machine?


For the user flag, you will need to escape and run a command on the host system, using that to get a reverse shell. Then I’ll find a hash in an SQLite database and crack it to get the next user.


As for the root flag, you need a script tasked with database backup management that will be targeted for exploitation. I’ll demonstrate two methods to exploit this script by manipulating a Bash glob within an unquoted variable comparison.

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Codify Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start

┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $nmap -sC -sV 10.10.11.239 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 05:34 -02
Nmap scan report for 10.10.11.239
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_  256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://codify.htb/
3000/tcp open  http    Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $

Let’s access the website interface


There is not much to investigate except for the button “Try it now” and the “limitations” link.

A screenshot of a computer

Description automatically generated

We have redirected to an editor page when we click the “Try it now” button

A screenshot of a computer

Description automatically generated

Therefore, let’s include some code that executes the command injection

A screenshot of a computer

Description automatically generated
A screenshot of a computer screen

Description automatically generated

This is what it looks like on the Burpsuite version


Let’s start our listener

A screenshot of a computer

Description automatically generated

Let’s modify our code by replacing the “id” with our reverse shell command

A black screen with a white stripe

Description automatically generated

At last, we managed to retrieve the reverse shell connection

A computer screen with blue text

Description automatically generated

However, there’s no user flag on this user. Therefore let’s investigate the /var/www directory


After a while, I found some useful files inside the contact directory


I notice that tickets.db is a SQLite database

A screen shot of a computer

Description automatically generated

As a result, let’s access the database with the SQLite command

A screen shot of a computer screen

Description automatically generated

There are only tickets and user tables inside the database.

A black background with green text

Description automatically generated

Nothing much on the tickets


However, we managed to find the users hash which belongs to Joshua

A screenshot of a computer

Description automatically generated
A screenshot of a computer program

Description automatically generated

Finally, we can obtain the password by using hashcat

A computer screen with green text

Description automatically generated

We also can also cracked the hash using john the ripper


Boom! We have finally accessed the machine via Joshua’s credentials

A computer code with green and blue text

Description automatically generated

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

A green text on a black background

Description automatically generated

As usual, we can find the binary by executing the “sudo -l” command


The source code will look something as shown above

A screenshot of a computer error

Description automatically generated


After a while, we managed to obtain the password for root access



We can read the root flag by typing the “cat root.txt” command