In this post, I would like to share a walkthrough of the Codify machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Codify machine?
For the user flag, you will need to escape the sandbox and run a command on the host system, using that to get a reverse shell. Then I’ll find a hash in an SQLite database and crack it to get the next user.
As for the root flag, you need to target a script tasked with database backup management. I’ll demonstrate two methods to exploit this script by manipulating a Bash glob within an unquoted variable comparison.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Codify Machine
Once we have started the VPN connection, which requires downloading the configuration from Hack The Box, we can start.
┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $nmap -sC -sV 10.10.11.239 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 05:34 -02
Nmap scan report for 10.10.11.239
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_ 256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://codify.htb/
3000/tcp open http Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $
Let’s access the website interface.
There is not much to investigate except for the “Try it now” button and the “limitations” link.
We are redirected to an editor page when we click the “Try it now” button.
Therefore, let’s include some code that executes the command injection.
This is what it looks like on the Burpsuite version
Let’s start our listener
Let’s modify our code by replacing the “id” command with our reverse shell command.
At last, we managed to retrieve the reverse shell connection.
However, there’s no user flag for this user. Therefore, let’s investigate the /var/www directory.
After a while, I found some useful files inside the contact directory.
I notice that tickets.db is an SQLite database.
As a result, let’s access the database with the SQLite command.
There are only the tickets and users tables inside the database.
There is nothing much in the tickets table.
However, we managed to find the user’s hash, which belongs to Joshua.
Finally, we can obtain the password by using hashcat.
We can also crack the hash using John the Ripper.
Boom! We have finally accessed the machine via Joshua’s credentials.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
As usual, we can find the sudo-permitted binary by executing the “sudo -l” command.
The source code will look something like what is shown above.
After a while, we managed to obtain the password for root access.
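The glob issue the root step relies on comes down to one Bash comparison. As an added example (not the machine’s actual backup script; the secret value is a constructed placeholder), here is the unquoted comparison beside the quoted form that fixes it:

```shell
#!/usr/bin/env bash
# Added example, not code from the Codify box. STORED_SECRET is a constructed
# placeholder standing in for whatever value the real script compares against.
STORED_SECRET='hypothetical-secret-value'

# Weak form: inside [[ ]], an unquoted right-hand operand is treated as a glob
# pattern, not a literal string. A supplied value of "*" (or "hyp*") therefore
# matches the stored secret without knowing it.
check_unquoted() {
    local supplied="$1"
    if [[ $STORED_SECRET == $supplied ]]; then
        return 0
    fi
    return 1
}

# Hardened form: quoting the right-hand side forces a literal comparison.
# shellcheck flags the weak form above as SC2053.
check_quoted() {
    local supplied="$1"
    if [[ $STORED_SECRET == "$supplied" ]]; then
        return 0
    fi
    return 1
}

# Side-by-side demonstration on a few constructed inputs.
demo() {
    local input
    for input in 'hypothetical-secret-value' 'wrong' '*' 'hyp*'; do
        printf '%-28s unquoted:%s quoted:%s\n' "$input" \
            "$(check_unquoted "$input" && echo match || echo no)" \
            "$(check_quoted "$input" && echo match || echo no)"
    done
}

demo
```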
We can read the root flag by typing the “cat root.txt” command