In this post, I would like to share a walkthrough of the Codify machine from Hack the Box.
This machine is rated Easy on Hack the Box.

What will you gain from the Codify machine?
For the user flag, you will need to escape the website's code sandbox and run a command on the host system, then use that to get a reverse shell. After that, I'll find a hash in an SQLite database and crack it to get the next user.
As for the root flag, a script tasked with database backup management is the target for exploitation. I'll demonstrate two methods to exploit this script by manipulating a Bash glob within an unquoted variable comparison.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Codify Machine
Once we have started the VPN connection, which requires downloading the connection pack from Hack the Box, we can begin with an nmap scan
┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $nmap -sC -sV 10.10.11.239 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 05:34 -02
Nmap scan report for 10.10.11.239
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_ 256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://codify.htb/
3000/tcp open http Node.js Express framework
|_http-title: Codify
Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/codify]
└──╼ $
Let’s access the website interface

There is not much to investigate except for the button “Try it now” and the “limitations” link.

We are redirected to an editor page when we click the "Try it now" button

Therefore, let's enter some code that performs command injection


This is what the request looks like in Burp Suite

Let’s start our listener

Let’s modify our code by replacing the “id” with our reverse shell command

At last, we managed to retrieve the reverse shell connection

However, there is no user flag for this user. Therefore, let's investigate the /var/www directory

After a while, I found some useful files inside the contact directory

I notice that tickets.db is an SQLite database

As a result, let's open the database with the sqlite3 command-line tool

There are only tickets and user tables inside the database.

Nothing much on the tickets

However, we managed to find the password hash for the user Joshua


Finally, we can recover the password by cracking the hash with hashcat

We can also crack the hash using John the Ripper

Boom! We have finally accessed the machine over SSH with Joshua's credentials

We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access

As usual, we can find the binary Joshua is allowed to run with sudo by executing the "sudo -l" command

The script's source code looks like what is shown above


After a while, we managed to recover the root password by abusing the unquoted comparison in the script
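The root step above relies on a Bash pitfall that is worth seeing in isolation: inside [[ ]], an unquoted right-hand side of == is treated as a glob pattern rather than a literal string, so a wildcard submitted as the "password" matches any real secret. The script below is an added, constructed example written for this walkthrough; it is not the backup script from the machine, and the SECRET value and function names are placeholders. It shows the vulnerable comparison next to the quoted, hardened form.

```shell
#!/usr/bin/env bash
# Added example, not the machine's backup script.
# Demonstrates why an unquoted right-hand side in a bash [[ ]] comparison
# lets a glob pattern (for example '*') match any secret.

SECRET='correct-horse-battery'   # constructed placeholder secret

# Vulnerable form: $candidate is expanded as a glob PATTERN, not a literal,
# because the right-hand side of == inside [[ ]] is unquoted.
check_unquoted() {
  local candidate="$1"
  if [[ $SECRET == $candidate ]]; then
    return 0   # reported as a match
  fi
  return 1
}

# Hardened form: quoting the right-hand side forces a literal string comparison.
check_quoted() {
  local candidate="$1"
  if [[ "$SECRET" == "$candidate" ]]; then
    return 0
  fi
  return 1
}

# Print "match" / "no match" for a given checker and candidate (demo output only).
report() {
  local checker="$1" candidate="$2"
  if "$checker" "$candidate"; then
    echo "$checker '$candidate' -> match"
  else
    echo "$checker '$candidate' -> no match"
  fi
}

main() {
  report check_unquoted 'correct-horse-battery'  # match, as intended
  report check_unquoted 'wrong-guess'            # no match
  report check_unquoted '*'                      # match: the wildcard is accepted, this is the bug
  report check_quoted   '*'                      # no match: literal comparison, fixed
  report check_quoted   'correct-horse-battery'  # match, as intended
}

main
```

The fix is to quote the right-hand side of the comparison (only the right-hand side matters inside [[ ]], since [[ ]] does no word splitting on the left). The POSIX test builtin, [ "$SECRET" = "$candidate" ], always compares literally and does not have this trap; the same pattern-matching behaviour does apply to case statements, so user input should never be used as a case pattern either. When reviewing a privileged script such as one permitted via sudo, any [[ $x == $y ]] where one side is attacker-controlled should be treated as a finding.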


We can read the root flag by typing the “cat root.txt” command