Codify — Attack Chain (COMPLETE)

Full Path: Nmap → Web Enum → vm2 Identified (About page) → CVE-2023-30547 Sandbox Escape → RCE as svc → Rev Shell (wget + bash script) → SQLite DB (/var/www/contact/tickets.db) → joshua bcrypt hash → John crack (spongebob1) → SSH as joshua → User Flag → sudo mysql-backup.sh → Bash glob pattern brute-force → Root password (kljh12k3jhaskjh12kjh3) → su root → Root Flag

Branch Points

1. How to get code execution?

  • Chosen: vm2 sandbox escape (CVE-2023-30547) — bypasses child_process/fs restrictions entirely

2. Reverse shell delivery

  • Chosen: Hosted rev shell script on Python HTTP server, wget'd to target, executed with bash
  • Why not direct: spawnSync passes its arguments as an array straight to the program, not through a shell, so redirects and pipes in a one-liner rev shell are never interpreted

3. svc → joshua (lateral movement)

  • Chosen: Found SQLite DB in /var/www/contact/tickets.db → cracked joshua's bcrypt hash with john + rockyou → SSH as joshua

4. joshua → root (privilege escalation)

  • Chosen: sudo -l revealed (root) /opt/scripts/mysql-backup.sh → the unquoted right-hand operand in [[ $DB_PASS == $USER_PASS ]] is treated as a glob pattern rather than a literal string, so a guess like k* matches any password starting with k → brute-forced the root password one character at a time using a ${char}* pattern → su root
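The [[ == ]] quoting bug behind branch point 4, as an added example that is not part of the original write-up and not the contents of mysql-backup.sh: the vulnerable comparison beside its quoted form, plus a small grep an auditor can run over shell scripts to find the same pattern. The secret and candidate strings are constructed for the demo; function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the write-up): inside bash's [[ ]], an unquoted
# right-hand operand is matched as a glob pattern, so a candidate such as 'k*'
# "matches" any secret beginning with k and leaks one character per comparison.
# Quoting both operands restores a literal string comparison.
# Each check runs inside an explicit bash so it behaves the same whether this
# file is executed by sh or bash. Both print "match" or "nomatch".

# Vulnerable form, shaped like the script's [[ $DB_PASS == $USER_PASS ]].
vulnerable_check() {
    bash -c '[[ $1 == $2 ]] && echo match || echo nomatch' _ "$1" "$2"
}

# Hardened form: quoted operands, so * and ? in the candidate are literal.
hardened_check() {
    bash -c '[[ "$1" == "$2" ]] && echo match || echo nomatch' _ "$1" "$2"
}

# Audit helper: reads shell script text on stdin and prints (with line numbers)
# every [[ ... == $VAR ]] comparison whose right-hand operand is an unquoted
# variable, i.e. the glob-matching case. Prints nothing when the script is clean.
find_unquoted_compare() {
    grep -nE '\[\[[^]]*==[[:space:]]*\$\{?[A-Za-z_][A-Za-z0-9_]*\}?[[:space:]]*\]\]' || true
}

# Constructed demo values (not the box's real password).
SECRET='demo-secret'
vulnerable_check "$SECRET" 'd*'   # match: the glob leaks the first character
hardened_check  "$SECRET" 'd*'    # nomatch: '*' is now a literal character
hardened_check  "$SECRET" "$SECRET"   # match: exact string still compares equal
printf '%s\n' 'if [[ $DB_PASS == $USER_PASS ]]; then' | find_unquoted_compare
printf '%s\n' 'if [[ "$DB_PASS" == "$USER_PASS" ]]; then' | find_unquoted_compare
```

The fix for a script like this is the quoted form; the grep is a cheap way to scan /opt/scripts or any sudo-exposed script for the unquoted pattern before an attacker does.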