Code

Enumeration

Nmap

We can see it has an SSH port open and a web service, Gunicorn 20.0.4, open on port 5000

Basic virtual hosting: map code.htb to this IP by adding it to /etc/hosts

Web

Python Code Editor... Hmm...

So, I can try to send a Python RCE using https://www.revshells.com/ but... none of it works, so we need to search.

We need to try to break the Python 3 eval protections... Before investigating, I located this website:

Exploitation

With it we can see the subclasses used in this website

After searching, reading and talking with ChatGPT, I can obtain a way to get a reverse shell -->

User Flag

With it we can obtain the user flag in /home

Now, in app-production we have a folder named /app/instance, and it contains a database.db

We can obtain two user hashes; go to CrackStation, for example -->

Both use MD5, and we can obtain both passwords

martin:nafeelswordsmaster

Root Flag

I need to do the TTY treatment

We can see the martin user can run /usr/bin/backy.sh as root, so, before executing it, it asks us for a task.json

I will try to modify task.json and point it at the /root directory to back up the whole directory

Hmm... now to try path traversal -->

Execute and FAIL

We need to delete the exclude variable from the code; it gives us problems -->
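
A backup wrapper that runs as root and takes its directory list from a user-editable task.json has to decide which paths it is willing to archive. As an added example (not code from the box or from this writeup), here is a validator that canonicalises each path before comparing it with an allowlist; the field name `directories_to_archive` and the allowed roots are assumptions, not values from the page.

```python
import json
import os

# Assumed policy: only these trees may be archived (not taken from the page).
ALLOWED_ROOTS = ("/home", "/var")


def resolve_allowed(path, allowed_roots=ALLOWED_ROOTS):
    """Return the canonical path if it lies inside an allowed root, else None."""
    if not isinstance(path, str) or not os.path.isabs(path):
        return None
    # realpath collapses ".." and follows symlinks, so the check runs on the
    # location the archiver would really read, not on the string the user typed.
    real = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        # commonpath compares whole components: "/homework" is not under "/home".
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    return None


def validate_task(task_json, allowed_roots=ALLOWED_ROOTS):
    """Parse a task document; return (accepted, rejected) lists of directories."""
    task = json.loads(task_json)
    # "directories_to_archive" is a hypothetical field name.
    dirs = task.get("directories_to_archive") if isinstance(task, dict) else None
    if not isinstance(dirs, list) or not dirs:
        raise ValueError("task must list at least one directory")
    accepted, rejected = [], []
    for d in dirs:
        real = resolve_allowed(d, allowed_roots)
        if real is None:
            rejected.append(d)
        else:
            accepted.append(real)
    return accepted, rejected


# Constructed sample task, not the real file from the box.
SAMPLE_DIRS = ["/home/app-production/app", "/root", "/home/../root", "/homework"]
SAMPLE_TASK = json.dumps({"directories_to_archive": SAMPLE_DIRS})

if __name__ == "__main__":
    ok, bad = validate_task(SAMPLE_TASK)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check only holds if the archiver then reads the returned canonical paths in the same privileged process, since a symlink swapped in between validation and use would undo it.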
