HTB-Code Writeup


Enumeration:
We find a Python code editor, interestingly:
print(locals()) gave me the following output:
print(globals()) revealed a lot of details too, but nothing interesting except a few functions.
I switched to Burp and ran the run_code function, where I noticed SQLAlchemy. (Ha ha, some juicy stuff.)
After running through some documentation I gave the following query:
users = User.query.all()
for user in users:
    print(user.username)
    print(user.password)
This gave me:
759b74ce43947f5f4c91aeddc3e5bad3
martin:3de6f30c4a09c27fc71932bfc68474be
Cracking these MD5 hashes we get:
There was nothing useful for user development!!! 😠 After spending a day, I decided to move on to martin.
I used hashcat, however it took forever.
I finally ran it with rockyou.txt (my computer died plenty of times before it cracked the hash) and got the password: nafeelswordsmaster.
Now SSH in as martin and we get a nice shell.
Now I started looking around for something interesting and came across a directory named /backups and an unusual script, /usr/bin/backy.sh.
Looking through backy.sh:
martin@code:~$ cat /usr/bin/backy.sh
#!/bin/bash

if [[ $# -ne 1 ]]; then
    /usr/bin/echo "Usage: $0 <task.json>"
    exit 1
fi

json_file="$1"

if [[ ! -f "$json_file" ]]; then
    /usr/bin/echo "Error: File '$json_file' not found."
    exit 1
fi

allowed_paths=("/var/" "/home/")

# strips the literal text "../" from every entry (a single, non-recursive pass)
updated_json=$(/usr/bin/jq '.directories_to_archive |= map(gsub("\\.\\./"; ""))' "$json_file")

/usr/bin/echo "$updated_json" > "$json_file"

directories_to_archive=$(/usr/bin/echo "$updated_json" | /usr/bin/jq -r '.directories_to_archive[]')

# plain string-prefix match against the allowed roots
is_allowed_path() {
    local path="$1"
    for allowed_path in "${allowed_paths[@]}"; do
        if [[ "$path" == $allowed_path* ]]; then
            return 0
        fi
    done
    return 1
}

for dir in $directories_to_archive; do
    if ! is_allowed_path "$dir"; then
        /usr/bin/echo "Error: $dir is not allowed. Only directories under /var/ and /home/ are allowed."
        exit 1
    fi
done

/usr/bin/backy "$json_file"
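The filter above deletes the text "../" once and then prefix-matches the raw string, which is the weakness the rest of this writeup works around. As an added example (not part of the box or this post), here is how a defender would write that check instead: resolve the path component by component and only then compare it against the allowed roots. It is pure POSIX sh and lexical only; a production version would also resolve symlinks with realpath.

```shell
#!/bin/sh
# Added example, not the box's backy.sh: a hardened is_allowed_path.
# Instead of deleting the text "../" and prefix-matching the raw string,
# resolve ".", ".." and repeated slashes component by component, then
# compare the normalised path against the allowed roots. Lexical only:
# a production version would additionally resolve symlinks (realpath).

allowed_roots="/var /home"   # the same roots backy.sh permits

# normalize_path PATH -> prints the lexically resolved absolute path.
# Relative input is rejected (prints nothing, returns 1). ".." at the
# root stays at the root, as in a real path walk.
normalize_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    _out=""
    _rest="${1#/}"
    while [ -n "$_rest" ]; do
        _seg="${_rest%%/*}"
        if [ "$_seg" = "$_rest" ]; then _rest=""; else _rest="${_rest#*/}"; fi
        case "$_seg" in
            ""|".") ;;                      # empty (double slash) or "."
            "..")   _out="${_out%/*}" ;;    # drop the last component
            *)      _out="$_out/$_seg" ;;
        esac
    done
    printf '%s\n' "${_out:-/}"
}

# is_allowed_path PATH -> 0 only if the normalised path is one of the
# allowed roots or lies beneath one; anything else is rejected.
is_allowed_path() {
    _canon=$(normalize_path "$1") || return 1
    for _root in $allowed_roots; do
        case "$_canon" in
            "$_root"|"$_root"/*) return 0 ;;
        esac
    done
    return 1
}

# Constructed check: /home/../etc normalises to /etc, outside both roots,
# so this prints "rejected".
if is_allowed_path "/home/../etc"; then echo allowed; else echo rejected; fi
```

Unlike the original, this accepts /var and /home themselves (not only paths with a trailing slash) and never rewrites the task file in place.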
This told me I needed to find a .json task file.
In /backups there was task.json with the following contents:
I ran backy.sh on task.json and found the following:
I found a .bz2 file; I extracted it and found the deployment code for the website. Nothing here was interesting, since we were well past that stage, but I searched around anyway.
Now I knew that I had to somehow modify this file to reach the files I wanted. (This was the hardest part of the box; I generated so many versions that I had to take a break and start again after a day.)
Modify task.json's "directories_to_archive" field from /../app-production to /../app. This will create a .bz2 archive that you can extract using tar -xf (this took a while to figure out).
Extracting the .bz2 file will create a home directory in which you can get the user flag.
To obtain root I had to modify task.json plenty of times, and I noticed that it removed "../" from directories_to_archive. It took me embarrassingly long to figure out that I needed to modify the exclude field too, and even after that it took me a while to get it right.
The correct task.json to get the root .bz2 file:
Now there's a new .bz2 file with root in the file name.
Extracting it gives you a root folder in which root.txt lies:
We pwned it YAYYY!!!!
I had gotten the root flag before the user flag; the user flag was harder to get, to be honest. I re-modified task.json and respawned the machine plenty of times to make sure I didn't miss out on the user flag (and got better screenshots, haha 🥲), and somehow managed to get root before user.
That said, this was a simple box, yet finding ways around it took quite a while. I rate this a 5/10.
Thank you for reading. See you again!!
Written by Shreyas D R