CodeTwo
Information Gathering
The server has two ports open:
- 22
  - SSH is blocked by authentication
- 8000
  - Running a simple webpage with a login, register, and download link
  - Login and register are not vulnerable to SQL injection
  - The download link downloads the code for the web application
  - After creating an account we see that you can input JavaScript code and run it on the application, as well as download the written code.
After downloading the app.zip from the web application we can read through app.py and other components of the application.
- Looking at app.py, we see that it is using js2py.eval_js(code) to evaluate the JavaScript code in Python.
- From app.py we also see a secret Flask key and that it is using a users.db.
- The downloaded database is empty but perhaps we can use that later.
- From
Exploitation
We want to exploit this code runner but we need to somehow escape the js2py function or exploit it. Luckily, there is a publicly known vulnerability, CVE-2024-28397, and an exploit written by Marven11 on GitHub: https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
We can simply paste the payload into the text box and change the command to a bash reverse shell and connect with netcat.
From here, we can read the previously discovered users.db and output the usernames and password hashes. We then see that marco is the first user, along with his hash.
- From reading app.py we saw that it is using MD5.
- We can use a hash cracking program, but dumping the hash into CrackStation is sufficient.
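The reason a CrackStation lookup works here is that app.py stores unsalted MD5: every user with the same password gets the same digest, and that digest is a fixed function of the password, so a precomputed table answers it instantly. The following added example (my own code, not from the box or the writeup) contrasts that scheme with a salted, iterated PBKDF2 hash using only the standard library. The user names and passwords in SAMPLE_USERS are constructed for the demonstration; the storage format and iteration count are my own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for the demonstration (not values from the box).
SAMPLE_USERS: Dict[str, str] = {"marco": "password", "app": "password"}

PBKDF2_ITERATIONS = 200_000  # cost factor; raise it as hardware allows


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the writeup found in app.py."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_table(users: Dict[str, str]) -> Dict[str, str]:
    """Hash every user's password the way the vulnerable app stores them."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def identical_hashes(table: Dict[str, str]) -> bool:
    """True when two users share a stored hash, i.e. the store leaks that
    they share a password and one table lookup cracks both."""
    return len(set(table.values())) < len(table)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest
    so the parameters travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    weak = md5_table(SAMPLE_USERS)
    print("unsalted MD5 store:", weak, "duplicates:", identical_hashes(weak))
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("PBKDF2 store duplicates:", identical_hashes(strong))
    print("verify marco:", verify_password("password", strong["marco"]))
```

With the MD5 store, both constructed users end up with the same digest, which is exactly what makes a lookup service sufficient; with the salted store, the same password yields two different records and verification still succeeds only with the original password.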
From here we can use the credentials to SSH to the machine and achieve the user flag.
Privilege Escalation
In /home/marco we see a directory called 'backups' and a file 'npbackup.conf'.
- Both files are owned by root and we cannot edit npbackup.conf. However, we can remove them! :3
- Though I am not sure it was necessary to remove the file, as you can specify it in the following commands.
When pasting the config file into a file that is owned by the user 'marco' and changing:
backup_opts:
  paths:
    - /home/app/app/
to a directory of our choosing, we can read any directory or file we want!
- We know that in CTFs the flag is often in /root/root.txt, but we can output the entire root directory. When we do that we see that we need to be quick with the next commands, because HTB is resetting the user directory to default for the other users that are on the machine!
After editing the config we can run:
sudo /usr/local/bin/npbackup-cli -c npbackup.conf --backup
After running this command we are given a snapshot ID. Then use the command:
sudo /usr/local/bin/npbackup-cli -c npbackup.conf --dump ADD_THE_FILE_YOU_WANNA_READ --snapshot-id ADD_THE_SNAPSHOT_ID
These commands were found after a DuckDuckGo search that led to the GitHub page https://github.com/AliElKhatteb/npbackup-cli-priv-escalation?tab=readme-ov-file
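The root cause of this privilege escalation is that a tool runnable through sudo trusts a configuration file the invoking user controls: whoever can write npbackup.conf chooses what root backs up and dumps. The added example below (my own code, not part of npbackup or the writeup) shows the checks a privileged wrapper or an auditor could apply before honouring such a config: refuse it unless it is owned by the trusted uid, refuse it if group- or world-writable, and refuse any backup path outside an allow-list, normalising paths so `..` segments cannot slip past. SAFE_CONF and TAMPERED_CONF are constructed texts in the shape of the fragment above, ALLOWED_ROOTS is a hypothetical allow-list for this host, and the tiny reader only understands the `backup_opts: paths:` list, so the example needs no YAML library.

```python
import os
import stat
from typing import List, Sequence

# Constructed config texts mirroring the shape of the npbackup.conf fragment
# in the writeup; only backup_opts/paths is parsed, other keys are ignored.
SAFE_CONF = """backup_opts:
  paths:
    - /home/app/app/
"""

TAMPERED_CONF = """backup_opts:
  paths:
    - /root/
"""

ALLOWED_ROOTS = ("/home/app/app",)  # hypothetical allow-list for this host


def parse_backup_paths(text: str) -> List[str]:
    """Minimal reader for the `paths:` list under backup_opts."""
    paths, in_paths = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "paths:":
            in_paths = True
            continue
        if in_paths and line.startswith("- "):
            paths.append(line[2:].strip())
        elif in_paths:
            in_paths = False  # any other key ends the list
    return paths


def path_allowed(path: str, allowed_roots: Sequence[str] = ALLOWED_ROOTS) -> bool:
    """Accept a path only if, after normalisation, it sits under an allowed root."""
    norm = os.path.normpath(path)
    for root in allowed_roots:
        r = os.path.normpath(root)
        if norm == r or norm.startswith(r + os.sep):
            return True
    return False


def audit_backup_config(text: str, owner_uid: int, mode: int, trusted_uid: int = 0,
                        allowed_roots: Sequence[str] = ALLOWED_ROOTS) -> List[str]:
    """Return the reasons a privileged run should refuse this config (empty = ok).
    `mode` is the permission bits as returned by stat.S_IMODE."""
    problems = []
    if owner_uid != trusted_uid:
        problems.append(f"config owned by uid {owner_uid}, expected {trusted_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("config is group- or world-writable")
    for p in parse_backup_paths(text):
        if not path_allowed(p, allowed_roots):
            problems.append(f"backup path {p} is outside the allowed roots")
    return problems


def audit_config_file(path: str, **kwargs) -> List[str]:
    """Convenience wrapper: stat a real file and audit it."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_backup_config(fh.read(), st.st_uid, stat.S_IMODE(st.st_mode), **kwargs)


if __name__ == "__main__":
    # Root-owned, 0644 safe config passes; a user-owned copy pointing at /root does not.
    print("safe:", audit_backup_config(SAFE_CONF, owner_uid=0, mode=0o644) or "OK")
    print("tampered:", audit_backup_config(TAMPERED_CONF, owner_uid=1000, mode=0o644))
```

Run against the writeup's scenario, the marco-owned copy fails on ownership and again on the `/root/` path; the same logic would equally reject a config whose file has been removed and recreated by the user, which is the step the writeup took. The ownership check is what a sudo rule cannot express on its own, which is why a privileged tool has to perform it itself or only ever read a fixed, root-owned config path.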
Conclusion
While I didn’t technically gain full root access I think it is possible given we can read every file within root and capture the flag. In hindsight this was an easy box but sometimes it takes more time to find the vulnerabilities and exploits than we would like.