
🚩 HTB — CodePartTwo Writeup

🔍 Enumeration

First we will use nmap as usual:

Screenshot (215)

We found two open ports: 8000 (web) and 22 (SSH).


🌐 Web Exploration

Now let's look at port 8000 in the browser:

Screenshot (216)

Download the app's source archive and, while it downloads, register an account and log in:

Screenshot (217)

📂 Checking Source Code

It looks like we need some form of code injection; let's look at the files we downloaded:

Screenshot (218)

We can see that our submitted code is run with js2py, so let's google for a PoC:

Screenshot (220)

There is the PoC:

Screenshot (221)

💉 Exploitation

We inject this to try to get RCE, replacing the command in the cmd variable, and don't forget to start our listener:

Screenshot (226) Screenshot (225)

It fails, so let's try base64-encoding the payload:

Screenshot (224)

💥 Boom, it hits our listener and we get a shell:

Screenshot (228)

🔑 User Flag

As we can see, to get the user flag we need to become the user marco.

In app.py we can see a database file, user.db; let's find it and open it:

Screenshot (229)

We are connected; now let's find marco's credentials:

Screenshot (233)

We can list the tables; let's look at the user table:

Screenshot (234)

We got the hash, but it is MD5; let's use CrackStation to try to crack it:

Screenshot (235)

Nice we got it ✅

Screenshot (236)
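The password in user.db was stored as unsalted MD5, which is why a lookup service recovered it instantly. As an added example (not code from the box or from the original writeup), the Python below shows the legacy scheme beside a salted scrypt scheme a developer should use instead; the wordlist is constructed and stands in for a precomputed lookup table.

```python
import hashlib
import hmac
import os

# Legacy scheme: unsalted MD5, the way the box's user.db stores passwords.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Why a lookup service works: the digest depends only on the password, so a
# precomputed table maps digest -> password with no per-user effort.
# Constructed wordlist, standing in for a real lookup table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "admin123"]

def lookup_md5(digest: str, wordlist=COMMON_PASSWORDS):
    table = {legacy_md5(w): w for w in wordlist}
    return table.get(digest)  # None when the digest is not in the table

# Hardened scheme: random per-user salt plus the memory-hard scrypt KDF from
# the stdlib, stored as "scrypt$<salt-hex>$<key-hex>".
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str, salt=None) -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False  # refuse legacy or unknown schemes
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)  # constant-time compare

if __name__ == "__main__":
    digest = legacy_md5("letmein")
    print("md5 lookup recovers:", lookup_md5(digest))
    stored = hash_password("letmein")
    print("scrypt verify:", verify_password("letmein", stored), verify_password("wrong", stored))
    # Same password, new salt: a different record, so no shared lookup table.
    print("records differ:", hash_password("letmein") != stored)
```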

Now log in over SSH as marco and get your flag, Hacker:

Screenshot (237)

🚀 Privilege Escalation

We run sudo -l and find that we can run the npbackup-cli tool.

When we run it with -h we can see two relevant flags:

  • -c (configuration file)
  • --backup (create a backup using the configuration file)

Screenshot (239)

Let's look at the configuration file we have:

Screenshot (247)

Reading it, we find the key post_exec_commands: [], which suggests the tool runs the listed commands after a backup.

We cannot edit the original because it is owned by root, so we copy its contents into a crafted file named root.conf, add our command, and test:

Screenshot (248)

Here is our malicious command in place:

Screenshot (242)

Now we run the tool with -c pointing at our malicious root.conf and 💥 Boom, it worked:

Screenshot (244)

Now /bin/bash can be run by any user, so let's run it and get our root flag:

Screenshot (245)

🏆 Done!

Rooted CodePartTwo ✔️