https://old.frang4.tech/tags/web/ Recent content in Web on Hugo en-us Sat, 14 Jun 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/code/writeup/ Sat, 14 Jun 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/code/writeup/ <p><code>Code</code> is a Hack The Box machine released on 22 Mar 2025</p> <h2 id="summary-how">Summary (How?)</h2> <p>We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).</p> <p>To do so, we leverage <strong>object-oriented introspection</strong> to enumerate loaded Python subclasses and locate the index of the <code>sys</code> module. With access to <code>sys.modules</code>, we enumerate all loaded modules and identify one that exposes a <code>call</code> function—specifically, <code>subprocess.call()</code>—which enables us to execute system commands and obtain a reverse shell.</p>