HTB CodeTwo

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/01/31/htb-codetwo.html
• Blog Title: HTB: CodeTwo
• Suggested Section: Pentesting Web -> (new page) Js2Py sandbox escape (CVE-2024-28397) / Python-backed JavaScript sandboxes OR Generic Methodologies & Resources -> Python Sandbox Escape & Pyscript (if positioning it as a Python sandbox escape via Js2Py)

🎯 Content Summary

What this post covers
Walkthrough of Hack The Box CodeTwo (Linux, Easy): a Flask + Gunicorn web app provides an authenticated “developer sandbox” that executes user-supplied JavaScript via Js2Py. The core issue is that evaluating attacker-controlled JS through Js2Py can be escaped to Python and then to OS command execution using CVE-2024-28397.

End-to-end chain described by the author:
1) Enumerate services (SSH + web app on 8000).
2) Register/login and obser...

🔧 Technical Details

Js2Py sandbox escape (CVE-2024-28397): If an application evaluates attacker-controlled JavaScript using js2py.eval_js(...), an attacker can escape the intended sandbox even when js2py.disable_pyimport() is enabled by abusing Python object internals exposed through Js2Py wrappers. A practical chain is: obtain a Python-backed object via Object.getOwnPropertyNames({}) (observed as dict_keys([])), grab .__getattribute__, use it to access "__class__", pivot to the Python base object via .__base__, enumerate object.__subclasses__(), and search for dangerous classes like subprocess.Popen (__module__ == "subprocess" and __name__ == "Popen"). Instantiating Popen(cmd, ...) and calling .communicate() yields OS command execution and output, resulting in RCE inside the hosting Python process.

Reproduction/debugging trick: Use uv to quickly recreate the exact vulnerable environment with pinned versions and a compatible interpreter: `uv run --with js2py==0.74 ...

🤖 Agent Actions

Summary:

• Added a dedicated page detailing the Js2Py sandbox escape (CVE-2024-28397) with full exploitation chain, PoC payload, reproduction steps, and web-sandbox considerations.
• Linked the new Js2Py escape guide from the Python sandbox bypass index for discoverability.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/01/31/htb-codetwo.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> (new page) Js2Py sandbox escape (CVE-2024-28397) / Python-backed JavaScript sandboxes OR Generic Methodologies & Resources -> Python Sandbox Escape & Pyscript (if positioning it as a Python sandbox escape via Js2Py)".

Repository Maintenance:

• MD Files Formatting: 945 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0