Hack The Box - TwoMillion

June 13, 2023

twomillion

TwoMillion is a Linux machine hosting a web application with an API that has a command execution vulnerability. This vulnerability can be exploited to gain a shell on the system. During the enumeration process, a configuration file can be discovered that contains credentials for the admin user which can be used to SSH into the system. An email in the /var/mail directory provides a valuable hint indicating that the Linux kernel version on the machine is outdated and might be vulnerable to certain CVEs. Further investigation leads to the identification of CVE-2023-0386, a privilege escalation vulnerability that can be exploited to gain root access on the system.

nmap scan:

nmap scan

Ports open:

  • 22 (SSH)
  • 80 (HTTP)

Visiting the IP redirects to 2million.htb, so I added that to /etc/hosts

initial visit to IP

2million.htb led to an older version of the Hack The Box home page.

home page

There's an invite code form which needs to be hacked in order to obtain a code.

invite code form

After inspecting the code, I found an interesting script: /js/inviteapi.min.js.

inspect inviteapi

The page contained obfuscated JavaScript code.

url inviteapi.min.js

Running it through js-beautify deobfuscated the code.

js-beautify

The code contains two functions: verifyInviteCode(), which makes a POST request to /api/v1/invite/verify, and makeInviteCode(), which makes a POST request to /api/v1/invite/how/to/generate.

I sent a POST request to /api/v1/invite/how/to/generate, which responded with data that was encoded using ROT13.

POST /api/v1/invite/how/to/generate

The decoded message said "In order to generate the invite code, make a POST request to /api/v1/invite/generate".

CyberChef

A POST request to that endpoint generated a new invite code, encoded in base64.

POST /api/v1/invite/generate

Decoding it yielded a valid invite code.

b64 decode

I used the code to sign up, which brought me to a registration page.

enter invite code

Registered a new user.

register

Then I logged in, which redirected me to the dashboard page.

dashboard

I looked around the webpage but didn't find anything too useful. Next, I tried visiting the /api/v1 endpoint, which responded with a list of API endpoints.

GET /api/v1

/api/v1/user/auth checks whether a user is authenticated. This endpoint responded with my current user and also showed that the is_admin parameter was set to 0, meaning that I wasn't an admin user.

GET /api/v1/user/auth

There's another endpoint, /api/v1/admin/settings/update, which updates the admin settings for a user. This is done with a PUT request that supplies the email and is_admin parameters, with the Content-Type header set to application/json.

is_admin parameter

The above PUT request responded with "is_admin":1, showing that my user had been updated to an admin user. I verified this by sending a GET request to /api/v1/admin/auth.

GET /api/v1/admin/auth
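The defender's view of this step, as an added example that is not the application's own code: a minimal model of the settings-update handler without the authorization check the write-up exploits, beside a version that enforces it. The handler logic, the in-memory user table and the mike@example.com address are assumptions.

```python
"""Broken access control on the admin-settings route.

Added example, not the 2million.htb application's code: it models the
PUT /api/v1/admin/settings/update handler in plain Python so it runs
offline. The request body is a dict, the user table is a dict, and each
handler returns (status_code, response_body). Field names come from the
write-up; the handler logic is assumed.
"""
import copy

# Constructed user table: one freshly registered, non-admin account.
USERS = {"mike@example.com": {"is_admin": 0}}

def update_settings_vulnerable(caller, body, users):
    """Uses the session only for identity, never for role: any logged-in
    user can set is_admin on whichever account the body names."""
    target = users.get(body.get("email"))
    if target is None:
        return 404, {"error": "user not found"}
    target["is_admin"] = body.get("is_admin", target["is_admin"])
    return 200, {"id": body["email"], "is_admin": target["is_admin"]}

def update_settings_hardened(caller, body, users):
    """Checks the caller's role server-side, then validates the field."""
    if users[caller]["is_admin"] != 1:
        return 403, {"error": "admin privileges required"}
    target = users.get(body.get("email"))
    if target is None:
        return 404, {"error": "user not found"}
    if body.get("is_admin") not in (0, 1):
        return 400, {"error": "is_admin must be 0 or 1"}
    target["is_admin"] = body["is_admin"]
    return 200, {"id": body["email"], "is_admin": target["is_admin"]}

def demo():
    """Replay the write-up's request (a non-admin setting is_admin=1 on
    itself) against both handlers, each on its own copy of the table."""
    request = {"email": "mike@example.com", "is_admin": 1}
    v_users, h_users = copy.deepcopy(USERS), copy.deepcopy(USERS)
    v_status, _ = update_settings_vulnerable("mike@example.com", request, v_users)
    h_status, _ = update_settings_hardened("mike@example.com", request, h_users)
    return {
        "vulnerable": (v_status, v_users["mike@example.com"]["is_admin"]),
        "hardened": (h_status, h_users["mike@example.com"]["is_admin"]),
    }

if __name__ == "__main__":
    print(demo())  # {'vulnerable': (200, 1), 'hardened': (403, 0)}
```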

/api/v1/admin/vpn/generate generates a certificate for connecting to the VPN. I sent a POST request to this endpoint and provided a username parameter.

add username parameter

I tested for command injection within the username parameter to the /api/v1/admin/vpn/generate route:

{
    "username":"mike;whoami;"
}

The server responded with www-data, confirming command execution as the web server user.
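The same bug from the defender's side, as an added example that is not the application's code: how a username spliced into a shell string goes wrong, how an allow-list plus an argv list prevents it, and a check that flags this payload in API request logs. The script path /opt/scripts/gen_vpn.sh and the log line format are assumptions.

```python
"""Command injection in the VPN-generate username parameter.

Added example, not the 2million.htb application's code: the bug's shape
(user input spliced into a shell string) beside a hardened builder, plus a
check over API request logs. The script path /opt/scripts/gen_vpn.sh and
the log format are assumptions; nothing here executes a command.
"""
import json
import re

def build_vpn_cmd_vulnerable(username):
    """Vulnerable: the value is interpolated into a string handed to a shell,
    so 'mike;whoami;' runs whoami as a second command."""
    return f"/opt/scripts/gen_vpn.sh {username}"

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def username_is_valid(username):
    """Allow-list: letters, digits, '_', '.', '-', at most 32 characters."""
    return USERNAME_RE.fullmatch(username) is not None

def build_vpn_cmd_hardened(username):
    """Hardened: validate, then return an argv list for
    subprocess.run(..., shell=False) so metacharacters are never parsed."""
    if not username_is_valid(username):
        raise ValueError("username contains disallowed characters")
    return ["/opt/scripts/gen_vpn.sh", username]

# Detection: shell metacharacters in a /vpn/generate username signal injection.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")

def find_injection_attempts(log_lines):
    """Return suspicious username values from 'METHOD PATH JSON' log lines."""
    hits = []
    for line in log_lines:
        try:
            _, path, body = line.split(" ", 2)
            username = json.loads(body).get("username", "")
        except (ValueError, AttributeError):
            continue  # malformed line or non-object body: skip it
        if path.endswith("/vpn/generate") and SHELL_META.search(str(username)):
            hits.append(username)
    return hits

# Constructed request log, including the write-up's payload.
SAMPLE_LOG = [
    'POST /api/v1/admin/vpn/generate {"username":"mike"}',
    'POST /api/v1/admin/vpn/generate {"username":"mike;whoami;"}',
    'PUT /api/v1/admin/settings/update {"email":"a@b.c","is_admin":1}',
]
```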

Next, I sent the following command to establish a shell.

send bash shell command

I caught a shell on the system as www-data.

shell

Enumeration of the system led to the discovery of a username and password in a .env file.

cat .env

I viewed the /etc/passwd file to see what users were on the system.

cat /etc/passwd

There's an admin user listed, so I attempted to log in over SSH using the username admin and the password SuperDuperPass123.

admin ssh login

The user flag is in /home/admin. Upon logging in, there's also a message saying "You have mail", which seemed worth looking into.

user flag

A common place for mail within a Linux system is /var/mail, so I went there and found an admin file that contained the following email.

cat admin

The message notes that there have been a few serious Linux kernel CVEs already this year, and mentions OverlayFS / FUSE specifically.

A Google search for "overlayfs 2023" brought up the following article from Datadog about CVE-2023-0386, a local privilege escalation vulnerability in the Linux kernel:

The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation

The article states:

datadog

Checking the OS info on the machine with uname -a shows that the Linux kernel is version 5.15.70.

uname -a

The Datadog article links to a proof-of-concept exploit here.

I cloned the repo and compressed it with tar.

clone exploit

Then I started a Python HTTP server.

python http server

From the target machine, I used wget to download the archive and tar to extract it.

wget

extract

As stated on the PoC GitHub page, the exploit takes three steps. First, run make to compile the code.

make

Next, I ran ./fuse ./ovlcap/lower ./gc from one terminal.

run first part

I opened another terminal on the target machine and ran ./exp.

run second part

After doing so, I got a root shell.

exploit success

The root flag can be found in /root.

root flag

Written by Mike Garrity
