TwoMillion is a Linux machine hosting a web application with an API that has a command execution vulnerability. This vulnerability can be exploited to gain a shell on the system. During the enumeration process, a configuration file can be discovered that contains credentials for the admin user, which can be used to SSH into the system. An email in the /var/mail directory provides a valuable hint indicating that the Linux kernel version on the machine is outdated and might be vulnerable to certain CVEs. Further investigation leads to the identification of CVE-2023-0386, a privilege escalation vulnerability that can be exploited to gain root access on the system.
nmap scan. Ports open:
- 22 (SSH)
- 80 (HTTP)
Visiting the IP redirects to 2million.htb, so I added that to /etc/hosts.
2million.htb led to an older version of the Hack The Box home page.
There's an invite code form which needs to be hacked in order to obtain a code.
After inspecting the code, I found an interesting script: /js/inviteapi.min.js.
The page contained obfuscated JavaScript code. js-beautify deobfuscated the code.
The code contains two functions: verifyInviteCode(), which makes a POST request to /api/v1/invite/verify, and makeInviteCode(), which makes a POST request to /api/v1/invite/how/to/generate.
I sent a POST request to /api/v1/invite/how/to/generate, which responded with data that was encrypted using ROT13.
The decrypted message said "In order to generate the invite code, make a POST request to /api/v1/invite/generate".
After visiting that endpoint, a new code was generated encoded in base64.
Once it was decoded, a valid invite code was provided.
I used the code to sign up, which brought me to a registration page. Registered a new user.
Then, I logged in, which redirected to the dashboard page.
I looked around the webpage, but didn't find anything too useful. So, next I tried visiting the /api/v1 endpoint, which responded with a list of API endpoints.
/api/v1/user/auth checks if a user is authenticated. This endpoint responded with my current user and also showed that the is_admin parameter was set to 0, meaning that I wasn't an admin user.
But, there's another endpoint: /api/v1/admin/settings/update, which can update the admin settings for a user. This can be done with a PUT request that provides email and is_admin parameters, with the Content-Type set to application/json.
The above PUT request responded with "is_admin":1, showing that my user has been updated to an admin user. I verified this by sending a GET request to /api/v1/admin/auth.
/api/v1/admin/vpn/generate will generate a certificate to connect to the VPN. I sent a POST request to this endpoint and provided a username parameter.
I tested for command injection within the username parameter to the /api/v1/admin/vpn/generate route:
{
  "username":"mike;whoami;"
}
The server responded with www-data, showing successful command execution.
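As an added, defender-side illustration (not code from the TwoMillion application, whose server code is not shown in this write-up), here is a constructed Python sketch of how the two API behaviours above would look with server-side checks: the settings update must not let a non-admin caller promote themselves, and the username given to the VPN generator must be allowlisted and passed as a single argv element rather than interpolated into a shell string. The generator binary path, the in-memory user store and all function names are assumptions.

```python
import re
import subprocess

# Constructed example, not the application's code. Allowlist for usernames:
# anything outside [a-z0-9_] (such as ';', '|', '$', whitespace) is rejected.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
VPN_GENERATOR = "/usr/local/bin/gen-vpn-profile"  # assumed placeholder path


class Forbidden(Exception):
    """Caller is authenticated but not allowed to perform the action."""


class BadRequest(Exception):
    """Request body failed validation."""


def update_settings(caller, target_email, body, users):
    """Server-side equivalent of PUT /api/v1/admin/settings/update.
    Only an existing admin may change is_admin; the value is taken from the
    body only after the authorization decision, never copied blindly."""
    if not caller.get("is_admin"):
        raise Forbidden("admin settings require an admin caller")
    new_flag = body.get("is_admin")
    if new_flag is not None and new_flag not in (0, 1):
        raise BadRequest("is_admin must be 0 or 1")
    target = users[target_email]
    if new_flag is not None:
        target["is_admin"] = int(new_flag)
    return target


def build_vpn_command(username):
    """Validate the username and return the argv list for the generator.
    The vulnerable pattern is building a shell string such as
    f"gen-vpn-profile {username}" and running it with shell=True; in argv
    form the username is one opaque argument, so no shell parses it."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise BadRequest("username contains characters outside the allowlist")
    return [VPN_GENERATOR, "--user", username]


def generate_vpn(username, run=subprocess.run):
    """Run the generator with shell=False (the default) and return its stdout."""
    argv = build_vpn_command(username)
    return run(argv, capture_output=True, text=True, check=True).stdout


def rejected(fn, *args):
    """Helper for tests: True if fn(*args) raises a validation/authz error."""
    try:
        fn(*args)
    except (Forbidden, BadRequest):
        return True
    return False
```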
Next, I sent the following command to establish a shell.
I caught a shell on the system as www-data.
Enumeration of the system led to the discovery of a username and password in a .env file.
I viewed the /etc/passwd file to see what users were on the system.
There's an admin user listed, so I attempted to log in with SSH using the username admin and password SuperDuperPass123.
This is where the user flag can be found (/home/admin). Upon logging in, there's also a message saying You have mail, which seemed worth looking into.
A common place for mail within a Linux system is /var/mail, so I went there and found an admin file that contained the following email.
The message mentions that there have been a few serious Linux kernel CVEs already this year and mentions OverlayFS / FUSE specifically.
A Google search for "overlayfs 2023" brought up the following article from Datadog about CVE-2023-0386, a local privilege escalation vulnerability in the Linux kernel: The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation
The article states:
Checking the current OS info on the machine with uname -a shows that the current Linux kernel is 5.15.70.
The Datadog article contains a proof of concept exploit here.
So, I cloned the repo and used tar to compress it. Started up a Python HTTP server.
From the target machine, I used wget to download the archive and used tar to extract it.
As stated on the PoC GitHub page, the exploit takes three steps. First, the make command to compile the code.
Next, I ran ./fuse ./ovlcap/lower ./gc from one terminal.
I opened another terminal on the target machine and ran ./exp.
After doing so, I got a root shell.
The root flag can be found in /root.