HackTheBox Writeup — TwoMillion

Dicky Aditrianza
5 min readJul 16, 2023

--

Greetings, newbie’s trying to make write up again here as a part of learning process, with easy htb machine that actually brainfuck xD.

First, as usual I do nmap scanning I got two open ports which are 22 ssh and 80 http.

sudo nmap -p- -sC -sV -A --min-rate 5000 10.10.11.221

Let’s visit the http page, and see what are the feature that the web page has.

I found the login page, register page, but can’t do anything because if I want to register as a user I need to have an invite code which I don’t have, I’m not satisfied with what I got. Thus, I scanned the directory using feroxbuster.

After an hour looking at path, there is interisting file that I skipped need to be check which is /js/inviteapi.min.js

so the contents of this file are javascript functions, and one of them is makeInviteCode function, as the name suggests I would think I could generate invite code using this function. Let’s try it.

at the /invite page, I use inspect element console to trigger the function makeInviteCode().

Once it triggered, I can see that there is parameter named data contain encryption ROT13. Go ahead copy the data and decrypt it using online tools.

https://rot13.com/

After decrypt, there is an information that tells me to make a POST request at /api/v1/invite/generate to generate the code. To do that I use burpsuite community.

I intercept the web page, and send it to repeater. I got more information which is the parameter code containing encoding of base64. And then, I decode it using online tools again.

https://www.base64decode.org/

So the encoding data contain an invite code that I can use to register an account on the web page. Now I start to register the account.

After I logged in, I spent times to see what are the features that the web page has.

and I found this access page which I can download and regenerate vpn admin access.

Next, I intercept the “connection pack” the path to the endpoint redirect to /api/v1/user/generate .

After I play around with the burp repeater, I found out that the response endpoint /api/v1 shows path to check whether the user is admin or not.

On method GET /api/v1/admin/auth I see that the response is false because the user that I have created is not an admin.

On method POST /api/v1/admin/vpn/generate, no response.

On method PUT /api/v1/admin/settings/update, burp received response on parameter message said “invalid content type”.

Meaning that I need to add content type on my request. Add it to the request content-type: application/json

The parameter message said again I have missing the parameter email. Add it to the request using my user email.

Now the missing parameter is_admin, add it again to the request. Type of this parameter is boolean, so I set it to true.

Gosh…., now let’s change it to 1.

Now my account changed the role to admin, I can try to access again the endpoint /api/admin/vpn/generate

Missing parameter again this one username, just add it to the request.

Wow cool, it works, hmm a real hackerman might think this parameter has command injection, try it by reading /etc/passwd file

Nice it is command injection, now I can setup a listener, and add the reverse shell command to request.

I login as www-data, let’s enumerate so I can get higher privilege to read user.txt file.

I found .env file containing username and password for admin. Login as admin using that credentials.

Privilege Escalation

Using linpeas found juicy info at mail directory, I try to read it, and give me an information about OverlayFS/FUSE seems a name of the CVEs

I searched it on google, OverlayFS / FUSE is a CVE-2023–0386.

There is a POC of this vulnerability on github, without hesitation I clone the repository.

https://github.com/xkaneiki/CVE-2023-0386

I transfer the directory to target machine using scp command.

scp -r CVE-2023-0386 admin@10.10.11.221:/tmp

and run exploit based on the poc said. Boomm rooted.

Thank you for reading.

--

--