HackTheBox Writeup — TwoMillion
Greetings, a newbie here trying to write another writeup as part of my learning process, with an easy HTB machine that actually fried my brain xD.
First, as usual I ran an nmap scan and found two open ports: 22 (SSH) and 80 (HTTP).
sudo nmap -p- -sC -sV -A --min-rate 5000 10.10.11.221
Let’s visit the HTTP page and see what features it has.
I found a login page and a register page, but couldn’t do anything with them: registering requires an invite code, which I don’t have. Not satisfied with that, I brute-forced directories with feroxbuster.
After an hour of looking at paths, there was an interesting file I had skipped that needed checking: /js/inviteapi.min.js
The contents of this file are JavaScript functions, and one of them is makeInviteCode. As the name suggests, I figured I could generate an invite code with it. Let’s try.
On the /invite page, I opened the browser console (inspect element) and called makeInviteCode().
Once triggered, the response contains a parameter named data that is ROT13-encoded (ROT13 is an encoding, not encryption; applying it twice gives the original text back). I copied the data and decoded it with an online tool.
After decoding, the message says to make a POST request to /api/v1/invite/generate to generate the code. I did that with Burp Suite Community.
I intercepted the request and sent it to Repeater. The response contains a parameter code that is base64-encoded, which I decoded with an online tool again.
The decoded data is an invite code I can use to register an account on the site. Now I registered an account.
After logging in, I spent some time looking at what features the site has.
I found the access page, where I can download and regenerate VPN access.
Next, I intercepted the “connection pack” download; the request goes to the endpoint /api/v1/user/generate.
After playing around in Burp Repeater, I found that the response from /api/v1 lists the API routes, including the ones that check whether the user is an admin.
On GET /api/v1/admin/auth the response is false, because the user I created is not an admin.
On POST /api/v1/admin/vpn/generate there is no response.
On PUT /api/v1/admin/settings/update Burp receives a response whose message parameter says “invalid content type”.
That means I need to set a content type on the request: Content-Type: application/json
The message now says I am missing the parameter email. I added it with my user’s email.
Now the missing parameter is is_admin. The parameter is a boolean, so I set it to true.
That was rejected (gosh…), so let’s change it to 1 instead.
Now my account’s role is admin, and I can try the endpoint /api/v1/admin/vpn/generate again.
Missing parameter again, this time username; just add it to the request.
Wow cool, it works. A real hackerman would suspect this parameter is vulnerable to command injection, so I tested it by reading the /etc/passwd file.
Nice, it is command injection. Now I set up a listener and put a reverse shell command in the request.
I got a shell as www-data. Let’s enumerate to get a higher-privileged user and read user.txt.
I found a .env file containing the username and password for admin. Log in as admin over SSH with those credentials.
Privilege Escalation
Using linpeas I found juicy info in the mail directory. Reading it gave me a hint about OverlayFS/FUSE, which looks like the name of a CVE.
Googling it, the OverlayFS/FUSE issue is CVE-2023-0386.
There is a PoC for this vulnerability on GitHub; without hesitation I cloned the repository.
I transferred the directory to the target machine with scp:
scp -r CVE-2023-0386 admin@10.10.11.221:/tmp
and ran the exploit as the PoC describes. Boom, rooted.
Thank you for reading.