HTB TwoMillion
This machine was specially created to celebrate 2,000,000 Hack The Box members, which is why it is named TwoMillion. Here is my writeup for this machine.
As a first step, let's scan ports and directories.
From the port scan, we notice that the web server redirects to http://2million.htb. Let's add it to our hosts file.
Let's proceed to the web page.
It appears to have an old Hack The Box interface. After looking around with the help of the directory scan result, we find that this website has a login page and that we can register.
Unfortunately, it only accepts new registrations with an invite code. Let's check /invite for the invite code.
We don't have any idea here since we never got an invitation code. Let's check the source code and the JS file.
We can put it into the console to execute the invite code function.
Let's decode the words.
We manage to get direct hints here. Let's use Burp Suite to intercept the request.
We have the invitation code here in base64. Decode it to get the plain text, then put it into the registration form.
We now have access to the dashboard. Since we already have the directory scan result, let's check the API version here.
This API uses v1. Let's see what directories it has.
We got 3 interesting directories that can be accessed by admin. What makes it interesting is that there is an update endpoint for user settings. That means we can assign ourselves as admin. HEHE.
Add the content type application/json. Here I provide what is needed, and finally we manage to assign ourselves as administrator. To prove it, visit /admin/auth.
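The user settings update step above is a textbook mass-assignment bug: the handler copies whatever keys arrive in the JSON body into the user record, including the role flag. The Python below is an added example, not the box's code or the writeup's; the record layout (email plus an is_admin flag) and the allow-listed field names are assumptions. It puts the flawed handler next to a hardened one that only copies allow-listed fields and lets the role change only when the caller is already an admin.

```python
"""Mass-assignment flaw versus an allow-listed update handler (added example)."""
import json

# Constructed sample record; a real app would load it from its user store.
SAMPLE_USER = {"email": "alice@example.com", "is_admin": False}

# Fields a user may change on their own account (assumed allow-list).
ALLOWED_SELF_UPDATE = {"email"}


def update_settings_vulnerable(record: dict, body: str) -> dict:
    """Merges every key from the JSON body into the record.

    This is the flaw: a client-supplied "is_admin": true is stored as-is.
    """
    updated = dict(record)
    updated.update(json.loads(body))
    return updated


def update_settings_hardened(record: dict, body: str, caller_is_admin: bool = False) -> dict:
    """Copies only allow-listed fields; role changes require an admin caller."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(data) - ALLOWED_SELF_UPDATE
    if unknown and not caller_is_admin:
        # Reject rather than silently drop, so the attempt is visible in logs.
        raise PermissionError(f"fields not updatable by user: {sorted(unknown)}")
    updated = dict(record)
    for key in ALLOWED_SELF_UPDATE & set(data):
        updated[key] = data[key]
    if caller_is_admin and "is_admin" in data:
        # Only an authenticated admin may change the role, and only to a bool.
        updated["is_admin"] = bool(data["is_admin"])
    return updated


if __name__ == "__main__":
    body = '{"email": "alice@example.com", "is_admin": true}'
    print("vulnerable:", update_settings_vulnerable(SAMPLE_USER, body))
    try:
        update_settings_hardened(SAMPLE_USER, body)
    except PermissionError as exc:
        print("hardened:", exc)
```

Raising on unknown fields instead of ignoring them is a deliberate choice: a 403 with the offending field names gives the SOC a log line to alert on, whereas silently dropping the field hides the probe.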
Since we are admin, let's see what admin can do: /vpn/generate. Provide the data needed.
We manage to get all VPN types. It's probably not PHP code that generates a VPN key, but rather some Bash tool that generates the necessary information for a VPN key. Let's try to prove it by putting a command injection in the data.
We managed to execute the command injection, and now we are www-data.
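The VPN generation step above works because a value from the JSON body is interpolated into a shell command line. The Python below is an added example, not the box's code; the helper script path and the username field are assumptions. It shows the interpolation pattern next to a hardened version that validates the value against a strict allow-list and passes it as a separate argv element, so no shell ever parses it.

```python
"""Shell interpolation versus allow-listed argv construction (added example)."""
import re
import shlex
import subprocess

VPN_SCRIPT = "/opt/vpn/generate.sh"  # assumed location of the helper script
# Allow-list for usernames: letters, digits, dot, underscore, dash; 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_command_vulnerable(username: str) -> str:
    """Builds a single command string for a shell.

    This is the flaw: any shell metacharacter in `username` becomes part of
    the command line instead of staying inside the argument.
    """
    return f"{VPN_SCRIPT} {username}"


def build_command_hardened(username: str) -> list:
    """Validates the value, then returns an argv list (no shell involved)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return [VPN_SCRIPT, username]


def generate_vpn(username: str, dry_run: bool = True) -> str:
    """Runs the helper with a validated argv; dry_run returns the quoted command."""
    argv = build_command_hardened(username)
    if dry_run:
        # shlex.join quotes each element, which shows how it would be invoked.
        return shlex.join(argv)
    # subprocess.run with a list and no shell=True: the username is argv[1],
    # never reparsed by /bin/sh.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    sample = "bob;date"  # constructed value containing a shell metacharacter
    print("vulnerable:", build_command_vulnerable(sample))
    try:
        build_command_hardened(sample)
    except ValueError as exc:
        print("hardened:", exc)
    print("dry run:", generate_vpn("alice-01"))
```

Both halves matter: the argv list stops the shell from parsing the value, and the allow-list stops a hostile value from reaching the helper script at all, which may itself call a shell.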
Put our reverse shell in the data. It must be a bash command:
bash -c 'shell here'
And check our listener: we got access to a shell. As usual, let's stabilise it.
I notice one file, .env. Open the file and we find credentials in it that are in use. Let's use those credentials to change user, or we can use SSH.
Once we manage to log in to the admin account, we notice this admin has an email. Let's check the email.
In this email, I notice that they mention the Linux kernel. Let's check the kernel of this machine.
The lsb_release command prints certain LSB (Linux Standard Base) and distribution information.
Looking around on the internet, this Linux kernel appears to be affected by CVE-2023-0386, which allows a low-privileged user to escalate privileges via a FUSE filesystem.
Let's look for a PoC for this CVE on GitHub.
Once we have downloaded the files and transferred them to the victim machine, let's follow the instructions given.
Let's put this onto the machine by uploading it from our machine.
Finally we got root privileges and the flag. Thanks for reading.
API penetration
Command injection in JSON data
CVE-2023-0386