HTB: TwoMillion Walkthrough

Writeup — TwoMillion By Araiz Naqvi


Prepared By Araiz Naqvi.
In case you’re not able to view the entire writeup, visit my personal blog to view it fully.

Overview

- Difficulty: Easy
- Operating System: Linux
- Objective: Understand potential breaking points in the TwoMillion machine.
- Tools Used: nmap, nc, curl, ffuf, burpsuite, de4js, cyberchef, SSH


I tend to start by enumerating as much basic information as I can before delving deeper.

Scanning with Nmap

I first check which ports are open via a stealth scan:

I see that ports 22 and 80 seem to be open.
Let’s go ahead and run service and default script scans against these two ports specifically:


Banner Grabbing

Let’s continue by grabbing banners for SSH and HTTP, which may give us some more useful information.

For SSH, I used the nc command with the -nv flags:

For HTTP, I used curl with the -IL flags:


Ffuf and Gobuster Enumeration

Both Gobuster and Ffuf failed to enumerate any hidden subdomains or files.
With Ffuf as follows:

With Gobuster as follows:


Browsing 2million.htb

First, I start to browse the website 2million.htb to find if anything stands out.

Clearly looks like a dummy HackTheBox page. Scrolling through, I did not really find anything visually interesting except for the login page and the invite page.

So, let’s begin by messing around with the login page:

I tried a couple of combinations like:
- admin@hackthebox.eu : admin
- admin : admin
- root@hackthebox.eu : root
- admin' : admin
- ' OR '1'='1 : 

But nothing seemed to work; it simply said user not found.

Now, let’s try our luck on the invite page.

I try popping in random text, but nothing works.
So I decided to go through the source code, and if you check

Scrolling down, and indeed! There is a script that handles the form's request:

Let’s go to the endpoint at http://2million.htb/js/inviteapi.min.js:

This looks like it's obfuscated. So, let’s deobfuscate it via de4js:

After deobfuscation, we get the following, which I saved to a local file:

On first impressions, makeInviteCode() is responsible for invite code generation and verifyInviteCode() takes the code parameter to confirm whether it’s correct or not.

If you look at makeInviteCode(), there’s an API endpoint /api/v1/invite/how/to/generate. Like an idiot, I completely ignored that it's a POST request and visited the page in the browser, which obviously shows nothing.
(Saving you the time.)

I then used curl with the -X POST flag to reach the endpoint:

And, kaboom! This is an encoded message, and the encoding is ROT13.
Needless to say, we go straight to CyberChef, drag in the ROT13 operation, and enter the text Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr:

So far, what I perceive is that we have only learned how to generate the code; this new endpoint is what will actually give us the code.
So, let’s repeat the use of curl making a POST request to get the code:

There is our code. Let’s try and use this on the invite page.

This is not the final code yet. After scratching my head for a couple of minutes, I figured out that this is encoded and needs to be decoded before it can be used.

Upon asking ChatGPT, it turns out to be base64.
So, let’s quickly store the code in a file and then decode it:
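The two-step flow above (POST to the how/to/generate endpoint, ROT13-decode the hint, POST to the endpoint it names, base64-decode the result) as an added Python example; this is not code from the original writeup. The fake server dict and the sample invite code are constructed, since the page does not show the real response format.

```python
import base64
import re
import string

# ROT13 hint exactly as quoted in the walkthrough.
ROT13_HINT = ("Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb "
              "/ncv/i1/vaivgr/trarengr")

# Constructed stand-in for the server: path -> response body (plain text here;
# the real server's JSON wrapper is not shown on the page).
FAKE_SERVER = {
    "/api/v1/invite/how/to/generate": ROT13_HINT,
    # constructed sample invite code, base64-encoded; not the box's real code
    "/api/v1/invite/generate": base64.b64encode(b"EXAMPLE-CODE-0000-0000").decode(),
}


def rot13(text: str) -> str:
    """Rotate ASCII letters by 13 positions; digits and punctuation pass through."""
    up, lo = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(up + lo, up[13:] + up[:13] + lo[13:] + lo[:13])
    return text.translate(table)


def endpoint_from_hint(hint: str) -> str:
    """Pull the API path out of the decoded hint sentence."""
    match = re.search(r"(/api/\S+)", hint)
    if not match:
        raise ValueError("no API path found in hint")
    return match.group(1).rstrip(".")


def decode_invite_code(b64: str) -> str:
    """The generate endpoint hands back the code base64-encoded; decode strictly."""
    return base64.b64decode(b64, validate=True).decode("ascii")


def fetch_invite_code(post):
    """post(path) stands in for 'curl -X POST'; returns (hint, path, code)."""
    hint = rot13(post("/api/v1/invite/how/to/generate"))
    path = endpoint_from_hint(hint)
    return hint, path, decode_invite_code(post(path))


if __name__ == "__main__":
    print(fetch_invite_code(FAKE_SERVER.__getitem__))
```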

Now, let’s go ahead and check whether we’re in or not:

And we’re in!

Let’s go ahead and create an account:
- username: ghost
- email: ghost@ghost.com
- password: ghosty123
- confirm password: ghosty123

Once done, log in to your account.


Getting Admin Access

Upon viewing the page, there’s honestly nothing much that's intriguing, until you reach the access page specifically.
I ran Burp Suite while clicking on Connection Pack:

In Burp Suite:

Now, trying different iterations, when you reach the endpoint /api/v1 it takes you to this page:

In particular, the admin PUT request allows you to change a given user's settings to admin, so this is where we’re going to try to update our level.

On doing this as per the API requirements, we still get an error message.
Since the content-type being returned is application/json, we set the request's Content-Type header to:
content-type: application/json.
To do that in Burp, right-click > Change Request Method (until it gets to POST), then replace POST with PUT and add the correct Content-Type header.

Looks like progress. Let’s use the email we registered before and add another parameter, is_admin:1:

Now, let’s send a GET request to /api/v1/admin/auth, the endpoint that tells us whether we’re admin or not:
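The weakness abused here is that the settings-update call never checks whether the caller is already an admin and trusts the is_admin value in the body. As an added Python example (not code from the box), here is that pattern beside a hardened version that authorizes the caller and allowlists the updatable fields; the in-memory user table, the admin address and the function names are constructed.

```python
from dataclasses import dataclass


@dataclass
class User:
    email: str
    is_admin: bool = False


def make_users():
    """Constructed in-memory user table; stands in for the box's database."""
    return {
        "ghost@ghost.com": User("ghost@ghost.com"),
        "admin@example.test": User("admin@example.test", is_admin=True),
    }


def update_settings_vulnerable(users, caller, body):
    """Pattern the walkthrough abuses: any logged-in caller may set any field,
    including is_admin, on whichever account the JSON body names."""
    target = users[body["email"]]
    for key, value in body.items():
        if key != "email":
            setattr(target, key, value)
    return {"success": 1, "is_admin": target.is_admin}


ALLOWED_FIELDS = {"is_admin": bool}  # updatable fields and their required types


def update_settings_hardened(users, caller, body):
    """Same endpoint with an authorization check and an explicit field allowlist."""
    if not caller.is_admin:
        return {"success": 0, "error": "forbidden"}  # would be served as HTTP 403
    target = users.get(body.get("email"))
    if target is None:
        return {"success": 0, "error": "user not found"}
    unexpected = set(body) - {"email"} - set(ALLOWED_FIELDS)
    if unexpected:
        return {"success": 0, "error": "unknown fields: " + ", ".join(sorted(unexpected))}
    for key, typ in ALLOWED_FIELDS.items():
        if key in body and not isinstance(body[key], typ):  # rejects is_admin: 1 or "1"
            return {"success": 0, "error": f"{key} must be {typ.__name__}"}
        if key in body:
            setattr(target, key, body[key])
    return {"success": 1, "is_admin": target.is_admin}


def admin_auth(caller):
    """Stand-in for the GET /api/v1/admin/auth check used in the walkthrough."""
    return {"message": bool(caller.is_admin)}
```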

Now, for the next step there is really only one way to go: use the admin POST request and see whether something sticks out there.

Similarly, let’s set Content-Type: application/json:

Once past that, let’s add our username:

This is a whole bunch of nonsense; nothing really worked here.
So next, to be quite honest, I used the hint, which pointed to a code injection. Upon trying:

So, I get right to business:

Voila! We get credentials, which we will try on SSH, which we found during our Nmap scans.


SSH’ing into 2million.htb

Using credentials:

Let’s list the contents and see what’s up:

There’s the user flag.
After a bit of looking around in different directories, you stumble upon /var/mail/admin, which contains a mail:


CVE-2023-0386

So, from the email, it seems they are talking about fixing this OverlayFS vulnerability.
Let’s exploit it before they can fix it: search Google for `OverlayFS vulnerability`, which should lead you to https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/, which in turn links to the proof of concept at https://github.com/DataDog/security-labs-pocs/blob/main/proof-of-concept-exploits/overlayfs-cve-2023-0386/poc.c.

Here I copied the entire poc.c into /tmp and followed the POC's instructions exactly as written:

Voila! We’re root!
Let’s move to the root directory and look for the root flag:

There it is!
