In this post, I would like to share a walkthrough of the TwoMillion machine from Hack The Box, a special-edition machine released to celebrate Hack The Box reaching 2,000,000 members.

This machine is rated Easy on Hack The Box.

What will you gain from the TwoMillion machine?

For the user flag, the machine presents the old UI of the HackTheBox platform, which previously had an invite code challenge that had to be solved in order to register a new account. By enumerating the API functions, we find an endpoint that allows us to give our own account administrator access.

As for the root flag, you need to abuse an OverlayFS vulnerability to obtain a root shell.

Information Gathering on TwoMillion Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -sC -sV 10.10.11.221 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:08 EDT
Nmap scan report for 10.10.11.221
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $

We managed to find two open ports on the machine.

┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -p- --min-rate 10000 10.10.11.221 -oA fullportsr
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:12 EDT
Warning: 10.10.11.221 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.221
Host is up (0.10s latency).
Not shown: 42465 filtered tcp ports (no-response), 23068 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 61.02 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $

As a result, let’s scan all ports in case more open ports can be found. However, we still only find two open ports.

┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -sC -sV 10.10.11.221 -oA initial_redo
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:15 EDT
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Hack The Box :: Penetration Testing Labs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $

After we have added the domain and IP address to /etc/hosts, we manage to retrieve more information on port 80.

The website interface is nostalgic for most long-time users of the Hack The Box platform.

Let’s try to log in to the Hack The Box dashboard, but sadly we don’t have any user credentials to log in with. However, we might get past the login page by using the registration method from the old days.

We can try to register a new account for the dashboard.

Throwback to the old way of registering on the Hack The Box platform

We need to enter an “Invite Code” when trying to register a new account.

We managed to spot an old HTB URL in the source code.

Therefore, let’s try to register a new account like the above.

As I experienced a few years ago, we are shown an error saying “Get an Invite Code First”.

From the JavaScript code, we notice that there are functions such as makeinvitecode and verifyinvitecode.

At last, we find a message obfuscated with ROT13.

We can decode the ROT13 message at https://rot13.com

The payload for generating the invite code will look something like the above.
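ROT13 is a fixed letter rotation with no key, so the same routine both encodes and decodes it, and anything shipped to the browser in this form is readable by anyone who views the script. The following is an added example, not code from the post or from the machine; the obfuscated sample string is constructed here and is not the message found on the machine.

```python
import codecs


def rot13(text: str) -> str:
    """Rotate every ASCII letter by 13 places, leaving other characters untouched.

    Because 13 + 13 = 26, applying the function twice returns the original text,
    which is why a single rot13() serves as both encoder and decoder.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, punctuation and whitespace pass through
    return "".join(out)


# Constructed sample (not the message from the machine): a ROT13-obfuscated
# sentence of the kind a client-side script might embed.
SAMPLE_OBFUSCATED = "Gur dhvpx oebja sbk whzcf bire gur ynml qbt."


def decode_sample() -> str:
    """Decode the constructed sample with the hand-rolled routine."""
    return rot13(SAMPLE_OBFUSCATED)


if __name__ == "__main__":
    plain = decode_sample()
    print(plain)
    # Cross-check against the standard library's codec and the involution property.
    assert plain == codecs.decode(SAMPLE_OBFUSCATED, "rot_13")
    assert rot13(plain) == SAMPLE_OBFUSCATED
```

The point for reviewers of client-side code is that ROT13 (or any keyless transform) hides nothing from a reader with the page source; only a server-side check can protect a secret such as an invite code.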

As a result, we obtain the invite code, which we can use for the next step.

Let’s try to register a new account with that invite code.

Boom! We have successfully accessed the dashboard.

We have managed to identify the version of the API that is running on the machine.

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jun 2023 04:48:32 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 800

{"v1":{"user":{"GET":{"\/api\/v1":"Route List","\/api\/v1\/invite\/how\/to\/generate":"Instructions on invite code generation","\/api\/v1\/invite\/generate":"Generate invite code","\/api\/v1\/invite\/verify":"Verify invite code","\/api\/v1\/user\/auth":"Check if user is authenticated","\/api\/v1\/user\/vpn\/generate":"Generate a new VPN configuration","\/api\/v1\/user\/vpn\/regenerate":"Regenerate VPN configuration","\/api\/v1\/user\/vpn\/download":"Download OVPN file"},"POST":{"\/api\/v1\/user\/register":"Register a new user","\/api\/v1\/user\/login":"Login with existing user"}},"admin":{"GET":{"\/api\/v1\/admin\/auth":"Check if user is admin"},"POST":{"\/api\/v1\/admin\/vpn\/generate":"Generate VPN for specific user"},"PUT":{"\/api\/v1\/admin\/settings\/update":"Update user settings"}}}}

After accessing /api/v1, we see a route list that we can abuse at a later stage.
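The route list above is the API inventory for the rest of the engagement, and from a defender's side it is the list of endpoints whose authorization must be verified server-side. The following added example (not code from the post or the machine) parses the exact JSON returned by the machine into a flat table and pulls out the admin-role routes and the state-changing routes, which are the ones a reviewer would check first for a missing role check.

```python
import json

# Route list returned by GET /api/v1 on the machine, copied from the response above.
ROUTE_LIST_JSON = r'''{"v1":{"user":{"GET":{"\/api\/v1":"Route List","\/api\/v1\/invite\/how\/to\/generate":"Instructions on invite code generation","\/api\/v1\/invite\/generate":"Generate invite code","\/api\/v1\/invite\/verify":"Verify invite code","\/api\/v1\/user\/auth":"Check if user is authenticated","\/api\/v1\/user\/vpn\/generate":"Generate a new VPN configuration","\/api\/v1\/user\/vpn\/regenerate":"Regenerate VPN configuration","\/api\/v1\/user\/vpn\/download":"Download OVPN file"},"POST":{"\/api\/v1\/user\/register":"Register a new user","\/api\/v1\/user\/login":"Login with existing user"}},"admin":{"GET":{"\/api\/v1\/admin\/auth":"Check if user is admin"},"POST":{"\/api\/v1\/admin\/vpn\/generate":"Generate VPN for specific user"},"PUT":{"\/api\/v1\/admin\/settings\/update":"Update user settings"}}}}'''


def parse_route_list(raw: str) -> list[dict]:
    """Flatten {version: {role: {method: {path: description}}}} into one row per route."""
    routes = []
    for version, roles in json.loads(raw).items():
        for role, methods in roles.items():
            for method, paths in methods.items():
                for path, description in paths.items():
                    routes.append({
                        "version": version,
                        "role": role,
                        "method": method,
                        "path": path,
                        "description": description,
                    })
    return routes


def privileged_routes(routes: list[dict]) -> list[dict]:
    """Routes the API itself labels as admin-only.

    Being listed under 'admin' is documentation, not enforcement: each of these
    must check the caller's role on the server for every request.
    """
    return [r for r in routes if r["role"] == "admin"]


def state_changing_routes(routes: list[dict]) -> list[dict]:
    """Routes that modify data (anything other than GET); review these for
    authentication, authorization and input validation."""
    return [r for r in routes if r["method"] != "GET"]


def format_table(routes: list[dict]) -> str:
    """Render the flattened routes as a fixed-width text table."""
    width = max(len(r["path"]) for r in routes)
    lines = [f"{r['role']:<6} {r['method']:<4} {r['path']:<{width}}  {r['description']}" for r in routes]
    return "\n".join(lines)


if __name__ == "__main__":
    all_routes = parse_route_list(ROUTE_LIST_JSON)
    print(format_table(all_routes))
    print(f"\n{len(all_routes)} routes, {len(privileged_routes(all_routes))} admin-only, "
          f"{len(state_changing_routes(all_routes))} state-changing")
```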

Analysis using Burp Suite on the TwoMillion machine

It’s weird because the JSON response is different from what I expected.

After redoing the process, it works as shown in the screenshot above.

Finally, we have assigned admin privileges to our account.

We receive an error stating that a parameter named username is missing.

Weird. Nothing appears in the response packet.

At last, we have a command injection that we can execute.

As a result, let’s send a reverse shell command in the request under “username”.
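The root cause described above is a classic one: a request parameter is spliced into a shell command line, so shell metacharacters in the value become part of the command. The following is an added example written by me, not the machine's own PHP backend; the tool path and the username rules are assumptions. It places the insecure string-building pattern next to a hardened version that validates the username against a strict allowlist and passes it as a separate argv element, so no shell ever interprets it.

```python
import re
import subprocess

# Hypothetical backend tool; the machine's real VPN-generation script is not shown in the post.
VPN_TOOL = "/usr/local/bin/generate-vpn"  # assumed path

# Allowlist: lowercase letter first, then letters, digits, '_' or '-', 3 to 32 characters total.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{2,31}$")


def is_valid_username(username: str) -> bool:
    """True only if the value matches the allowlist exactly (no metacharacters possible)."""
    return USERNAME_RE.fullmatch(username) is not None


def build_command_insecure(username: str) -> str:
    """INSECURE pattern (for contrast only): the raw parameter is interpolated into a
    command string destined for a shell. Characters such as ; | & $ and backticks
    are then interpreted by the shell instead of being treated as a plain name."""
    return f"{VPN_TOOL} {username}"


def build_command_hardened(username: str) -> list[str]:
    """Hardened pattern: reject anything outside the allowlist, then return an argv
    list. Each element reaches the program verbatim because no shell is involved."""
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return [VPN_TOOL, username]


def generate_vpn(username: str) -> subprocess.CompletedProcess:
    """Run the tool with the hardened argv. shell=False is the default, so even a
    value that slipped past validation could not be parsed as shell syntax."""
    argv = build_command_hardened(username)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying a shell separator.
    for candidate in ("alice", "alice; id"):
        print(f"insecure builder : {build_command_insecure(candidate)!r}")
        try:
            print(f"hardened builder : {build_command_hardened(candidate)!r}")
        except ValueError as exc:
            print(f"hardened builder : rejected ({exc})")
    try:
        generate_vpn("alice")
    except FileNotFoundError:
        print("assumed tool path does not exist on this host; argv construction still shown above")
```

Validation and argv passing are complementary: the allowlist stops unexpected values at the boundary and gives a clear error to log, while avoiding the shell removes the interpretation step that turns a bad value into a command. Logging the rejected values (without executing anything) is also a cheap detection signal for probing of this endpoint.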

User enumeration on the machine

Boom! We have managed to access the machine via a reverse shell connecting back to us.

There are a few interesting files and folders that we can investigate further.

However, we only see admin as the available username.

We have found a potential lead for the admin user.

The user flag resides inside the /home/admin directory.

We have successfully switched user from www-data to admin.

We can read the user flag with the “cat user.txt” command.

Escalating to Root Privileges

Sadly, there is no SUID binary that we can abuse to obtain a root shell.

OverlayFS exploitation

There is one draft email inside the /var/mail/admin file.

The machine is on the latest version, but the application is an old version.

We need to transfer the exploit to the victim’s machine.

We should run “make all” and also unzip the file.

Let’s run the resulting binary like any other executable.

Oh wow! The execution fails because the operation is not permitted.

Nothing changes when we try running it a different way either.

However, it works when the exploit is saved in the /tmp/ directory.

We can read the root flag with the “cat root.txt” command.

Extra Information

From the output, we can see that the message is an expression of gratitude to all the users of Hack The Box.

Gratitude message to all users of Hack The Box

Dear HackTheBox Community,

We are thrilled to announce a momentous milestone in our journey together. With immense joy and gratitude, we celebrate the achievement of reaching 2 million remarkable users! This incredible feat would not have been possible without each and every one of you.

From the very beginning, HackTheBox has been built upon the belief that knowledge sharing, collaboration, and hands-on experience are fundamental to personal and professional growth. Together, we have fostered an environment where innovation thrives and skills are honed. Each challenge completed, each machine conquered, and every skill learned has contributed to the collective intelligence that fuels this vibrant community.

To each and every member of the HackTheBox community, thank you for being a part of this incredible journey. Your contributions have shaped the very fabric of our platform and inspired us to continually innovate and evolve. We are immensely proud of what we have accomplished together, and we eagerly anticipate the countless milestones yet to come.

Here's to the next chapter, where we will continue to push the boundaries of cybersecurity, inspire the next generation of ethical hackers, and create a world where knowledge is accessible to all.

With deepest gratitude,

The HackTheBox Team
