In this post, I would like to share a walkthrough of the TwoMillion machine from Hack The Box, a special-edition machine released to celebrate Hack The Box reaching 2,000,000 members.
This machine is rated Easy on Hack The Box.
- What will you gain from the TwoMillion machine?
- Information Gathering on TwoMillion Machine
- Throwback to the old way of registering on the Hack The Box Platform
- Analyze using Burp Suite for the TwoMillion machine
- User enumeration on the machine
- Escalate to Root Privileges Access
- OverlayFS exploitation
- Extra Information
- Gratitude message to all users of Hack The Box
What will you gain from the TwoMillion machine?
For the user flag, you will be presented with the old UI of the Hack The Box platform, which previously had an invite-code challenge that had to be solved in order to register a new account. By enumerating the API functions, we should find an endpoint that lets us gain administrator access.
As for the root flag, you need to abuse an OverlayFS vulnerability to obtain a root shell.
Information Gathering on TwoMillion Machine
Once we have started the VPN connection, which requires downloading the VPN file from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -sC -sV 10.10.11.221 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:08 EDT
Nmap scan report for 10.10.11.221
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $
We managed to find two open ports within the machine.
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -p- --min-rate 10000 10.10.11.221 -oA fullportsr
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:12 EDT
Warning: 10.10.11.221 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.221
Host is up (0.10s latency).
Not shown: 42465 filtered tcp ports (no-response), 23068 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 61.02 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $
Let’s also scan all ports in case there are more open ports to be found. However, we again found only the same two ports open.
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $nmap -sC -sV 10.10.11.221 -oA initial_redo
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 00:15 EDT
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Hack The Box :: Penetration Testing Labs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
┌─[darknite@parrot]─[~/Document/htb/twomillion]
└──╼ $
After adding the domain and IP address to /etc/hosts, we retrieved more information on port 80.
The website interface is nostalgic for most long-time users of the Hack The Box platform.
Let’s try to log in to the Hack The Box dashboard, but sadly we don’t have any user credentials. However, we might bypass the login page by using the old registration method from the early days.
We can try to register a new account for the dashboard.
Throwback to the old way of registering on the Hack The Box Platform
We are asked to enter an “Invite Code” when trying to register a new account.
We spotted an old HTB URL in the source code.
Therefore, let’s try to register a new account as shown above.
As I faced it a few years ago, we are shown an error saying “Get an Invite Code First”.
From the JavaScript code, we notice that there are some functions such as makeinvitecode and verifyinvitecode.
At last, we found a ROT13-encoded message.
We can decode the ROT13 message at https://rot13.com
The payload returned by the generate endpoint will look something like the above.
As a result, we obtained the invite code, which we can use in the next step.
Let’s try to register a new account with that invite code.
Boom! We have successfully accessed the dashboard.
We have also learned the version of the API installed on the machine.
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jun 2023 04:48:32 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 800
{"v1":{"user":{"GET":{"\/api\/v1":"Route List","\/api\/v1\/invite\/how\/to\/generate":"Instructions on invite code generation","\/api\/v1\/invite\/generate":"Generate invite code","\/api\/v1\/invite\/verify":"Verify invite code","\/api\/v1\/user\/auth":"Check if user is authenticated","\/api\/v1\/user\/vpn\/generate":"Generate a new VPN configuration","\/api\/v1\/user\/vpn\/regenerate":"Regenerate VPN configuration","\/api\/v1\/user\/vpn\/download":"Download OVPN file"},"POST":{"\/api\/v1\/user\/register":"Register a new user","\/api\/v1\/user\/login":"Login with existing user"}},"admin":{"GET":{"\/api\/v1\/admin\/auth":"Check if user is admin"},"POST":{"\/api\/v1\/admin\/vpn\/generate":"Generate VPN for specific user"},"PUT":{"\/api\/v1\/admin\/settings\/update":"Update user settings"}}}}
After requesting /api/v1, we found a route list that we can abuse at a later stage.
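As an added example (not part of the original walkthrough), the route list above can be flattened into a reviewable inventory so that every admin-group or state-changing endpoint is checked for an explicit role check; the JSON literal is copied from the response shown above, and the rest of the names are my own.

```python
import json

# Route list exactly as returned by GET /api/v1 in the response above
# (raw string so JSON's escaped slashes "\/" survive until json.loads).
ROUTE_LIST = r'''{"v1":{"user":{"GET":{"\/api\/v1":"Route List","\/api\/v1\/invite\/how\/to\/generate":"Instructions on invite code generation","\/api\/v1\/invite\/generate":"Generate invite code","\/api\/v1\/invite\/verify":"Verify invite code","\/api\/v1\/user\/auth":"Check if user is authenticated","\/api\/v1\/user\/vpn\/generate":"Generate a new VPN configuration","\/api\/v1\/user\/vpn\/regenerate":"Regenerate VPN configuration","\/api\/v1\/user\/vpn\/download":"Download OVPN file"},"POST":{"\/api\/v1\/user\/register":"Register a new user","\/api\/v1\/user\/login":"Login with existing user"}},"admin":{"GET":{"\/api\/v1\/admin\/auth":"Check if user is admin"},"POST":{"\/api\/v1\/admin\/vpn\/generate":"Generate VPN for specific user"},"PUT":{"\/api\/v1\/admin\/settings\/update":"Update user settings"}}}}'''

MUTATING = ("POST", "PUT", "PATCH", "DELETE")


def parse_route_list(raw):
    """Flatten {version: {group: {method: {path: description}}}} into records."""
    data = json.loads(raw)
    routes = []
    for version, groups in data.items():
        for group, methods in groups.items():
            for method, paths in methods.items():
                for path, description in paths.items():
                    routes.append({"version": version, "group": group,
                                   "method": method, "path": path,
                                   "description": description})
    return routes


def privileged_routes(routes):
    """Routes that need an explicit authorization check, not just a login
    check: everything in the admin group plus any state-changing method."""
    return [r for r in routes
            if r["group"] == "admin" or r["method"] in MUTATING]


def review_table(routes):
    """One line per route with the admin group marked, for review notes."""
    lines = []
    for r in sorted(routes, key=lambda r: (r["group"], r["path"])):
        flag = "ADMIN" if r["group"] == "admin" else "user "
        lines.append(f"{flag} {r['method']:<4} {r['path']:<36} {r['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    all_routes = parse_route_list(ROUTE_LIST)
    print(review_table(privileged_routes(all_routes)))
```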
Analyze using Burp Suite for the TwoMillion machine
It’s weird because the JSON response is different from what I expected.
After redoing the process, it works as shown in the screenshot above.
Finally, we have assigned admin privileges to our account.
We received an error stating that a parameter, username, is missing.
Weird. Nothing appeared in the response packet.
At last, we have a command injection that we can execute.
As a result, let’s send a reverse shell command in the packet under “username”.
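As an added example (my own code, not the box’s PHP backend), the two weaknesses used above can be closed in the handlers themselves: the settings update needs a real admin-role check rather than a login check, and the VPN endpoint must validate “username” against an allowlist and pass it as a single argv element instead of into a shell string. The user store, the (status, body) handler shape and the helper path /usr/local/bin/gen-ovpn are assumptions for illustration.

```python
import re

# Constructed in-memory user store for the example, not the box's real data.
USERS = {
    "alice": {"is_admin": 0},
    "admin": {"is_admin": 1},
}

# Strict allowlist for usernames: nothing a shell could interpret
# (";", "|", "$(", backticks, whitespace) can pass this pattern.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_admin(session):
    """Role check, separate from 'is logged in'. The escalation in the
    walkthrough suggests the original endpoint only checked the latter."""
    user = USERS.get(session.get("username"))
    return bool(user) and user["is_admin"] == 1


def update_settings(session, target, make_admin):
    """PUT /api/v1/admin/settings/update as a (status, body) handler:
    only an existing admin may change another account's admin flag."""
    if not is_admin(session):
        return 403, {"message": "admin role required"}
    if target not in USERS:
        return 404, {"message": "unknown user"}
    USERS[target]["is_admin"] = 1 if make_admin else 0
    return 200, {"username": target, "is_admin": USERS[target]["is_admin"]}


def vpn_generate(session, params):
    """POST /api/v1/admin/vpn/generate: require the admin role, validate the
    username, then return the argv that would go to subprocess.run without
    shell=True, so the value is one literal argument and is never parsed."""
    if not is_admin(session):
        return 403, {"message": "admin role required"}
    username = params.get("username")
    if username is None:
        return 400, {"message": "missing parameter: username"}
    if not USERNAME_RE.fullmatch(username):
        return 400, {"message": "invalid username"}
    # /usr/local/bin/gen-ovpn is a hypothetical helper used for illustration.
    return 200, {"argv": ["/usr/local/bin/gen-ovpn", "--user", username]}
```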
User enumeration on the machine
Boom! We have gained access to the machine via a reverse shell connecting back to us.
There are a few interesting files and folders that we can investigate further.
However, we only see admin as the available username.
We have found a potential way in as admin.
The user flag resides inside the /home/admin directory.
We have successfully switched user from www-data to admin.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
Sadly, there is no SUID binary that we can abuse to obtain a root shell.
OverlayFS exploitation
There is one draft email inside the /var/mail/admin file.
The machine is running the latest version, but the application is an old version.
We need to transfer the exploit to the victim’s machine.
We should run “make all” and also unzip the file.
Let’s execute the resulting binary.
Oh wow! The execution fails because the operation is not permitted.
Nothing different happens when we try executing it another way.
However, it works when the exploit is saved in the /tmp/ directory.
We can read the root flag by typing the “cat root.txt” command
Extra Information
From the output, we can see that the message is a note of gratitude to all users of Hack The Box.
Gratitude message to all users of Hack The Box
Dear HackTheBox Community,
We are thrilled to announce a momentous milestone in our journey together. With immense joy and gratitude, we celebrate the achievement of reaching 2 million remarkable users! This incredible feat would not have been possible without each and every one of you.
From the very beginning, HackTheBox has been built upon the belief that knowledge sharing, collaboration, and hands-on experience are fundamental to personal and professional growth. Together, we have fostered an environment where innovation thrives and skills are honed. Each challenge completed, each machine conquered, and every skill learned has contributed to the collective intelligence that fuels this vibrant community.
To each and every member of the HackTheBox community, thank you for being a part of this incredible journey. Your contributions have shaped the very fabric of our platform and inspired us to continually innovate and evolve. We are immensely proud of what we have accomplished together, and we eagerly anticipate the countless milestones yet to come.
Here's to the next chapter, where we will continue to push the boundaries of cybersecurity, inspire the next generation of ethical hackers, and create a world where knowledge is accessible to all.
With deepest gratitude,
The HackTheBox Team