HackTheBox - TwoMillion

Published: 07 June 2023
on channel: IppSec

42,855

802

00:00 - Intro
00:18 - Start of nmap, scanning all ports with min-rate
02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page
04:00 - Attempting to enumerate usernames
05:10 - Solving the HackTheBox Invite Code Challenge
05:50 - Sending the code to JS-Beautify
06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code
10:40 - Creating an account and logging into the platform then identifying what we can do
16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones
17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag
22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin
24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability
26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords
30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc
32:00 - Searching for the OverlayFS Kernel Exploit
35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it
37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef
42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)
43:30 - Testing for command injection with a poisoned username
47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function

Watch video HackTheBox - TwoMillion online, duration hours minute second in high quality that is uploaded to the channel IppSec 07 June 2023. Share the link to the video on social media so that your subscribers and friends will also watch this video. This video clip has been viewed 42,855 times and liked it 802 visitors.

443