HackTheBox - TwoMillion

00:00 - Intro 00:18 - Start of nmap, scanning all ports with min-rate 02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page 04:00 - Attempting to enumerate usernames 05:10 - Solving the HackTheBox Invite Code Challenge 05:50 - Sending the code to JS-Beautify 06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code 10:40 - Creating an account and logging into the platform then identifying what we can do 16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones 17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag 22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin 24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability 26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords 30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc 32:00 - Searching for the OverlayFS Kernel Exploit 35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it 37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef 42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore) 43:30 - Testing for command injection with a poisoned username 47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function