Gitlab CVE_2023_7028 - Vulnerability

The Gitlab CVE_2023_7028 vulnerability allows unauthorized users to take over user accounts without any interaction from the victim. The vulnerability was found by asterion04 and was assigned the severity Critical.

January 19, 2024 · 2 min

Topology - HackTheBox

Topology is a hackthebox machine that has a website showing information about a topology group. The group has a project that renders latex equations. The subdomain running the project accepts a latex equation as input and generates a png image of that equation. However, the project is vulnerable to latex injection, which lets us read files. One of those files, .htpassword, contains credentials that give access to an ssh session on the machine. To elevate privileges we used a binary called pspy64 to watch processes without root privileges. This reveals a command executed by root that can be abused to gain root privileges, and this way we get root access.

October 5, 2023 · 5 min

Pilgrimage - HackTheBox

Pilgrimage is a hackthebox machine that has a website to shrink images. Running gobuster we found a git repository and extracted all the code used in the website. Inside the retrieved repository there is a binary called magick that is used to shrink images; however, it is a vulnerable version. The version in question has a Local File Inclusion vulnerability that allows an attacker to read files. After reading a sqlite database file we get ssh credentials. Inside the system we found a script that analyses the files submitted to the website for malware. However, the script uses a vulnerable version of binwalk, which gives us a shell as root.

October 2, 2023 · 7 min

Keeper - HackTheBox

Keeper is a machine that uses a well-known ticketing web application called Request Tracker with default credentials. Using those credentials we get access as root and find a ticket, created by a user, whose description contains that user's SSH password. Those credentials give us access to their SSH session. There, we get a keepass dump and database. We use a vulnerability in keepass that allows us to recover parts of the master key from the dump, and with a quick search we get the full master key. In the database, we have a PuTTY-User-Key-File that we need to convert to an SSH private key to log in over SSH as root.

September 28, 2023 · 4 min

TwoMillion - HackTheBox

TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on HackTheBox. The box features an old version of the HackTheBox platform that includes the old hackable invite code. After hacking the invite code an account can be created on the platform. The account can be used to enumerate various API endpoints, one of which can be used to elevate the user to an Administrator. With administrative access the user can perform a command injection in the admin VPN generation endpoint, thus gaining a system shell. A .env file is found to contain database credentials and, owing to password re-use, the attacker can log in as user admin on the box. The system kernel is found to be outdated and CVE-2023-0386 can be used to gain a root shell.

September 9, 2023 · 6 min