Command Injection

TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on HackTheBox. The box features an old version of the HackTheBox platform that includes the old hackable invite code. After hacking the invite code an account can be created on the platform. The account can be used to enumerate various API endpoints, one of which can be used to elevate the user to an Administrator. With administrative access the user can perform a command injection in the admin VPN generation endpoint thus gaining a system shell. An .env file is found to contain database credentials and owed to password re-use the attackers can login as user admin on the box. The system kernel is found to be outdated and CVE-2023-0386 can be used to gain a root shell.

Sau is a machine that has a vulnerable version of the service request-baskets. The vulnerability presented is a Server Side Request Forgery that allows us to perform requests to internal services not exposed in the machine. The hidden service is a vulnerable version of Maltrail which gives us OS command injection giving access to the machine. In the end, to escalate privileges we used a misconfigured command in sudoers that uses systemctl status pager to get a shell as root.