Analytics - HackTheBox

Analytics is a easy hackthebox machine that explores a vulnerability in a service called metabase. After gaining foothold into a docker continer we get credentials used in both the database and the ssh. Inside the machine we use a vulnerability in a service called overlayfs to get root.

March 29, 2024 · 3 min

TwoMillion - HackTheBox

TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on HackTheBox. The box features an old version of the HackTheBox platform that includes the old hackable invite code. After hacking the invite code an account can be created on the platform. The account can be used to enumerate various API endpoints, one of which can be used to elevate the user to an Administrator. With administrative access the user can perform a command injection in the admin VPN generation endpoint thus gaining a system shell. An .env file is found to contain database credentials and owed to password re-use the attackers can login as user admin on the box. The system kernel is found to be outdated and CVE-2023-0386 can be used to gain a root shell.

September 9, 2023 · 6 min