HTB-TwoMillion

API 越权、命令执行、CVE-2023-0386

Task 1

└─# nmap -sS -sV -A -Pn 10.10.11.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 21:25 CST
Nmap scan report for 10.10.11.221
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/17%OT=22%CT=1%CU=38870%PV=Y%DS=3%DC=T%G=Y%TM=67D8
OS:22FA%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A)SEQ(S
OS:P=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=107%GCD=2%ISR=10D%TI=Z%CI
OS:=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AST11NW7%O3=M53ANNT11NW7%O4=M53AST
OS:11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=
OS:FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=7F7%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   0.28 ms   172.30.144.1
2   442.86 ms 10.10.16.1
3   442.97 ms 10.10.11.221

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.39 seconds

How many TCP ports are open?
:2

Task 2

f12 查看源码，找到了 inviteapi.min.js

What is the name of the JavaScript file loaded by the /invite page that has to do with invite codes?
:inviteapi.min.js

Task 3

eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return c.toString(36)
    }
    ;
    if (!''.replace(/^/, String)) {
        while (c--) {
            d[c.toString(a)] = k[c] || c.toString(a)
        }
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return '\\w+'
        }
        ;
        c = 1
    }
    ;while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c])
        }
    }
    return p
}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}', 24, 24, 'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'), 0, {}))

反混淆后

function verifyInviteCode(code) {
    var formData = { "code": code };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function(response) {
            console.log(response);
        },
        error: function(response) {
            console.log(response);
        }
    });
}

function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/how/to/generate',
        success: function(response) {
            console.log(response);
        },
        error: function(response) {
            console.log(response);
        }
    });
}

可以发现路径名称

What JavaScript function on the invite page returns the first hint about how to get an invite code? Don't include () in the answer.
:makeInviteCode

Task 4

POST 请求

└─# curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"NTZRSlMtNDJLSjYtSTZXSTYtR1U5Mkc=","format":"encoded"}}

然后 base 64 解码

56QJS-42KJ6-I6WI6-GU92G

The endpoint in makeInviteCode returns encrypted data. That message provides another endpoint to query. That endpoint returns a code value that is encoded with what very common binary to text encoding format. What is the name of that encoding?
:base64

Task 5

注册登录账号然后进去到 ACCESS 抓包

路径 /api/v1/user/vpn/generate

What is the path to the endpoint the page uses when a user clicks on "Connection Pack"?
:/api/v1/user/vpn/generate

Task 6

访问接口 /api/v1 返回了很多其他接口

访问 /api/v1/admin/settings/update 接口返回了错误信息，加上 Content-type:application/json，用 PUT 方式请求

提示没有 email 参数，设置 email 参数，为注册的 email

再次请求提示没有 is_admin 参数

再设置 is_admin 参数为 1

返回了用户信息，应该是越权成功了，GET 访问一下 /api/v1/admin/auth 返回了 true ，说明确实成功了

How many API endpoints are there under /api/v1/admin?
:3

Task 7

What API endpoint can change a user account to an admin account?
:/api/v1/admin/settings/update

Task 8

POST 访问 /api/v1/admin/vpn/generate，返回

然后随便填一个用户名也能返回，然后修改字段

说明存在命令执行

What API endpoint has a command injection vulnerability in it?
:/api/v1/admin/vpn/generate

Task 9

反弹一个 shell 监听

然后列出文件，找到了 .env 得到了用户和密码

DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

What file is commonly used in PHP applications to store environment variable values?
:env

Submit User Flag

ssh 直接登录拿到 userflag

Submit the flag located in the admin user's home directory.
:efdaf723f682ab1f854c2c76e7909794

Task 11

登录提示有 email

查找有 email 的信息

find / -name "mail" 2>/dev/null

What is the email address of the sender of the email sent to admin?
:ch4p@2million.htb

Task 12

查看 admin 内容

From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

可以看到其中有一个 OverlayFS 搜 CVE，关于 Linux kernel CVE ，Linux 内核

What is the 2023 CVE ID for a vulnerability in that allows an attacker to move files in the Overlay file system while maintaining metadata like the owner and SetUID bits?
:CVE-2023-0386

Submit Root Flag

开两个终端，把 CVE 传到靶机上，编译之后（编译会报错，但是不影响）在第一个终端输入

./fuse ./ovlcap/lower ./gc

第二个终端输入

./exp

拿到 root 权限

Submit the flag located in root's home directory.
:3a62869985c7bf6157abcb2661ce6983

CVE-2023-0386

具体漏洞分析：https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/，https://github.com/chenaotian/CVE-2023-0386

exploit：https://github.com/xkaneiki/CVE-2023-0386/

这个 CVE 主要是关于 Linux 内核的 OverlayFS 子系统，当用户将一个具有权限的文件从一个 nosuid 挂载点复制到另一个挂载点时，未经授权的攻击者可以执行 setuid 文件，导致权限提升。

漏洞触发逻辑是如果 overlay 文件系统发生了copy-up 操作（尝试修改下层文件，触发下层文件向上层拷贝）的时候，如果下层文件系统是一个用户文件系统（比如 fuse），可以自定义任何文件，但该文件系统存在限制（比如 nosuid），这个漏洞就允许将下层用户自定义的 suid 文件从一个 nosuid 文件系统拷贝到一个正常文件系统中，从而导致非法 suid 获取真正的 suid 特权，毕竟在文件拷贝的时候并不是单纯地只拷贝文件内容，还包括了文件的权限信息、时间戳等信息一起被拷贝。

FUSE 文件系统（Filesystem in Userspace）,Linux 下的用户态文件系统接口，允许用户在用户空间（而非内核空间）实现和运行自定义的文件系统。允许在用户层定义文件系统的一些回调函数比如 open、write 甚至 getattr 等文件元数据信息。