Machine Synopsis

BackendTwo is a medium-difficulty Linux machine that extends the initial Backend UHC box, incorporating some fresh vulnerabilities alongside a few minor repetitions of steps that remained unexploited in UHC competitions. The process begins with an API whose functions are revealed through fuzzing to identify a registration endpoint. Following this, a mass assignment vulnerability is exploited to assign administrative privileges to a user. Subsequently, access is obtained to a file-read endpoint, allowing for the reading of /proc to uncover the page source, and ultimately, the JWT's signing secret. This knowledge enables the forging of a new token, granting access to the file-write API. Here, a backdoor is discreetly inserted into an endpoint, which facilitates shell access (the method for forcefully gaining entry is also demonstrated). Escalation involves leveraging password reuse and exploiting weaknesses in pam-wordle.