OverGraph 464
RETIRED MACHINE

Operating system: Linux
Difficulty: Hard

MACHINE RATING: 4
USER OWNS: 253
SYSTEM OWNS: 188
RELEASED: 30/04/2022
Created by Xclow3n

Machine Synopsis

OverGraph is a hard Linux machine that starts off with a static webpage on port 80. Enumerating for possible vhosts, an attacker is able to identify `graph.htb`, `internal.graph.htb` and `internal-api.graph.htb` as valid vhosts. The `internal` vhost is protected by a login screen. An attacker is able to register a new account and, using a NoSQL injection, bypass the OTP mail validation step.

After logging in to the web application and enumerating the new environment, it is discovered that two cookies define whether the user is an administrator. One of the cookies is set to the simple value `false`, so the attacker can simply change it to `true`. The other cookie is a token, and it is uncertain whether the attacker can generate a valid administrator token. Further enumeration of the web application reveals that a chat application is implemented and that another user is asking for a link. Using an intricate combination of Cross-Site Scripting and Cross-Site Request Forgery, an attacker is able to steal the administrator token from the other user and gain administrative privileges.

At this point, new functionality becomes available that allows the upload of video files. These files seem to undergo some kind of processing after they are uploaded. By exploiting a bug in `FFmpeg`, the SSH key of the user `user` can be exfiltrated. Enumerating the remote machine as the user `user` reveals that `root` is executing a binary that listens only on localhost. The binary is vulnerable to a `Use After Free` attack. By exploiting this vulnerability, the attacker is able to gain code execution as `root`.
