
Hack The Box: TwoMillion Walkthrough - Invite Code, API Abuse & Root

CyberSecurity Researcher wandering in the depth of systems

Introduction

TwoMillion is an Easy-rated Linux machine on Hack The Box that combines web enumeration, API abuse, command injection, credential discovery, and privilege escalation. The machine is inspired by the legacy Hack The Box platform and provides a great opportunity to practice web application testing and Linux privilege escalation techniques.

In this walkthrough, I'll explain the methodology used to gain initial access, move laterally through the system, and eventually obtain root privileges.

Initial Enumeration

The first step was performing a port scan against the target machine.

The scan revealed two open ports:

  • Port 22 (SSH)

  • Port 80 (HTTP)

Visiting the website showed an old Hack The Box themed portal that required an invite code before registration.

Discovering the Invite Code

While examining the application's source code, I noticed a JavaScript function responsible for generating invite codes. The code was obfuscated using a common JavaScript packing technique.

After deobfuscating the script, I discovered hidden API endpoints related to invite generation.

One endpoint returned a ROT13-encoded message explaining how to generate a valid invite code. After decoding the message and interacting with the appropriate API endpoint, a Base64-encoded invite code was generated.

Decoding the value allowed me to create a valid user account and gain access to the platform.

API Enumeration

Once authenticated, I began exploring the application's API functionality.

During testing, I discovered that the API documentation was exposed and could be accessed directly. This made it significantly easier to identify available endpoints and understand how requests were processed.

Further investigation revealed an administrative settings endpoint that lacked proper authorization controls.

Privilege Escalation to Admin

The vulnerable endpoint allowed modification of account attributes without sufficient validation.

By manipulating the request parameters, I was able to change my account type from a normal user to an administrator.

This provided access to several administrative API endpoints that were previously unavailable.

Command Injection

One of the newly accessible endpoints generated VPN configuration files.

After testing user-supplied input, I discovered that the application was vulnerable to command injection.

To verify the vulnerability, I supplied a payload that triggered an outbound request to my attacker-controlled machine.

After confirming code execution, I used a reverse shell payload and successfully obtained command execution as the web server user.
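The fix for the VPN generator's command injection, as an added example in Python that is neither the machine's code nor from the original post (the generator script path, the `username` parameter, the `/api/vpn/generate` path and the log lines are all assumed or constructed): the insecure string-building pattern beside an allowlist-validated argv version, plus a small log check that flags requests carrying characters a shell would interpret.

```python
import re
import subprocess
from typing import List
from urllib.parse import unquote

# Assumed placeholder: the page does not show the real generator script.
GEN_SCRIPT = "/opt/vpn/gen.sh"

# Allowlist for the value that ends up in the command line.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_command_insecure(username: str) -> str:
    # The vulnerable pattern: user input spliced into a shell string that is
    # later handed to os.system()/shell=True. Any shell metacharacter in
    # `username` becomes part of the command. Shown only, never executed here.
    return f"{GEN_SCRIPT} {username}"


def validate_username(username: str) -> str:
    # Reject anything outside the allowlist instead of trying to escape it.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return username


def build_command_argv(username: str) -> List[str]:
    # Hardened: validate, then pass an argv list so no shell ever parses the
    # value; with no shell involved there is nothing to quote.
    return [GEN_SCRIPT, validate_username(username)]


def generate_vpn_config(username: str) -> bytes:
    # Runs the generator without shell=True; stdout carries the .ovpn text.
    proc = subprocess.run(build_command_argv(username), capture_output=True, check=True)
    return proc.stdout


def is_suspicious(username: str) -> bool:
    # Detection-side check for request logs: true when the decoded value
    # would have failed the allowlist.
    return not USERNAME_RE.fullmatch(username)


# Constructed sample access-log lines, not taken from the page.
SAMPLE_LOG = [
    "POST /api/vpn/generate username=alice",
    "POST /api/vpn/generate username=bob%3Bid",
    "POST /api/vpn/generate username=carol.x",
]


def flag_suspicious_requests(lines: List[str]) -> List[str]:
    # URL-decode the parameter before checking, so encoded metacharacters are caught.
    flagged = []
    for line in lines:
        m = re.search(r"username=([^ &]*)", line)
        if m and is_suspicious(unquote(m.group(1))):
            flagged.append(line)
    return flagged
```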

Post-Exploitation

After upgrading the shell for better interaction, I started reviewing application files and configuration data.

Inside the application's environment configuration file, I found database credentials stored in plaintext.

The credentials were reused for a local system account, allowing SSH access to the machine as a legitimate user.

This provided a far more stable foothold than the initial web shell.

Privilege Escalation

While performing local enumeration, I discovered internal mail messages stored on the server.

One email referenced an unpatched Linux kernel vulnerability related to OverlayFS and FUSE.

This hint suggested that the system might be susceptible to a known privilege escalation vulnerability.

After confirming the kernel version and researching publicly available exploits, I identified a compatible exploit path.

Executing the exploit successfully elevated privileges to root.

Lessons Learned

This machine highlights several common security issues:

  • Hidden API endpoints can expose sensitive functionality.

  • Client-side obfuscation should never be relied upon for security.

  • Authorization flaws can lead to privilege escalation.

  • Command injection remains one of the most dangerous web vulnerabilities.

  • Configuration files often contain valuable credentials.

  • Internal communications may reveal useful information during post-exploitation.

  • Unpatched kernels can provide straightforward paths to root access.

Conclusion

TwoMillion is an excellent beginner-friendly machine that demonstrates how multiple small weaknesses can be chained together to achieve full system compromise. It covers web application enumeration, API abuse, command injection, credential harvesting, and Linux privilege escalation in a realistic attack path.
