TwoMillion

Platform: Hack The Box

Season: 9

Difficulty: Easy

OS: Linux

Date: 2025-11-01

Author: x4cc3


Executive Summary

TwoMillion is an Easy-difficulty Linux machine themed around the retired Hack The Box platform. The application exposes a poorly secured API that allows privilege escalation to admin and command injection via a VPN generation endpoint. After gaining a reverse shell as www-data, database credentials are recovered and reused for SSH access. Privilege escalation exploits an overlayfs kernel bug (CVE-2023-0386) that allows an unprivileged user to smuggle a SUID root binary into the filesystem.


Reconnaissance

Port Scan

nmap -Pn -sV -sC 10.10.11.221

Port     Service   Version
22/tcp   SSH       OpenSSH 8.9p1 (Ubuntu)
80/tcp   HTTP      nginx (redirects to 2million.htb)

Added to /etc/hosts:

echo "10.10.11.221 2million.htb" | sudo tee -a /etc/hosts

Directory Enumeration

feroxbuster -u http://2million.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The landing page is a Hack The Box clone with an invite-only registration system.
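As an added defender-side example (not part of the original writeup), here is a small Python detector that parses nginx combined-format access-log lines and flags any client that requests many distinct non-existent paths within a short window, which is the footprint a wordlist-driven feroxbuster run like the one above leaves on the server. The log lines, the 60-second window and the threshold of five distinct 404 paths are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access-log lines (combined format) approximating a
# directory scan of 2million.htb plus ordinary browsing. Not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Nov/2025:10:00:01 +0000] "GET /images HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.5 - - [01/Nov/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.5 - - [01/Nov/2025:10:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.5 - - [01/Nov/2025:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.5 - - [01/Nov/2025:10:00:03 +0000] "GET /config HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.5 - - [01/Nov/2025:10:00:03 +0000] "GET /old HTTP/1.1" 404 162 "-" "feroxbuster/2.10.0"
10.10.14.9 - - [01/Nov/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Nov/2025:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: max distinct 404 paths seen in any `window`} for IPs at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["status"] == 404:
            hits[e["ip"]].append((e["ts"], e["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct missing paths requested within `window` of this event.
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged
```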