PENETRATION TESTING

REPORT
Two Million – Hack the Box Machine

Aayesha Khan
[email protected]
Table Of Contents

Table of Contents
1. Summary....................................................................................................................... 1
Executive Summary ................................................................................................... 2
2. Attack Narrative .......................................................................................................... 2
Enumeration ............................................................................................................... 2
Application Overview ................................................................................................ 3
Generate Invitation Token .......................................................................................... 6
Registration Page........................................................................................................ 6
User Dashboard .......................................................................................................... 6
Available API Endpoints ............................................................................................ 7
Update User Rights .................................................................................................... 7
Command Execution .................................................................................................. 9
Shell as Admin ......................................................................................................... 10
Privilege Escalation .................................................................................................. 11
3. Conclusion .................................................................................................................. 17
Recommendations .................................................................................................... 17
Risk Rating ............................................................................................................... 18
4. Appendix A: Vulnerability Detail and Mitigation .................................................. 19
Command Injection in VPN Generation .................................................................. 19
API Privilege Escalation .......................................................................................... 19
Kernal Exploitation .................................................................................................. 19
Insecure Session Handling ....................................................................................... 20
5. Appendix B: About the Security Assessment .......................................................... 21

1|Page
Vulnerability Assessment and Penetration Testing (VAPT) Report
Target: Hack The Box - TwoMillion
Assessment Date: 13-02-2025
Tester: Aayesha Khan
Methodology: OWASP Top 10:2021, PTES, NIST SP 800-115
1. Executive Summary
This VAPT assessment aims to identify security vulnerabilities within the HTB TwoMillion
machine by simulating real-world attacks. The machine was tested against the OWASP Top
10:2021 security risks, identifying several high-impact vulnerabilities that could be exploited
by an attacker to gain full control over the system.
2. Attack Narrative
Tools Used
• Nmap – Network scanning
• Burp Suite – Web API testing
• Curl – API interaction
• SSH – Remote login
• GitHub PoC for CVE-2023-0386 – Kernel exploit
2.1 Enumeration
Nmap
We start by running Nmap to find open ports on the target machine.

Two ports are open: 22 (SSH) and 80 (HTTP).

Let's start by visiting the website.

2|Page
2.2 Application Overview
The application resembles HTB’s old version from 2017. It includes pages such as Login,
Invite, Hall of Fame, and FAQ.

The old version of HTB requires an invitation code for the user Sign

When we check the source code of the sign up option and observed that there is a Json file
named as “/js/inviteapi.min.js”

3|Page
Obfuscated Code
We found that the supposed to be inviteapi.min.js is responsible for sending the invitation
validation request. The JavaScript file contains multiple keywords like POST,
makeInviteCode, verifyInviteCode so looks like it is obfuscated.

We used https://beautifier.io to get the JavaScript in Deobfuscated format.

Deobfuscated JavaScript:

From the deobfuscated JavaScript we can see that the JavaScript contains 2 functions.
1. Function verifyInviteCode is responsible for verifying the Invitation code.
2. Function makeInviteCode is responsible for generating the Invitation code.

4|Page
2.3 Generate Invitation Token
Upon sending a POST request for How-to-Generate application returns the ROT13 encrypted
string.

Using Cyberchef we have decrypted the encrypted data. We have converted the ROT13 string
to cleartext format and it gave a hint for another endpoint.

Upon sending a POST request for Generate-invite application returns a base64 encoded
string.

We have converted the base64 encoded string to clear text format which gives us our
invitation code.

5|Page
2.4 Registration Page
We have entered our invitation code and which allows us to login into application with our
username and password.

2.5 User Dashboard

We have login into the application and we saw very limited options. A few of them are:
1. Dashboard
2. FAQ
3. Generate the VPN Connection File

6|Page
2.6 Available API Endpoints
The interesting part of generating a VPN connection file was, It is called
the api/v1/user/vpn/download. We can get the list of API endpoints by calling the /api/v1.
It was observed that the application contains the admin API as well. Admin API contains 3
endpoints:
1. GET - /api/v1/admin/auth : Check if user is admin or not
2. POST - /api/v1/admin/vpn/generate : Generate VPN for specific user
3. PUT - /api/v1/admin/settings/update : Update user settings

2.7 Update the User Rights

Update admin settings API returns the error message which shows that the API request is
missing an email parameter.

7|Page
We have added the email parameter and sent the request. It’s observed that the API request is
missing the “is_admin” parameter.

We have added the missing parameter and based on the response it’s observed that the User
has now admin privilege.

8|Page
Generate VPN File

2.8 Command Execution

It’s observed that generated VPN profile endpoint is vulnerable to command Injection.

The .env file contains the username and password for admin which we got using the cat
command.

9|Page
2.9 Shell as admin
We can log in as admin users who read the user flag.

10 | P a g e
2.10 Privilege escalation
If we search for directories from root, we find the /var directory, let's look there.
If we enter we see another interesting directory /mail.
We see an email that tells us.

Failed Attempt
We searched OverlayFS CVE and came across this article by ProjectDiscovery.
We got the access as the root user but still, it’s not a complete root permission.
CVE-2023-0386 Analysis
I started searching again and it’s observed that the machine is vulnerable to CVE-2023-0386.
From Google: CVE-2023-0386 is a high-severity vulnerability in the Linux kernel’s
overlayfs filesystem. Improper permission handling allows local attackers to easily escalate
privileges to root, compromising the entire system.
How to Detect?
The easiest way to check whether your system is vulnerable is to see which version of the
Linux kernel it uses by running the command uname -r
A system is likely to be vulnerable if it has a kernel version lower than 6.2. We found that our
Linux machine is running on 5.15
What is SUID bit?

11 | P a g e
SUID, short for Set User ID, is a special permission that can be assigned to executable
files. When an executable file has the SUID permission enabled, it allows users who execute
the file to temporarily assume the privileges of the file’s owner.
What is OverlayFS?
Overlay filesystems, also known as “union filesystems” or “union mounts” let you mount a
filesystem using 2 directories: a “lower” directory, and an “upper” directory.
1. Structure
OverlayFS uses three main components:
• Lower directory: Read-only base layer containing the original files.
• Upper directory: Writable layer where changes are made.
• Merged view: The combined result of the lower and upper directories.
2. File Operations
• Read:
o If a file exists in both layers, the version in the upper layer is presented.
o If a file exists only in the lower layer, it is accessed from there.
• Write:
o If a file in the lower layer is modified, it is copied to the upper layer first
(copy-on-write), and then the changes are applied to the copy.
• Delete:
o When a file in the lower layer is deleted, it is “hidden” by creating a whiteout
marker in the upper layer.
3. Mounting Example
Assume you have:
• Lower layer: /lower
• Upper layer: /upper
• Mount point: /merged
How does the CVE-2023-0386 Works?
1. Pretending to Have a Root-Owned File:
o The attacker uses a trick called FUSE (a tool for making fake filesystems) to
create a “fake” file that looks like:
▪ It’s owned by the system administrator (root).
▪ It has the SUID bit set, which means running this file will give
whoever runs it admin-level privileges.

12 | P a g e
Normally, creating such a file directly on the system isn’t allowed unless you’re already an
admin. But with FUSE, you can fake it.
2. Create a Safe “Sandbox” Environment:
o The attacker uses something called user namespaces to create a sandbox
environment.
o This lets them temporarily do things (like mounting filesystems) that normally
require admin permissions.
3. Set Up the OverlayFS Trick:
o The attacker sets up an OverlayFS filesystem:
▪ The lower directory (base layer) is the fake filesystem they made with
FUSE.
▪ The upper directory (writable layer) is something like /tmp, where
anyone can write files.
4. Trigger the Kernel Bug:
o The attacker “copies” the fake file (from the lower layer) to the writable layer
(upper directory).
o When the kernel handles this copy, it believes the fake file’s permissions and
creates a real file in /tmp that:
▪ Is owned by root.
▪ Has the SUID bit set.
5. Escape the Sandbox and Exploit the File:
o The attacker exits the sandbox and now has a real root-owned SUID
file in /tmp.
o They execute this file to become root and take full control of the system.
Code Example
Here is the code example which I took from the Datadog article.
The code written in C will try to set setuid and setgid to root.

13 | P a g e
We will write the instructions as written in the poc.c file.

We have the root flag.

We also have thank you message from HTB team. Let’s try to read the message.
14 | P a g e
15 | P a g e
16 | P a g e
3. Conclusion
Conclusion
The Hack The Box - TwoMillion machine presents a comprehensive attack surface,
demonstrating real-world vulnerabilities that attackers can exploit to gain full system control.
Our assessment has revealed critical weaknesses in authentication, access control, session
management, and privilege escalation mechanisms, all of which align with the OWASP Top
10:2021 security risks. The command injection vulnerability in the VPN generation feature
was particularly severe, allowing attackers to execute arbitrary system commands, while the
API privilege escalation issue demonstrated a lack of proper role enforcement, making
unauthorized access and administrative control attainable. Additionally, the use of an outdated
Linux kernel (CVE-2023-0386) enabled privilege escalation to root, exposing the entire
system to a complete compromise. The machine also suffered from weak cryptographic
storage of credentials, missing multi-factor authentication, and insecure session management,
all of which facilitated persistent unauthorized access. The lack of logging and monitoring
mechanisms further exacerbated these risks, as attacks could go undetected. To mitigate these
vulnerabilities, the system must implement strict access controls, enforce strong
authentication mechanisms, sanitize user input, patch outdated components, and establish
comprehensive logging and monitoring practices. By addressing these security gaps and
adhering to ASVS 4.0.3 compliance standards, the system can significantly improve its
resilience against cyber threats, thereby ensuring robust protection against unauthorized
access, privilege escalation, and data breaches.
3.1 Recommendations:
Patch the Linux Kernel to mitigate CVE-2023-0386.
• Upgrade to the latest stable Linux Kernel to prevent privilege escalation.
• Regularly monitor security advisories for new patches and updates.
Implement strong input validation mechanisms.
• Use allowlists and strict input validation to sanitize user input.
• Apply web application firewalls (WAF) to filter and block malicious requests.
Secure API endpoints with authentication and role-based access control.
• Enforce authentication with JWT tokens and expiration policies.
• Implement least privilege access control, ensuring only authorized users access
sensitive functions.
Regularly audit security configurations and permissions.
• Conduct quarterly security audits to detect misconfigurations.
• Utilize automated tools like Nessus, Burp Suite, and OpenVAS for vulnerability
scanning.
Harden system security by restricting unnecessary services and implementing security best
practices.

17 | P a g e
 • Disable unused services and ports to minimize the attack surface.
• Implement system monitoring tools to detect and prevent anomalous activities.
3.2 Overall Risks Rating
The Hack The Box - TwoMillion machine has a High overall risk rating due to critical
vulnerabilities such as command injection, API privilege escalation, and kernel exploitation
(CVE-2023-0386). These weaknesses allow attackers to gain full system control, execute
arbitrary commands, and escalate privileges to root, posing a severe security threat.
Additionally, insecure session handling increases the risk of unauthorized access. To mitigate
these risks, it is crucial to implement proper access controls, upgrade the Linux kernel,
enforce secure session management, and apply input validation to prevent exploitation.
Immediate remediation is necessary to strengthen the system’s security posture.

18 | P a g e
4. Appendix A: Vulnerability Detail and Mitigation
4.1. Command Injection in VPN Generation
Rating: Critical
Description: The VPN configuration feature is vulnerable to command injection, allowing an
attacker to execute arbitrary system commands.
Impact:
• Full control over system processes, enabling further compromise.
• Potential access to sensitive data and user credentials.
Mitigation:
• Use parameterized queries to prevent arbitrary command execution.
• Implement strict server-side input validation to filter out malicious payloads.
• Restrict the execution of system commands within the application.
4.2. API Privilege Escalation
Rating: High
Description: API endpoints lack proper access control, allowing unauthorized users to
escalate privileges.
Impact:
• Attackers can gain administrative privileges without authentication.
• Possible unauthorized modification of system settings and user accounts.
Mitigation:
• Implement Role-Based Access Control (RBAC) to ensure only authorized users can
access sensitive endpoints.
• Use JWT tokens with proper expiration policies and role validation.
• Log and monitor API access to detect suspicious activity.
4.3. Kernel Exploitation (CVE-2023-0386)
Rating: High
Description: The system uses an outdated Linux kernel version vulnerable to CVE-2023-
0386, allowing privilege escalation via OverlayFS.
Impact:
• Attackers can exploit this flaw to gain root access.
• Full system compromise, leading to data theft and further exploitation.
Mitigation:

19 | P a g e
 • Upgrade the Linux kernel to the latest patched version.
• Disable unprivileged user namespaces if not required.
• Regularly monitor and update system components to mitigate known vulnerabilities.
4.4. Insecure Session Handling
Rating: Medium
Description: Weak session management policies expose user sessions to hijacking.
Impact:
• Attackers can steal user session tokens and gain unauthorized access.
• Increased risk of impersonation attacks.
Mitigation:
• Implement secure session management practices, including HttpOnly, Secure, and
SameSite attributes for cookies.
• Enforce session timeouts and automatic logout for inactive users.
• Use multi-factor authentication (MFA) to enhance security.

20 | P a g e
Appendix B: About the Security Assessment
The Vulnerability Assessment and Penetration Testing (VAPT) conducted on the Hack The
Box - TwoMillion machine aimed to simulate real-world attacks and evaluate security
weaknesses within the system. The assessment followed industry standards such as OWASP
Top 10:2021, PTES, and NIST SP 800-115 to ensure a thorough evaluation. The scope of the
assessment was to identify exploitable vulnerabilities, assess the impact of security
weaknesses, evaluate the effectiveness of existing security controls, and provide
recommendations for strengthening the security posture of the system. The methodology
included reconnaissance through open-source intelligence (OSINT) and active scanning,
enumeration to identify exposed services and misconfigurations, exploitation through attacks
like command injection and privilege escalation, post-exploitation to evaluate the impact of
compromise, and reporting to document findings and mitigation strategies.
The key findings of the assessment revealed several critical security issues, including
command injection in VPN generation, API privilege escalation vulnerabilities, kernel
exploitation via CVE-2023-0386, insecure session handling, and weak access controls. A
successful exploitation of these vulnerabilities could lead to unauthorized access to sensitive
user data, full system compromise, service disruptions, and potential reputational and
financial damage. To enhance the security of the system, it is recommended to patch the
Linux kernel, implement robust access control mechanisms, enforce strong authentication
with multi-factor authentication (MFA), conduct regular security audits, implement strict
input validation, and deploy monitoring solutions for detecting suspicious activities.
The assessment demonstrated that the Hack The Box - TwoMillion machine contains critical
vulnerabilities that could be exploited by attackers to gain full control of the system.
Addressing these security flaws through recommended mitigations will significantly improve
the overall security posture and resilience against cyber threats.

21 | P a g e