HackTheBox – TwoMillion Walkthrough | API Enumeration, Command Injection & Kernel Privesc

This retired HTB machine covers web application analysis, API exploitation, and Linux kernel privilege escalation techniques.

Initial Access: API Enumeration & Command Injection
Deobfuscating JavaScript to discover hidden API endpoints. Exploiting improper input validation in the admin API to achieve command injection and gain initial foothold on the system.

Privilege Escalation: Kernel Exploit
Leveraging CVE-2023-0386 (OverlayFS) to escalate privileges from standard user to root. This FUSE-based vulnerability allows unprivileged users to gain full system access.

Key Techniques Covered:
JavaScript deobfuscation and analysis
REST API enumeration and testing
Command injection via vulnerable parameters
Linux kernel exploitation (CVE-2023-0386)
GTFOBins techniques for privilege escalation

📂 Scripts, and Commands:
https://github.com/strikoder/CTFS/blo...

🏠 Room Link:
https://www.hackthebox.com/machines/t...
--------
⏱️ Timestamps:
00:00 - Intro & Target Overview
01:15 - Enum
10:42 - JS Deobfescation
18:34 - API & Auth Enum
37:59 - Exploitation
41:52 - Privilege Escalation
--------

Follow me for more real-world hacking walkthroughs, live streams, and cert prep content 👇

💻 Labs
GitHub: https://github.com/strikoder

🎥 Streams & Short Content
Twitch:   / strikoder  
Instagram:   / strikoder  
TikTok:   / strikoder  

💬 Community & Discussions
Discord Server:   / discord  
X (Twitter): https://x.com/Strikoder

📨 Official Contact
LinkedIn:   / strikoder  
Email: [email protected]

More videos coming soon on PNPT, and OSCP prep.
Stay tuned, and thanks for the support!

#twomillion #oscp #cpts #hackthebox #linux #ethicalhacking #cybersecurity #pentesting #ctf #infosec #enumeration #privilegeescalation #windowshacking #networksecurity #bugbounty #RedTeam #capturetheflag #hackingtools #cyberseclabs #hackermindset #Nmap #terminal #strikoder