HackTheBox – TwoMillion Walkthrough | API Enumeration, Command Injection & Kernel Privesc
This retired HTB machine covers web application analysis, API exploitation, and Linux kernel privilege escalation techniques.

Initial Access: API Enumeration & Command Injection
Deobfuscating JavaScript to discover hidden API endpoints. Exploiting improper input validation in the admin API to achieve command injection and gain an initial foothold on the system.

Privilege Escalation: Kernel Exploit
Leveraging CVE-2023-0386 (OverlayFS) to escalate privileges from standard user to root. This FUSE-based vulnerability allows unprivileged users to gain full system access.

Key Techniques Covered:
- JavaScript deobfuscation and analysis
- REST API enumeration and testing
- Command injection via vulnerable parameters
- Linux kernel exploitation (CVE-2023-0386)
- GTFOBins techniques for privilege escalation

📂 Scripts and Commands: https://strikoder.com/writeups/twomil...
🏠 Room Link: https://www.hackthebox.com/machines/t...
💻 Labs GitHub: https://github.com/strikoder

⏱️ Timestamps:
00:00 - Intro & Target Overview
01:15 - Enum
10:42 - JS Deobfuscation
18:34 - API & Auth Enum
37:59 - Exploitation
41:52 - Privilege Escalation


