HACK THE BOX 2million

Emmanuel Wiseman
4 min read · Sep 16, 2023


Hi, I decided to start challenging myself by trying out HackTheBox machines and doing as many as I can within a month.

The first box I gave a go at was 2million. It reminded me of the old version of HackTheBox, where you actually had to hack the box to be able to log in.
I was following ippsec's tutorial and read some writeups that I link below.

The first thing every pentester has to do is scan the target: we have to know what is up and running before we do anything else. But first of all we have to connect to the box, as shown below.

I found two open ports, sadly I forgot to screenshot it 🤦🏾‍♂️: port 22 and port 80. Next, open /etc/hosts in the terminal and add an entry for 2million.htb. Now it's time to run Burp Suite to intercept the requests and see what is running on the site.

I noticed that I could change the endpoints, and kept looking at the responses.

Below, trying to get an invite code via the invite endpoint.

Fill in the required information and send the request to Burp Suite to look at it.
Experimenting to see if it is possible to get a reverse shell; once it is seen to be successful, it is time to connect.
Connection to the shell successful; as shown, I used the bash reverse shell from https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

There is a clue on what to look for next: overlays.

Links:

