HTB Writeup: TwoMillion

Difficulty: Medium — frustratingly fun

Completion: User & Root

⚙️ Summary

This box involved careful enumeration of web-facing services, source-code inspection, and subtle privilege escalation via local configuration weaknesses.

🧪 Tools Used

🕵️‍♂️ Attack Path (Public Summary)

  1. Initial recon exposed a non-standard login interface.
  2. Analyzed a GitHub repo tied to the target stack (hinted via metadata).
  3. Used source code insights to bypass authentication.
  4. Local privilege escalation via misconfigured cron jobs.