HTB · Easy
HTB TwoMillion: A Lesson in API Abuse and Privilege Escalation
JavaScript deobfuscation reveals hidden API endpoints, leading to invite-code generation. API route enumeration exposes an admin section with broken access control, enabling self-promotion to admin. Command injection in the VPN-configuration generation endpoint provides a shell. A leaked .env file gives SSH credentials, and CVE-2023-0386 (OverlayFS) escalates to root.