TwoMillion (command execution + kernel vulnerability privilege escalation)

The TwoMillion box was released to commemorate Hack The Box reaching 2 million users.

10.10.11.221

cd /pentest/intelligence-gathering
./fscan_amd64 -h 10.10.11.221

(icmp) Target 10.10.11.221    is alive
[*] Icmp alive hosts len is: 1
10.10.11.221:22 open
10.10.11.221:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle:http://10.10.11.221 code:301 len:162 title:301 Moved Permanently 跳转url: http://2million.htb/

echo "10.10.11.221 2million.htb" >> /etc/hosts

http://2million.htb/

The web app is the old version of the Hack The Box user interface.

Getting a regular web account

This works the same way as registering an HTB account used to: read the JS source, find the API, and use the API.

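Getting a regular Linux user

Escalate to admin through broken access control, use the command execution vulnerability, and get www-data with a one-line reverse shell.
Look through the files, find the database username and password, log in as the admin user over SSH, and get a regular system user.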

Privilege escalation

Linux OverlayFS privilege escalation vulnerability (CVE-2023-0386)

try:

git clone https://github.com/chenaotian/CVE-2023-0386

gcc -Wall exp.c `pkg-config fuse --cflags --libs` -o exp

compile failed

try2:

git clone https://github.com/xkaneiki/CVE-2023-0386
make all
compile failed

sudo apt-get update && sudo apt-get install dislocker
sudo apt-get update && sudo apt-get install libfuse-dev
apt-get install libfuse3-dev

Try installing libfuse-dev to solve this problem.