Penetration Testing Report – 2Million
Target: 2Million HTB Machine
Author: Asma Neji
Date: February 2026
Assessment Type: Black-Box / Capture The Flag (CTF-style)
Objective: Identify vulnerabilities, gain privileged access, and retrieve both User and Root flags
1. Executive Summary
The target system 2Million was assessed to identify security weaknesses that could allow unauthorized access or privilege escalation.
During the assessment, multiple vulnerabilities were identified, including insecure application logic, information disclosure, and a critical Linux kernel vulnerability (CVE-2023-0386) that allowed local privilege escalation to root.
Successful exploitation resulted in full system compromise and retrieval of both user and root flags.
2. Scope & Methodology
Scope
- Target IP: 10.129.xxx.xxx
- Services assessed:
  - Web application
  - Linux operating system
  - Local privilege boundaries
Methodology
The assessment followed a standard penetration testing methodology:
- Reconnaissance – Service enumeration and web application analysis
- Initial Access – Application logic abuse and credential discovery
- Privilege Escalation – Local enumeration and kernel vulnerability exploitation
- Post-Exploitation – Root access verification and flag retrieval
3. Findings & Exploitation Summary
3.1 Web Application Weaknesses
Finding: Insecure application logic and exposed functionality
The web application allowed unintended actions without proper authorization checks. Sensitive endpoints and administrative functionality were discoverable.
Impact: This allowed an attacker to gain an authenticated shell as a low-privileged user.
Risk Level: Medium
3.2 Information Disclosure
Finding: Sensitive internal information exposed
Emails, internal identifiers, and system hints were accessible. One exposed email address (ch4p@2million.htb) provided valuable context for further enumeration.
Impact: Significantly reduced attack complexity.
Risk Level: Medium
3.3 Local Privilege Escalation (Critical)
Finding: Vulnerable Linux kernel – OverlayFS
The system was running a Linux kernel vulnerable to CVE-2023-0386 (OverlayFS). This vulnerability allows an attacker to move files within the Overlay filesystem while preserving metadata, including file ownership and the SetUID bit.
CVE Details:
- CVE ID: CVE-2023-0386
- Type: Local Privilege Escalation
- Affected Component: OverlayFS
- Severity: Critical
Impact: A local attacker can escalate privileges from a standard user to root, resulting in full system compromise.
Risk Level: Critical
4. Post-Exploitation
After successful privilege escalation:
- Root access was obtained
- System integrity was fully compromised
- Sensitive files became accessible
- The root flag was retrieved from /root/
This confirms a complete compromise of the target system.
5. Impact Assessment
If exploited in a real-world environment, this vulnerability chain could lead to:
- Full server takeover
- Unauthorized access to sensitive data
- Persistence installation
- Lateral movement within internal networks
- Total loss of confidentiality, integrity, and availability
6. Recommendations & Mitigations
Immediate Actions
- Update the Linux kernel to a version patched against CVE-2023-0386
- Restrict OverlayFS usage where not required
Web Application Hardening
- Implement strict authorization checks
- Remove exposed administrative functionality
- Sanitize and restrict sensitive endpoints
Monitoring & Defense
- Enable File Integrity Monitoring
- Implement privilege escalation detection
- Deploy EDR/XDR solutions with kernel exploit detection
- Perform regular vulnerability scanning and patch management
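The finding in 3.3 notes that CVE-2023-0386 lets a file be moved through the Overlay filesystem with root ownership and the SetUID bit intact, so the artefact such an escalation leaves behind is a root-owned SetUID executable outside the directories where package-managed SetUID binaries live. The following sweep is an added illustration of the File Integrity Monitoring and privilege-escalation detection items above; it is not part of the original report, and the trusted prefixes and scanned roots are assumptions to be tuned to the host's own baseline.

```python
#!/usr/bin/env python3
"""Added example (not from the original report): a FIM-style sweep for
root-owned SetUID files sitting outside trusted system directories, the
on-disk trace that an OverlayFS metadata-preserving move would leave."""
import os
import stat
from typing import List, Tuple

# Assumption: a typical Debian/Ubuntu layout. Replace with a baseline
# generated from the package manager for the host being monitored.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/snap/")


def is_rogue_setuid(path: str, mode: int, uid: int, root_uid: int = 0) -> bool:
    """Pure check on stat-like fields: a regular file, SetUID bit set,
    owned by root_uid, and located outside every trusted prefix."""
    if not stat.S_ISREG(mode):
        return False          # directories, sockets, symlinks: not a binary
    if not (mode & stat.S_ISUID):
        return False          # no SetUID bit, nothing to escalate with
    if uid != root_uid:
        return False          # SetUID to a non-root owner is out of scope here
    return not path.startswith(TRUSTED_PREFIXES)


def sweep(roots: Tuple[str, ...], root_uid: int = 0) -> List[str]:
    """Walk the given roots without following symlinks and return every
    path flagged by is_rogue_setuid, sorted for stable reporting."""
    hits: List[str] = []
    for top in roots:
        for dirpath, _dirnames, filenames in os.walk(top, followlinks=False):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)   # lstat: never dereference symlinks
                except OSError:
                    continue              # vanished or unreadable: skip
                if is_rogue_setuid(full, st.st_mode, st.st_uid, root_uid):
                    hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    # Assumption: user-controlled locations where an overlay upper
    # directory would usually be created on a single-user host.
    for hit in sweep(("/home", "/tmp", "/dev/shm", "/var/tmp")):
        print("rogue setuid-root file:", hit)
```

Run it from a root cron job or as a periodic check alongside existing FIM tooling, and alert on any hit rather than on the absence of one.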
7. Conclusion
The 2Million machine demonstrates how chained vulnerabilities — from weak application logic to unpatched kernel flaws — can result in full system compromise.
This assessment highlights the importance of:
- Secure application design
- Least privilege principles
- Timely system patching
- Continuous security monitoring
8. Skills Demonstrated
- Web application security testing
- Linux privilege escalation
- CVE research and exploitation analysis
- System enumeration
- Post-exploitation validation
- Professional reporting
Machine Owned ✓