HTB: twomillion Writeup (Incomplete)
Status Notice
⚠️ INCOMPLETE WRITEUP - This writeup is a skeleton with minimal documentation. Only the user flag has been captured. Investigation notes for most sections are pending.
Machine Information
| Attribute | Details |
|---|---|
| Name | twomillion |
| OS | Linux |
| Difficulty | Easy |
| Points | N/A |
| Release Date | N/A |
| IP Address | 10.129.x.x |
| Author | D3vnomi |
Summary
twomillion is an Easy-difficulty Linux machine from HackTheBox. Standard exploitation path expected: initial enumeration → service discovery → initial foothold → privilege escalation to user → privilege escalation to root.
Current Status: User flag captured. Root flag and detailed exploitation steps pending documentation.
Reconnaissance
Port Scanning
nmap -sC -sV -T4 -p- 10.129.x.x
Investigation Pending: Port scan results not documented.
Service Enumeration
Hostname: 2million.htb
echo "10.129.x.x 2million.htb" >> /etc/hosts
Investigation Pending: Service enumeration details not documented.
Initial Foothold
Investigation Pending:
- Exploitation vector not documented
- Entry point methodology not recorded
- Initial access method unknown
User Compromise
User Flag
🚩 User Flag (Captured): 57a85413575d3901b55353d87cd1f91e
Exploitation Details
Investigation Pending: Method to obtain user flag not documented.
Privilege Escalation
Path to Root
Investigation Pending: Privilege escalation technique not documented.
Root Flag
Status: Not captured
Investigation Pending:
- Root exploitation methodology unknown
- Root flag not yet obtained
Tools Used
| Tool | Purpose |
|---|---|
| nc | Reverse shell listener (likely) |
Note: Tool list is incomplete and based on template.
Next Steps to Complete This Writeup
- Document all nmap scan results and open ports
- Record service enumeration findings
- Detail initial foothold exploitation steps and payloads
- Document user credential discovery methodology
- Capture root flag
- Document privilege escalation chain
- Create attack chain diagram when complete
- Add actual key learnings from exploitation
Disclaimer
This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.
Last Updated: 08 Mar 2026
Documentation Status: Skeleton/Incomplete - User flag only
Tags: #HackTheBox #Linux #Easy #Incomplete