💻 ~/Rooted_Tales 🌐

⚠️ Disclaimer: All writeups and code shared here are meant for educational and ethical hacking purposes only. Use at your own risk.

CodeTwo

CodeTwo is a HackTheBox machine featuring a vulnerable web application with JavaScript execution functionality leading to full system compromise through CVE exploitation and backup tool abuse.

Box Info

Name: CodeTwo
Type: Machine
Difficulty: Easy
Creator: FisMatHack
Release Date: 16 August 2025
Link: https://app.hackthebox.com/machines/CodeTwo
My HTB Profile: https://app.hackthebox.com/profile/1601323

Reconnaissance

Initial Enumeration

Performed an Nmap scan and identified 2 open ports: 22 and 8000.

The Magic Informer

The Magic Informer is a HackTheBox challenge featuring a Node.js application with multiple critical vulnerabilities. This writeup demonstrates how I chained LFI, JWT bypass, and SSRF to achieve RCE.

Box Info

Name: The Magic Informer
Type: Challenge
Difficulty: Easy
Creator: Rayhan0x01 & makelaris
Release Date: 17 December 2022

Reconnaissance

Application Overview

The web application features:

HTB Passman

Passman is an easy-rated HackTheBox machine featuring a Node.js password manager vulnerable to IDOR via GraphQL mutations. This writeup demonstrates how I exploited an authorization flaw to change admin passwords and retrieve the flag.

Box Info

Name: Passman
OS: Linux
Difficulty: Easy
Creator: xclow3n
Release Date: 27 Oct 2022

Reconnaissance

Application Overview

The web application presents a password manager interface:

Hijacking Sessions with postMessage: The Silent DOM XSS Threat

Discovery Date: 18th May 2025

Figure: Vulnerability Diagram (credits to dall-efree.com)

Introduction

Imagine a bank teller who accepts withdrawal slips from anyone without checking IDs. A hacker slips in a fake note saying, “Give all money to me,” and the teller blindly obeys.

That’s exactly what happens in this DOM XSS vulnerability — where a website blindly trusts messages from any sender, allowing attackers to inject malicious scripts.

CVE-2017-3506: OS Command Injection in Alibaba WebLogic

Discovery Date: 16th July 2024

Vulnerability Overview

CVE-2017-3506 is a critical vulnerability in Oracle WebLogic Server (WLS) components that allowed unauthenticated remote code execution via malformed XML data in the WLS Security subcomponent. During a penetration test of Alibaba’s infrastructure, I identified and exploited this vulnerability to gain server access.

Affected Systems

Component          Version
WebLogic Server    10.3.6.0
WebLogic Server    12.1.3.0
WebLogic Server    12.2.1.0-12.2.1.2

Discovery Methodology

Initial Reconnaissance

Identified WebLogic servers using:

HTB: TwoMillion

TwoMillion is a special release from HackTheBox to celebrate 2,000,000 HackTheBox members. It released directly to retired, so no points and no bloods, just for fun. It features a website that looks like the original HackTheBox platform, including the original invite code challenge that needed to be solved in order to register. Once registered, I’ll enumerate the API to find an endpoint that allows me to become an administrator, and then find a command injection in another admin endpoint. I’ll use database creds to pivot to the next user, and a kernel exploit to get to root. In Beyond Root, I’ll look at another easter egg challenge with a thank you message, and a YouTube video exploring the webserver and its vulnerabilities.