Unicode is a medium machine on HackTheBox. Our initial scan finds a simple website to investigate, and from there we discover the use of an interesting JSON Web Token. Using JWT Tools we decode and then craft our own token to gain admin access to a dashboard. In there we use a Unicode filter bypass to leak data through a local file inclusion vulnerability, leading to access to the box via SSH. Escalation to root uses a binary we find to be vulnerable through misuse of curl parameters.

Skills required are a basic understanding of JSON Web Tokens. Skills learned are using JWT Tools to manipulate and then create malicious tokens.

```
└─# nmap -p $ports -sC -sV -oA unicode 10.10.11.126
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds
```

Interestingly there’s a big button in the middle that says “Google about us”. Looking at the URL we see a subpage called redirect:

```
└─# curl -i -s -k -X POST -d 'username=pencer&password=password' ''
Set-Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRi元18nTKztpy2x0svtVyTw1YX_YuINoU8sG2VKOaAF_3SW0hffM2vN9_6tYYJBbd6Fh2qFR01jd5-bWBk_0Smy59nttPHqn2Rh2IqiKsDbqOqL5jJpSAYeKEXdBWRW2_z6XePj11z6dDqc5YupoDuJzC_B705sib_gB9c9Nf2SphTfU-vckDw3Ghw74圓nibr-QJNSDohUTOGWZT-satIYVQJvBxCyY1BBCWxzpAbhO9dFtBUQcsLDWg9iw-lke7i2YVjfGCld1ChfuqrK2q-EzTiPQ6GrqhDwkBFPA0MJ6otyt61j0PLe8ELpgZKO6_0IO6l3uDaHADw; Path=/
```

The cookie returned is easily recognisable as a JSON Web Token (JWT). We covered JWT in another box called Secret; on that one I used the JWT toolkit by Ticarpi. This is a good introduction to the concepts. Let’s use it again for this box: first download the tool, then run it against the cookie value:

```
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRi元18nTKztpy2x0svtVyTw1YX_YuINoU8sG2VKOaAF_3SW0hffM2vN9_6tYYJBbd6Fh2qFR01jd5-bWBk_0Smy59nttPHqn2Rh2IqiKsDbqOqL5jJpSAYeKEXdBWRW2_z6XePj11z6dDqc5YupoDuJzC_B705sib_gB9c9Nf2SphTfU-vckDw3Ghw74圓nibr-QJNSDohUTOGWZT-satIYVQJvBxCyY1BBCWxzpAbhO9dFtBUQcsLDWg9iw-lke7i2YVjfGCld1ChfuqrK2q-EzTiPQ6GrqhDwkBFPA0MJ6otyt61j0PLe8ELpgZKO6_0IO6l3uDaHADw
```

We see the user we created, and we also see a JKU set for a hostname of hackmedia.htb. This covers hacking JWT and JKU concepts, but basically the jwks.json file is a set of JSON-encoded public keys used to verify the signature on the JWT we received as the cookie. Let’s add hackmedia to our hosts file then have a look at the jwks.json file:
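As an added example (not code from the write-up), here is the verification-side check the JKU header calls for: parse the token's header without trusting the signature, and accept a `jku` only when its host is on an allow-list, before any jwks.json is fetched. The jwks.json path, the sample token and the rejected hosts are constructed placeholders; only the JKU host hackmedia.htb and the RS256 algorithm come from the box.

```python
import base64
import json
from urllib.parse import urlparse

# hackmedia.htb is the JKU host seen in the box's token; everything else here is constructed.
TRUSTED_JKU_HOSTS = {"hackmedia.htb"}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Split a compact JWT into its header and payload dicts. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def jku_is_trusted(token: str, allowed_hosts=TRUSTED_JKU_HOSTS) -> bool:
    """True only if the header's jku may be fetched: asymmetric alg, http(s) URL,
    no userinfo, and a hostname that exactly matches the allow-list. A verifier
    that skips this lets the token's author supply the key that validates it."""
    header, _ = decode_unverified(token)
    if header.get("alg") not in ASYMMETRIC_ALGS:
        return False
    jku = header.get("jku")
    if not isinstance(jku, str):
        return False
    url = urlparse(jku)
    return (url.scheme in ("http", "https") and url.username is None
            and url.hostname in allowed_hosts)

def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with a dummy signature (constructed test data only)."""
    segs = [b64url_encode(json.dumps(d, separators=(",", ":")).encode()) for d in (header, payload)]
    return ".".join(segs + [b64url_encode(b"dummy-signature")])

# Constructed stand-in for the cookie: same alg and JKU host as the box, placeholder path.
SAMPLE_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "jku": "http://hackmedia.htb/placeholder/jwks.json"},
    {"user": "pencer"},
)
```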