https://app.hackthebox.com/machines/Unicode

https://0xdf.gitlab.io/2022/05/07/htb-unicode.html

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-generator: Hugo 0.83.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Hackmedia
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Visiting the website, it looks like a hacker-themed media site (the title is "Hackmedia").

GoBuster and Burp Suite don't turn up anything useful either, so I register an account.

Exploitation

After logging in, I tried the usual file-upload reverse shells and command injection without success. Checking the cookies showed that the session token is a JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy9qd2tzLmpzb24ifQ.eyJ1c2VyIjoienlhaXJlIn0.csqX1Z06p4wqAoRWCT7kc2McscmfJsoRNQInnWb5HrMOgGE7ZAzgWB1HZHEOx3BdyxSurH30WL9lJ5JuvVHQfzOGoQR8_gLy463DkZklv2reRrtv6u6Jygii_FuTcdYuwgqabW2fPCT74W_uzCG-dcmTwr6v9t5-FRNbS45LIMZSdxKr1CBT9X09Dvu0Crja8Z6snaQ48Q0oW0RfnHQeI-sPbwV2HLRRDciIKaGEGjBh0JqBXQF3VJACm7eCaDU9rLc-EzS-VZC3iXl-XP9eoB8T1qTarjl1lVAAg4MAu9_SD6sUy-hqk_aHIh0CwSyYwK0obABmL9ECwVhDi4nYOQ

I paste the token into https://jwt.io/ to decode it (a JWT is signed, not encrypted, so the header and payload are plain base64url JSON) and see what is inside. The header is {"typ":"JWT","alg":"RS256","jku":"http://hackmedia.htb/static/jwks.json"} and the payload is just {"user":"zyaire"}.

The jku header claim points at a JWKS (JSON Web Key Set) on a new hostname, so it's time to add hackmedia.htb to /etc/hosts:

<http://hackmedia.htb/static/jwks.json>

We can wget jwks.json to our local machine. It holds the RSA public key (modulus n and exponent e) that the server uses to verify RS256 signatures:

jwks.json

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "h6RZJvhJTmeyW8CoyuRgRsf5t2y2ygRdsjq2_ExWrtWb5LEathz2jWNuxFQgTbReLU6THVscH8lEu_BZbjcSd00M2GzJuSJmMhxcYdts7xzdK7CZOQMzDodiewlw31K0YLsXN9mR5_5nakqKJaqapPXs3CHtsaCB19QdK3O2nt6RAH5wKHLLCjS2lzxdVlRNGbrEXhSl1fXhOCrxbQA87_HAu7H3wedCSasIZy7FDzlTO-TbegXRjU72_lSGkRcIZ0ZL0BpwsglaOF_oOP5A5hTvo08hp045kC__mzgVlKZEQOfLkS4McT8LVYqqxtDxySmflQg_giqGxnKVWhiYNQ",
            "e": "AQAB"
        }
    ]
}
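Here is a small Python script I've added for this writeup (it is not part of the original box or the 0xdf post) that does by hand what jwt.io did above: it decodes the header and payload, pulls n and e out of the jwks.json we just downloaded, and checks the RS256 signature using only the standard library (RSASSA-PKCS1-v1_5 over SHA-256, as in RFC 8017). It also includes a jku allowlist check, because the jku header tells the server where to fetch the verification key from: a verifier that fetches from whatever URL the token names will trust any key the token's author can host. The token and JWKS are copied from this page; the allowlist set and the "admin" forgery payload are my own assumptions for the demo.

```python
import base64
import hashlib
import json

# Token and JWKS copied from this writeup (the JWKS is the file served at the
# URL named in the token's "jku" header).
TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy9qd2tzLmpzb24ifQ.eyJ1c2VyIjoienlhaXJlIn0.csqX1Z06p4wqAoRWCT7kc2McscmfJsoRNQInnWb5HrMOgGE7ZAzgWB1HZHEOx3BdyxSurH30WL9lJ5JuvVHQfzOGoQR8_gLy463DkZklv2reRrtv6u6Jygii_FuTcdYuwgqabW2fPCT74W_uzCG-dcmTwr6v9t5-FRNbS45LIMZSdxKr1CBT9X09Dvu0Crja8Z6snaQ48Q0oW0RfnHQeI-sPbwV2HLRRDciIKaGEGjBh0JqBXQF3VJACm7eCaDU9rLc-EzS-VZC3iXl-XP9eoB8T1qTarjl1lVAAg4MAu9_SD6sUy-hqk_aHIh0CwSyYwK0obABmL9ECwVhDi4nYOQ"

JWKS = {
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "h6RZJvhJTmeyW8CoyuRgRsf5t2y2ygRdsjq2_ExWrtWb5LEathz2jWNuxFQgTbReLU6THVscH8lEu_BZbjcSd00M2GzJuSJmMhxcYdts7xzdK7CZOQMzDodiewlw31K0YLsXN9mR5_5nakqKJaqapPXs3CHtsaCB19QdK3O2nt6RAH5wKHLLCjS2lzxdVlRNGbrEXhSl1fXhOCrxbQA87_HAu7H3wedCSasIZy7FDzlTO-TbegXRjU72_lSGkRcIZ0ZL0BpwsglaOF_oOP5A5hTvo08hp045kC__mzgVlKZEQOfLkS4McT8LVYqqxtDxySmflQg_giqGxnKVWhiYNQ",
            "e": "AQAB",
        }
    ]
}

# Assumed allowlist: the only URL a verifier should ever fetch keys from.
# A verifier that follows any "jku" the client supplies will trust a JWKS
# the client hosts itself.
TRUSTED_JKU = frozenset({"http://hackmedia.htb/static/jwks.json"})

# DER prefix of a SHA-256 DigestInfo, as used by RSASSA-PKCS1-v1_5 (RFC 8017).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    """JWT base64url carries no padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Return (header, payload) as dicts, without checking the signature."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def rsa_key_from_jwk(jwk: dict):
    """Turn the base64url big-endian "n" and "e" members into integers."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def jku_allowed(header: dict, trusted=TRUSTED_JKU) -> bool:
    """Exact-match allowlist for the jku header; anything else is rejected."""
    return header.get("jku") in trusted


def verify_rs256(token: str, jwks: dict) -> bool:
    """RS256 = RSASSA-PKCS1-v1_5 over SHA-256(header.payload), stdlib only."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "RS256":          # never let the token pick the algorithm
            return False
        keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA"]
        if "kid" in header:
            keys = [k for k in keys if k.get("kid") == header["kid"]]
        if not keys:
            return False
        n, e = rsa_key_from_jwk(keys[0])
        k = (n.bit_length() + 7) // 8             # modulus length in bytes
        sig = b64url_decode(s_b64)
        if len(sig) != k:
            return False
        # Apply the public exponent to the signature and compare with the
        # expected EM block: 00 01 FF..FF 00 DigestInfo || SHA-256(signing input)
        em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
        t = SHA256_DIGESTINFO + hashlib.sha256(f"{h_b64}.{p_b64}".encode("ascii")).digest()
        expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
        return em == expected
    except ValueError:                            # bad base64, bad JSON, malformed token
        return False


def with_payload(token: str, payload: dict) -> str:
    """Swap in a new payload but keep the old signature (a naive forgery)."""
    h, _, s = token.split(".")
    body = json.dumps(payload, separators=(",", ":")).encode("ascii")
    return ".".join([h, b64url_encode(body), s])


if __name__ == "__main__":
    header, payload = decode_jwt(TOKEN)
    print("header :", header)
    print("payload:", payload)
    print("jku on allowlist      :", jku_allowed(header))
    print("signature vs jwks.json:", verify_rs256(TOKEN, JWKS))
    forged = with_payload(TOKEN, {"user": "admin"})   # assumed forgery target
    print("forged payload, old signature:", verify_rs256(forged, JWKS))
```

Running it prints the decoded header and payload, whether the jku is on the allowlist, and whether the signature checks out against the key in jwks.json; editing the payload while keeping the old signature must always fail. The jku check is the part that matters for what comes next: if a server fetches keys from any jku it is handed instead of an exact-match allowlist, it will also accept a token signed with a key we host ourselves. The hand-rolled verifier is for learning only; in real code use a maintained library (PyJWT, jwcrypto) with the algorithm and key source pinned.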

Three useful references on JSON Web Tokens (JWT) and JSON Web Keys (JWK):

https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640
https://openid.net/specs/draft-jones-json-web-key-03.html#Acknowledgements
https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens

To save time, we go to https://mkjwk.org/ and generate our own RSA key pair in JWK format (mkjwk produces the key, not the token).