Machine Synopsis
Unicode is a medium-difficulty Linux machine. The machine begins with enumeration of a web server. After registering a new account on the web server, a JWT cookie is used to authenticate the current session. Inspecting the JWT cookie reveals that it is signed using a `jwks.json` file stored on the server. Further enumeration reveals a `/redirect?url=` endpoint. Combining these findings, an attacker can use `jwt_tool` to craft a cookie that authenticates as the Administrator user. Replacing the authentication cookie with the newly crafted one gives the attacker access to a new dashboard. Searching the dashboard, a heavily filtered LFI endpoint is discovered. Because the web server converts Unicode characters back to ASCII, a `HostSplit` attack can be used to bypass the filtering. Enumerating the local file system, a YAML file is found inside the `code` user's home directory. The YAML file contains credentials that allow SSH authentication on the remote machine as the user `code`. The user `code` is able to execute a binary as the `root` user. Inspecting the binary reveals that it is a compiled Python binary. The attacker can transfer the binary to a local machine and extract the source code using `pyinstxtractor` and `uncompyle6`. Reviewing the source code, the attacker spots a filtering bypass that allows injecting command arguments into a `curl` call, thus placing an SSH key inside root's directory and ultimately authenticating as `root` on the remote machine using SSH.
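The LFI filter bypass above works only because the web server validates the raw request value and normalizes Unicode to ASCII afterwards. The following added example (not the machine's own code) contrasts that ordering with the hardened one: normalize first, validate the normalized form, then confirm the resolved path stays under the document root. The base directory, the substring filter and the sample inputs are constructed for the example.

```python
import posixpath
import unicodedata

# Constructed document root for the example; the real application's path is not on the page.
BASE_DIR = "/var/www/app/files"


def naive_filter(user_path: str) -> bool:
    """Constructed stand-in for a traversal filter: reject '..' and absolute paths."""
    return ".." not in user_path and not user_path.startswith("/")


def to_ascii(user_path: str) -> str:
    # NFKC maps compatibility characters such as fullwidth forms to their ASCII
    # equivalents; this models the Unicode-to-ASCII conversion the server performs.
    return unicodedata.normalize("NFKC", user_path)


def resolve_vulnerable(user_path: str):
    """Flawed ordering: filter the raw string, THEN normalize. The filter never
    sees the ASCII form that is actually joined onto the path."""
    if not naive_filter(user_path):
        return None
    return posixpath.normpath(posixpath.join(BASE_DIR, to_ascii(user_path)))


def resolve_hardened(user_path: str):
    """Correct ordering: normalize, filter the normalized form, resolve, and
    verify the final path is still inside BASE_DIR (defence in depth)."""
    canonical = to_ascii(user_path)
    if not naive_filter(canonical):
        return None
    full = posixpath.normpath(posixpath.join(BASE_DIR, canonical))
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        return None
    return full


if __name__ == "__main__":
    # Constructed input: fullwidth '.' (U+FF0E) and '/' (U+FF0F) that NFKC folds to '../'.
    probe = "\uff0e\uff0e\uff0f\uff0e\uff0e\uff0fsecret.yaml"
    print("vulnerable:", resolve_vulnerable(probe))  # escapes BASE_DIR
    print("hardened:  ", resolve_hardened(probe))    # None
    print("benign:    ", resolve_hardened("reports/q1.txt"))
```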
Machine Matrix