In this post, I would like to share a walkthrough of the Unicode Machine from Hack the Box

This room has been considered difficulty rated as a medium machine on Hack The Box

What will you gain from the Unicode machine?

For the user flag, you will use the JWT token to retrieve credentials

As for the root flag, you need to execute the SUID abuse

Information Gathering on Unicode Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface to find any vulnerability that we can exploit 

We managed to see only simple page that contain the Home, Login, and Register button on the top of the website

Let’s try to register which we can use to login on to the Dashboard

We should be able to login using the credentials that we created earlier.

Welcome to the Dashboard

There’s upload function but we didn’t get anything after uploading a file

Let’s see the cookies on the website and notice the token is jwt.

JWT information

We should copy-paste the jwt token into JSON Web Tokens –

I notice that jku has been stated from the token I retrieve.

For information on jku or jwt, you can read over here

Another information that we can retrieve from the URL we found earlier.

We should do some research jwks generator

As a result, we need to select the options that have been shown above.

Aside from that, we require to change the jku and user value as shown above.

At last, we successfully access the admin Dashboard as shown in the screenshot above.

An error has appeared as “The Report is being prepared. Please come back later” when we try to see the saved reports

There might be some LFI attack methods that can be used over here.

However, the result is not good.

As a result, let’s try to Unicode the symbols to bypass the parameters

The output of /etc/password is shown above.

Let’s do some research on nginx folder

There’s a statement from the database

We got credentials for the reuser “code” and the password for it.

Finally, we should be able to access the machine via ssh

Lastly, we can read the user flag by typing the command “cat user.txt

Escalate Root Privileges Access

For us to be aware of the SUID that we can use for further escalation, we need to run sudo -l command

We should look at the file extension that leads me to LSB executable file

Let’s transfer the file to our own machine to analyze the SUID

However, we cannot read the file content which looks useless to our eyes.

Let’s install the pyinstxttractor on our machine and execute it as shown above.

A new folder has been created from the previous activity.

We also notice that the file format is python 3.9 byte-compiled where we need to decompile it.

As a result, we need to install a python decompiler,

I will skip the explanation above which it also show only installation of the tool

At last, we can finally be able to read the treport file content

Let’s run the SUID “treport” so that we can obtain the root flag

From the code analysis, we can use choice 3 with the next command would {–config, /root/root.txt}