In this post, I would like to share a walkthrough of the Unicode machine from Hack The Box.
This machine is rated as medium difficulty on Hack The Box.
What will you gain from the Unicode machine?
For the user flag, you will abuse the JWT token to retrieve credentials.
As for the root flag, you need to abuse a SUID binary.
Information Gathering on Unicode Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start the information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
Let's access the website interface to find any vulnerability that we can exploit.
We only see a simple page with Home, Login and Register buttons at the top of the website.
Let's register an account that we can use to log in to the dashboard.
We should be able to log in using the credentials that we created earlier.
Welcome to the Dashboard
There is an upload function, but we did not get anything back after uploading a file.
Let's look at the website's cookies and notice that the session token is a JWT.
JWT information
We should paste the JWT into the decoder at JSON Web Tokens – jwt.io.
I notice that a jku header is set in the token I retrieved.
For more information on jku and JWT, you can read over here.
More information can be retrieved from the jku URL we found earlier.
We should do some research on JWKS generators.
As a result, we need to select the options that have been shown above.
Aside from that, we need to change the jku header and the user value as shown above.
At last, we successfully access the admin dashboard, as shown in the screenshot above.
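The forgery above works because the server fetches its verification key from whatever URL the jku header names. The defensive counterpart is to decide, before fetching anything, whether that URL is the server's own JWKS location. The following is an added example (not code from the post or from the Unicode machine) of that check in stdlib Python; the allowed JWKS URL, the hostnames and the sample tokens are all constructed placeholders, and the dummy signature means nothing is cryptographically verified here.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed location of the application's own JWKS file; the real URL is not
# given in the post, so this is a placeholder origin.
ALLOWED_JKU = "https://app.example/static/jwks.json"


def b64url_decode(data):
    """Decode base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_header(token):
    """Parse the JOSE header only; nothing here proves the token is genuine."""
    return json.loads(b64url_decode(token.split(".")[0]))


def jku_is_allowed(jku, allowed=ALLOWED_JKU):
    """Accept a jku only if it is exactly the server's own JWKS URL.

    Comparing scheme, host, port and the full path, and rejecting userinfo,
    query and fragment, closes the usual tricks: a different host,
    "https://app.example@attacker/", a traversal such as
    "/static/../../uploads/jwks.json", or "?x=" appended to a prefix match.
    """
    want, got = urlsplit(allowed), urlsplit(jku)
    return (
        got.scheme == "https"
        and got.hostname == want.hostname
        and got.port == want.port
        and got.username is None
        and got.path == want.path
        and got.query == ""
        and got.fragment == ""
    )


def key_source_for(token):
    """Decide where the verification key may come from, before any fetch.

    Returns ("fetch", url) when the jku is the allow-listed URL, otherwise
    ("reject", reason). Signature verification against the fetched key and
    the kid lookup inside that JWKS still have to happen afterwards.
    """
    hdr = unverified_header(token)
    if hdr.get("alg") not in ("RS256", "ES256"):
        return ("reject", "unexpected alg")
    jku = hdr.get("jku")
    if not isinstance(jku, str):
        return ("reject", "jku missing")
    if not jku_is_allowed(jku):
        return ("reject", "jku not allow-listed")
    return ("fetch", jku)


def make_token(header, payload):
    """Build a token with a dummy signature (constructed test data only)."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 32),
    ])


# Constructed samples: a genuine-looking header, one whose jku points at a
# placeholder attacker host, and one using the userinfo trick.
GENUINE = make_token(
    {"alg": "RS256", "typ": "JWT", "jku": ALLOWED_JKU, "kid": "1"}, {"user": "alice"})
FORGED = make_token(
    {"alg": "RS256", "typ": "JWT", "jku": "https://attacker.example/jwks.json", "kid": "1"},
    {"user": "admin"})
USERINFO_TRICK = make_token(
    {"alg": "RS256", "jku": "https://app.example@attacker.example/static/jwks.json"},
    {"user": "admin"})

if __name__ == "__main__":
    for name, tok in (("genuine", GENUINE), ("forged", FORGED), ("userinfo", USERINFO_TRICK)):
        print(name, key_source_for(tok))
```

The stronger fix is to ignore jku entirely and pin the verification key in server configuration; the allow-list above is the minimum when the header has to be honoured.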
An error appears saying “The Report is being prepared. Please come back later” when we try to view the saved reports.
An LFI (local file inclusion) attack might be possible here.
However, the first attempt does not give a good result.
So let's try Unicode versions of the symbols to bypass the filter on the parameter.
The output of /etc/passwd is shown above.
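The bypass succeeds when a filter rejects the literal traversal sequence on the raw input and the application (or its framework) normalizes Unicode afterwards, so that fullwidth variants only turn into the blocked characters once the check is already behind them. The following is an added example, not code from the post or from the machine, contrasting that ordering with a version that normalizes first and then checks containment; the report directory is an assumed placeholder.

```python
import os
import unicodedata

# Assumed report directory; the real application's paths are not in the post.
REPORT_DIR = "/srv/app/reports"

# Constructed input: fullwidth '．' (U+FF0E) and '／' (U+FF0F) repeated three times.
TRAVERSAL = "\uff0e\uff0e\uff0f" * 3 + "etc/passwd"


def vulnerable_resolve(name):
    """Blacklist '../' on the raw string, then normalize.

    This ordering is the bug: the fullwidth characters pass the substring
    check and only become '../' when NFKC normalization runs afterwards.
    """
    if "../" in name or name.startswith("/"):
        return None
    name = unicodedata.normalize("NFKC", name)
    return os.path.normpath(os.path.join(REPORT_DIR, name))


def safe_resolve(name):
    """Normalize first, then resolve and check containment.

    Instead of looking for bad substrings, build the final path and require
    it to stay under the base directory. realpath also follows symlinks, so
    a link planted inside REPORT_DIR cannot escape either.
    """
    name = unicodedata.normalize("NFKC", name)
    base = os.path.realpath(REPORT_DIR)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(TRAVERSAL))
    print("safe      :", safe_resolve(TRAVERSAL))
    print("safe      :", safe_resolve("weekly.txt"))
```

The point to take from it is that normalization belongs at the trust boundary, before any validation, and that validation should be an allow check on the resolved path rather than a search for known-bad strings.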
Let's look into the nginx configuration folder.
There is a statement referring to the database.
We get the credentials for the user “code”, including its password.
Finally, we should be able to access the machine via SSH.
Lastly, we can read the user flag by typing the command “cat user.txt”.
Escalating to Root Privileges
To find the SUID binary we can use for further escalation, we need to run the sudo -l command.
Checking the file shows that it is an LSB executable.
Let's transfer the file to our own machine to analyze the SUID binary.
However, the file content is not readable as-is.
Let's install pyinstxtractor on our machine and run it as shown above.
A new folder has been created by the previous step.
We also notice that the extracted file is Python 3.9 byte-compiled code, which we need to decompile.
As a result, we need to install a Python decompiler.
I will skip the explanation of the step above, since it only shows the installation of the tool.
At last, we are able to read the treport file content.
Let's run the SUID “treport” so that we can obtain the root flag.
From the code analysis, we can use choice 3 and supply --config /root/root.txt as the next input.
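The root-cause pattern behind that input is argument injection: user text is split into words and handed to a privileged command, so a value that starts with a dash is parsed as an option instead of a URL. The following is an added example, not the decompiled treport code, and it assumes (the post does not show the source) that choice 3 passes the input to a command-line downloader such as curl; it contrasts that pattern with a version that validates the input as a URL and terminates option parsing with curl's documented "--" marker. Nothing is executed; the functions only build the argument vectors.

```python
import shlex
from urllib.parse import urlsplit


def insecure_curl_argv(user_input):
    """Hypothetical reconstruction of the vulnerable pattern.

    The text is split into words and placed after the command unchanged, so
    "--config /root/root.txt" becomes two curl options rather than a URL.
    """
    return ["curl"] + shlex.split(user_input)


def safe_curl_argv(user_input):
    """Treat the input as one http(s) URL and nothing else.

    Scheme and host are required, which already excludes anything that
    starts with '-', and "--" tells curl that option parsing is over so
    whatever follows can only be a URL.
    """
    url = user_input.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only http(s) URLs are accepted")
    return ["curl", "--silent", "--", url]


def is_rejected(user_input):
    """Helper for checks: True when safe_curl_argv refuses the input."""
    try:
        safe_curl_argv(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("--config /root/root.txt", "https://reports.example/daily.txt"):
        print("insecure:", insecure_curl_argv(sample))
        print("safe    :", "rejected" if is_rejected(sample) else safe_curl_argv(sample))
```

For a SUID or sudo-exposed helper, the argument vector is only half of it: the process should also drop privileges before running the downloader, since even a well-formed URL lets curl read and write files with whatever rights it inherits.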