Awkward writeup by evyatar9

Read my writeup to Awkward machine on:


User 1: Found vhost store.hat-valley.htb, Found API /api/staff-details sending request without cookies and we get users and passwords, crack the password of christopher.jones, Crack the JWT secret token, Found SSRF on /api/store-status, Using the SSRF we found internal port 3002 which contains the API doc and the implementation for each method, Found code injection on awk on /api/all-leave request, Signing a new JWT token with awk command injection which leads to LFI, Using the LFI we read the .bashrc file of bean user and we found a backup script, Download the backup from /home/bean/Documents/backup/bean_backup_final.tar.gz and we found on the backup the password of bean.hill user on backup/.config/xpad/content-DS1ZS1.

User 2: Found the password of store.hat-valley.htb on /etc/nginx/conf.d/.htpasswd, On /var/www/store/cart_actions.php we found command injection using sed on delete item operation, Using that we get a reverse shell as www-data.

Root: By running pspy64 we found root user runs script /root/scripts/ to notify about changes on /var/www/private/leave_requests.csv file, At the moment the file changed root sends mail, Use --exec command to run script on mail command, Using that we get a reverse shell as root.