Official Blazorized Discussion

You’ll need to have privileges, but not always system or admin to elevate.

You will need to have the specific set of permissions for the attack you choose.

If you have enumerated the attack path via Bloodhound, just follow the instructions in the edge.

No, I only have NU, not SSA and RSA users. Found some db credentials but no luck. I’ll keep enumerating to get to either of those accounts.

Follow the attack path in Bloodhound.

If you haven’t already, just run Sharphound and check the results.
The attack won’t take you 2 minutes to accomplish.

1 Like

Go to ChatGPT and type “what are 20 common names for what the keyname would be for a jwt token to be put into localstorage”. Try them all.

Any hint for ScriptPath? I’ve already got RSA, and I know what SSA is capable of, I just don’t know how to pivot. My script isn’t being executed, and I’m not sure why. I’ve read the docs and they mention it having to be a network share. Can anyone nudge?

Hey guys I’m just wondering how do I prevent the reverse shell from getting blocked (immediately getting closed) when executing the SQLi?

htb

4 Likes

I feel like this box should be hard, no? I just rooted and man it was tough. Or maybe I just suck lol

Thanks to @FroggieDrinks and @bsnun for the hints

4 Likes

Yes. This box was almost def. mislabeled. Only reason I could see it be Medium is because post foothold it’s just a lot of basic AD exploits. But that foothold is rough for people.

I feel like Axelle and this one should have switched places honestly because it was just a payload dump even less hard than AD exploiting.

2 Likes

Absolutely. This box was hard from start to finish. I’m pretty new to HTB, so I’m not sure how this box compares to other machines. But with that being said, this box felt like a beat down from 15 soccer hooligans. 😂

2 Likes

I’m struggling with the S**peradmin token initialization. I managed to download the dll files and was able to generate the JWT token for the mentioned user. But after updating the token, the token seems to be invalid. Is it because of expiry or something else?


Please assist.

I checked all DLLs with the name Blazorized, but I did not find the jwt token in them. Tell me, in which class and in which DLL can it be located?

Your expiration could be too quick, but also make sure your crafted JWT has the correct setup. Make sure the alg: is correct and that you’ve set s****admin account to the correct fields.

1 Like

You need to find the hidden .dll inside the main .dll. It references a .dll name that you can’t find in the api’s. That will hold your key.

After creating a new JWT, replacing it using Burp and checking the website again, I see I can ‘sign out’ but the page looks blank (empty).

What am I missing? (beside the root flag of course ;))

Is it working correctly or does the machine need to be reset?

It says “Unauthorized”; you have to guess the correct way to use that jwt in that page. DM me if you need more help.

Hi Zhayr,

I think I generated a ‘valid JWT’ (that’s why I can see that red ‘Sign out’ button. Before sending request with new generated token I can see a green button with ‘sign in’ option).

I was wondering if (even if I’m using this ‘valid token’) something is not loading properly (like some part of the admin’s page).

But if you’re telling me I’m still missing something with the token - I’ll check it again…

Thank you for the hint 🙂

1 Like

Does somebody know why the scriptpath attribute of SSA_**** is blank? As far as I know it must contain a path.

I was also struggling with this thing for a while.

If you enumerate all the subdomains that are available, you can find a valid jwt token. From that you can get an idea of how the admin jwt should be constructed. It (literally) has to follow the same format as the a** jwt.

I reviewed the help library and my token generator matches. When I use it, the webpage shows unauthorized but the button on the top left says sign out. When I entered it into a decoder, it shows an invalid signature. Algorithm is correct, all other items match. Can’t figure out what I am missing… I’ve reviewed the other libraries.