Can you give me some hints? I tried a none-JWT attempt, which failed,
then I tried to forge a token, which failed.
Then I tried to read file.zip and got nothing.
I am new to this code audit. Could you give me some help?
Hi there, help needed!
For a few hours I have tried to forge a token with no success…
Downloaded the source code at first, tried to forge a J** with the name t**n and the token st, and it fails each time with “invalid token”.
Brute forcing / cracking with different tools does not reveal the key, so I think it’s not the right one…
Can the secret_token be found there, or do we need to obtain it another way?
Thanks a lot…
DMed you
Hey Guys
After almost a week of trial and error:
I tried crafting a j-t token using the s----t found in the source code with the t’a---- username, but it fails (like others mentioned above).
The most interesting part is that when I ran the source code locally on my box (using nod’js/mon’db) it works fine and I’m able to forge a token using the s----t (and get access as admin).
Also, when checking in j-t.io, my locally generated token authenticates OK when using the s----t, but a similar token from the HTB API/site fails to authenticate.
Does it make sense, or am I missing something basic?
P.S. Once I got admin permission via my local box, going to /api/l’s I got an exception because of the e’c function, which is not defined… so I’m also clueless on the path forward.
Hope I didn’t spoil too much, and I will appreciate any nudges.
Thanks
Hey, did you ever figure out the problem? I downloaded the code and am trying to run it locally, but I keep getting that response as well.
If you run code that has a hardcoded password in it, of course it will work locally when you use that password. So if it doesn’t work anymore against the live host, then most likely the password has been changed.
You should look a bit more closely at what exactly you downloaded. Some things might be hidden.
Hey, thanks for the quick reply.
Not sure I fully understand. Isn’t the s-----t within the .**v file?
I ran the exact same source code on my local box, so shouldn’t it be the same s-----t word?
It would, but the owner probably changed it before distributing it. Try digging a little deeper into that .**v file.
Any help with root? I think it is something with the /xxx/cxxxt file?
DM for hints.
I’m still not understanding where to look. I found the commit comment that said “removed .**v for security reasons”. Does this mean there is an older .**v file somewhere else? And if there is, how do we view it?
… and rooted
I mean: root flag ^^
I would rank this machine Medium, no? At least for the root part.
Hi, I saw you rooted the Static box from HTB.
How did you get the OTP? I found the “secret” in the recovered .gz file where there are creds too.
I tried with the totp.app website… but nothing!! Also tried the Authenticator extension for Firefox.
Need help, please DM me.
Initial foothold was much easier after I was stuck and redid recon thinking as a dev. But now I’m stuck gaining root. Bet I have to do some “grinding”, correct?
Sorry for the late response. I just used the wrong tools or the wrong way. I tried a different tool and then it worked.
Hey Guys
Managed to get user/shell.
Does the path forward to root involve the /o-t/c’t binary?
Though I’m no expert in C, I couldn’t think of a way to BOF/manipulate it.
Will appreciate any tips moving forward.
Thanks
Actually I didn’t root it. I was only able to get to user. For the OTP you have to create an OTP with the secret you found. There is a PHP script on GitHub that can help you. Also you can use Python to do this.
Back to Hack the box after a long time and this was a fun box.
User was pretty easy and everything you need is under your eyes. Just think about a lazy programmer writing API documentation and you will IDentify the right way to make progress.
Root was a little bit more tricky, but it brought me back to my old love in terms of programming languages. Enumeration is key.
Definitely a fun box.
Struggled with this as well. Turns out Hapi/Joi is pretty dumb and your payload isn’t parsed as JSON unless you specify the Content-Type header “application/json”.