Official Secret Discussion

Can you give me some hints? I have tried a none-JWT attempt, failed.
Then I tried to forge a token, failed.
Then I tried to read file.zip, and got nothing.
I am new to code audit; could you give me some help?

Hi there, help needed! :)

For a few hours I have tried to forge a token with no success...
Downloaded the source code first, tried to forge a J** with the name t**n and the token st, and it fails each time with "invalid token".

Brute forcing / cracking with different tools does not reveal the key, so I think it's not the right one...
Can the secret_token be found there, or do we need to obtain it another way?
Thanks a lot...

DMed you

Hey Guys

After almost a week of trial and error:
I tried crafting a j-t token using the s----t found in the source code with the t-a---- username, but it fails (like others mentioned above).
The most interesting part is that when I ran the source code locally on my box (using nod--js/mon--db) it works fine and I'm able to forge a token using the s----t (and get access as admin).
Also, when checking in j-t.io, my locally generated token is authenticated OK when using the s----t, but a similar token from the htb api/site fails to authenticate.
Does it make sense, or am I missing something basic?

P.S. Once getting admin permission via my local box, going to /api/l--s I got an exception because of the e--c function, which is not defined... so I'm also clueless on the path forward.

Hope I didn't spoil too much and will appreciate any nudges.

Thanks

Hey, did you ever figure out the problem? I downloaded the code and am trying to run it locally but I keep getting that response as well.

If you run code that has a hardcoded password in it, of course it will work locally when you use that password. So if it doesn't work anymore against the live host, then most likely the password has been changed.
You should look a bit more closely at what exactly you downloaded. Some things might be hidden :)

1 Like

Hey, thanks for the quick reply.
Not sure I fully understand: isn't the s-----t within the .**v file?
I ran the exact same source code on my local box, so shouldn't it be the same s-----t word?

It would, but the owner probably changed it before distributing it. Try digging a little deeper into that .**v file
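The situation the thread describes, as an added example that is not code from the box or from any poster: an HS256 JWT minted with the secret shipped in the source verifies fine against that same secret (the local setup), but fails against a server whose secret was rotated before the code was distributed. The secrets, claim names and username below are constructed placeholders, not values from the box; the verifier also refuses `alg: none`, which is the first attempt the thread mentions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 token: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: str):
    """Return the claims if the token verifies under `secret`, else None.

    Only HS256 is accepted: a token with alg=none (or any other alg) is rejected
    regardless of its payload, which is what a sane server does.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


# Constructed placeholders: the secret found in the shipped .env versus the one
# the live host actually uses after the owner rotated it.
LEAKED_SECRET = "secret-from-the-shipped-dotenv"
LIVE_SECRET = "rotated-secret-on-the-live-host"


def demo():
    """Same forged token checked against both secrets: (claims, None)."""
    claims = {"name": "someuser", "role": "admin"}  # placeholder claims
    token = forge_jwt(claims, LEAKED_SECRET)
    return verify_jwt(token, LEAKED_SECRET), verify_jwt(token, LIVE_SECRET)


if __name__ == "__main__":
    local_result, live_result = demo()
    print("local verify:", local_result)
    print("live verify: ", live_result)
```

If a token that verifies at jwt.io with the secret you have is still rejected by the target, the check that fails is the one in `verify_jwt` with `LIVE_SECRET`: the signature is correct, the key is not the one the server holds, so the next step is finding where the real key lives rather than re-signing.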

Any help with root? I think it is something with the /xxx/cxxxt file?

1 Like

DM for hints.

I'm still not understanding where to look. I found the commit comment that said "removed .**v for security reasons". Does this mean there is an older .**v file somewhere else? And if there is, how do we view it?

... and rooted :)
I mean: root flag ^^

I would rank this machine Medium, no? At least for the root part.

1 Like

Hi, I saw you rooted the Static box from HTB.

How did you get the OTP? I found the "secret" in the recovered .gz file, where there are creds too.
I tried with the totp.app website... but nothing! Also tried the Authenticator extension for Firefox.

need help please dm me

Initial foothold was much easier after I was stuck and redid recon thinking as a dev. But now I'm stuck gaining root. I bet I have to do some "grinding", correct?

1 Like

Sorry for the late response. I just used the wrong tools or the wrong way. I tried a different tool and then it worked.

Hey Guys
Managed to get user/shell.
Does the path forward to root involve the /o-t/c---t binary?
Though I'm no expert in C, I couldn't think of a way to bof/manipulate it.
Will appreciate any tips moving forward.
Thanks

Actually I didn't root it. I was only able to get to user. For the OTP you have to create an OTP with the secret you found. There is a PHP script on GitHub that can help you. You can also use Python to do this.

Back to Hack the box after a long time and this was a fun box.

User was pretty easy and everything you need is under your eyes. Just think about a lazy programmer writing API documentation and you will IDentify the right way to make progress.

Root was a little bit more tricky, but it brought me back to my old love in terms of programming languages. Enumeration is key.

Definitely a fun box.

Struggled with this as well. Turns out Hapi/JOI is pretty dumb and your payload isn't parsed as JSON unless you specify the Content-Type header "application/json".

1 Like