HackTheBox - Luke


00:40 - Beginning of Recon
02:45 - Checking FTP to get a note
03:38 - Going to each of the three websites
04:30 - Running Gobuster on port 80/3000
06:30 - Taking notes of all the login pages (forgot Ajenti)
07:55 - config.php found which has a password
10:15 - Discovering /login on port 3000 accepts username=&password=
11:25 - Successful login! JWT Token returned
14:00 - Using curl to add the JWT Token in the header to access other api endpoints
15:10 - Using BurpSuite to add headers
18:30 - Navigating the Rest API to dump the usernames and passwords
20:30 - Attempting logins on other services
21:30 - Derry can log in to /management
22:50 - Ajenti Password! Let's try logging in
22:30 - Ajenti has a virtual terminal that is running as root!
26:20 - Extra Content - Getting a reverse shell
28:30 - Grabbing the JWT Secret, so we can forge our own tokens!
29:10 - Creating a Python script to generate JWT Tokens
30:20 - This token has no expiration time, and is assigned at 0. Should never expire!
31:30 - Adding Requests to our script, so the script can make web requests
33:15 - Let's try removing all signing algorithms from the token and see if the server accepts it
34:40 - Cracking the JWT Token Signing key with Hashcat

Reviewed by Anonymous on September 14, 2019