Hack The Box Player Writeup – 10.10.10.145


Hack The Box Player (10.10.10.145) is a very hard Linux machine.

As always, I added the machine IP 10.10.10.145 to /etc/hosts as player.htb and began the nmap scan.

The nmap scan found 3 open ports: 22 (ssh), 80 (webserver) and 6686 (unknown tcp port).

I opened player.htb in the browser to see what’s running on port 80. There is a website, but it only shows a “forbidden” message.

So the next thing that came to mind was to look for possible subdomains or virtual hosts of the player.htb domain using wfuzz.

wfuzz returned 3 subdomain names.

After wfuzz finished, I added the discovered vhosts to /etc/hosts along with player.htb, as below:

After browsing through the discovered vHosts, I found the below websites running on them:

Let’s enumerate them one by one, starting with dev.player.htb.

http://dev.player.htb/

dev.player.htb is a login page. It looks like the front-end of a development tool or app. The Burp request showed me that a POST request is sent to “components/user/controller.php?action=authenticate” with the body “username=xxxxxx&password=xxxxx&theme=default&language=xx“. However, without valid credentials for the page I was unable to do anything yet, so I moved on to another domain.

http://staging.player.htb/

staging.player.htb shows a warning page about ongoing development. There is a “contact core team” page, and any input there gives a 501 internal server error. However, before the error page is displayed, some untidy code is shown briefly; I captured it here:

To find out what’s going on behind the scenes I used Burp to capture that moment. Burp showed me that the page referenced is http://staging.player.htb/contact.php.

I noted down the following for future use:

http://chat.player.htb/

This page seems to be an internal chat between the devs. An automated blank reply from a user named Vincent is sent back whatever I type in. I tried to intercept it using Burp Suite, but the reply is handled client-side, so Burp saw no traffic.

After reading the messages in the chat, the following one caught my attention: “They mentioned our staging exposing some sensitive files and main domain exposing source code which is allowing them to access our product before release. Currently our team working on the fix.”

http://player.htb/launcher/

In the Burp interception I saw that on this page a GET request is sent every 10 seconds to /launcher/dee8dc8a47256c64630d803a4c40786e.php, and it receives the response: Not released yet

The curl request for the above PHP file is as below:

I also noticed that the response changes if I add an email and click on send.

And the response is as below:

Looking at the above PHP code, I understood that it uses JSON Web Tokens (JWT) to generate a token that grants login privileges.

So I went online to analyze the token using https://jwt.io/

So I have the decoded key using the JWT decoder online: C0B137FE2D792459F26FF763CCE44574A5B5AB03

However, I noticed that the “blue part” of the encoded token (the signature) depends on the “Verify Signature” input. If I paste in the secret I found in the PHP code, the signature changes; but if I enable the “secret base64 encoded” option, we get the exact signature from the original token! In other words, the application HMACs with the base64-decoded bytes of the secret, not with the secret string itself.

So now I have the new token:

Using the new token, I sent a GET request with Burp. The response revealed a new page:
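The base64 detail above is the whole point: an HS256 token signed with the raw secret string and one signed with the secret's base64-decoded bytes have different signatures, so a verifier that uses the wrong key encoding rejects valid tokens and one that leaks its secret in source accepts forged ones. As an added example (not the author's code and not the box's PHP), this script signs and verifies HS256 tokens both ways with only the standard library; the secret and the claim names are constructed for the demo, not taken from the target.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret, stored base64-encoded the way the page describes.
SECRET = base64.b64encode(b"constructed-demo-secret").decode()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bytes(secret: str, secret_is_base64: bool) -> bytes:
    # jwt.io's "secret base64 encoded" toggle: decode the secret before HMAC.
    return base64.b64decode(secret) if secret_is_base64 else secret.encode()


def sign_hs256(payload: dict, secret: str, secret_is_base64: bool) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key_bytes(secret, secret_is_base64), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str, secret_is_base64: bool):
    """Return the payload dict if the signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # refuse "none" and any algorithm the verifier did not choose
    expected = hmac.new(key_bytes(secret, secret_is_base64),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = sign_hs256({"access_code": "demo"}, SECRET, secret_is_base64=True)
    print(token)
    print("raw-string key accepts it:", verify_hs256(token, SECRET, False) is not None)
    print("decoded key accepts it:   ", verify_hs256(token, SECRET, True) is not None)
```

Running it shows the same payload verifying only under the key encoding it was signed with, which is exactly why the jwt.io toggle mattered here and why a secret that sits in served source code is already compromised.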

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
