Hack The Box Player Writeup – 10.10.10.145

Hack The Box Player (10.10.10.145) is a very hard Linux machine.

As always, I added the machine IP 10.10.10.145 to /etc/hosts as player.htb and began scanning with nmap.

➜  player nmap -sTV -p 1-65535 -oN nmap-player player.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-13 21:43 +03
Nmap scan report for 10.10.10.145
Host is up (0.014s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.7
6686/tcp open  tcpwrapped
Service Info: Host: player.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.42 seconds

The nmap scan found 3 open ports: 22 (SSH), 80 (web server) and 6686 (unknown TCP port, reported as tcpwrapped).

I opened player.htb in the browser to see what was running on port 80. There is a website, but it only returns a “forbidden” message.

So the next thing that came to mind was looking for subdomains or virtual hosts of the player.htb domain using wfuzz:

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.player.htb" -u http://player.htb -t 100

wfuzz returned 3 subdomain names:

********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://player.htb/
Total requests: 19983
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000019: 200 86 L 229 W 5243 Ch "dev"
000000067: 200 63 L 180 W 1470 Ch "staging"
000000070: 200 259 L 714 W 9513 Ch "chat"

After finishing with wfuzz, I added the discovered vhosts to /etc/hosts alongside player.htb, as below:

10.10.10.145 player.htb dev.player.htb staging.player.htb chat.player.htb

After browsing through the discovered vhosts, I found the websites described below running on them.

Let's enumerate them one by one, starting with dev.player.htb.

http://dev.player.htb/

dev.player.htb is a login page that looks like the front end of a development tool or app. The request captured in Burp showed that the login form sends a POST request to “components/user/controller.php?action=authenticate” with the body “username=xxxxxx&password=xxxxx&theme=default&language=xx“. However, without valid credentials I was unable to do anything here yet, so I moved on to another domain.

http://staging.player.htb/

staging.player.htb shows a page warning about ongoing development. There is a “contact core team” page, and any input there gives a 501 internal server error. However, before the error page is displayed, some untidy debug output flashes by; I captured it here:

array(3) { [0]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(6) ["function"]=> string(1) "c" ["args"]=> array(1) { [0]=> &string(9) "Cleveland" } } [1]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(3) ["function"]=> string(1) "b" ["args"]=> array(1) { [0]=> &string(5) "Glenn" } } [2]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(11) ["function"]=> string(1) "a" ["args"]=> array(1) { [0]=> &string(5) "Peter" } } } Database connection failed.
Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php

To find out what was going on behind the scenes, I used Burp to capture that moment. Burp showed that the page being referenced is http://staging.player.htb/contact.php.

⚡  root@ns09  ~/htb/player  curl http://staging.player.htb/contact.php
array(3) {
  [0]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(6)
    ["function"]=>
    string(1) "c"
    ["args"]=>
    array(1) {
      [0]=>
      &string(9) "Cleveland"
    }
  }
  [1]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(3)
    ["function"]=>
    string(1) "b"
    ["args"]=>
    array(1) {
      [0]=>
      &string(5) "Glenn"
    }
  }
  [2]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(11)
    ["function"]=>
    string(1) "a"
    ["args"]=>
    array(1) {
      [0]=>
      &string(5) "Peter"
    }
  }
}
Database connection failed.<html><br />Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php#
⚡  root@ns09  ~/htb/player

I noted down the following for future use:

Unknown variable user in /var/www/backup/service_config
fatal error in /var/www/staging/fix.php

http://chat.player.htb/

This page seems to be an internal chat between the devs. Whatever I type in, an automated blank reply from a user named Vincent is sent back. I tried to intercept it with Burp Suite, but the reply is handled client-side, so Burp saw no traffic.

After reading the messages in the chat, the following one caught my attention: “They mentioned our staging exposing some sensitive files and main domain exposing source code which allowing them to access our product before release. Currently our team working on the fix.”

http://player.htb/launcher/

In the Burp interception I saw that, every 10 seconds, this page sends a GET request to /launcher/dee8dc8a47256c64630d803a4c40786e.php and receives the response: Not released yet

The curl request of the above PHP is as below:

I also noticed that the response changes if I add an email address and click Send.

/launcher/dee8dc8a47256c64630d803a4c40786c.php

And the response is as below:

Set-Cookie: access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ.cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU

Looking at the PHP code above, I understood that it uses JSON Web Tokens (JWT) to generate a token that grants login privileges.

So I went online to analyze the tokens using https://jwt.io/

Decoding the token with the online JWT decoder gave me the key: C0B137FE2D792459F26FF763CCE44574A5B5AB03

However, I noticed that the “blue part” of the encoded token (the signature) depends on what is entered in the “Verify Signature” box. If I enter the secret I found in the PHP code, the signature changes, but if I also enable the “secret base64 encoded” option, I get the exact signature of the original token!

So now I had the new token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ.VXuTKqw__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE
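What the jwt.io “secret base64 encoded” toggle actually does, as an added example that is not part of the original writeup: an HS256 signature is an HMAC over `header.payload`, and the HMAC key is the bytes of the secret. A server that base64-decodes its configured secret before calling the HMAC uses a different key than one that feeds the ASCII string in directly, so only the matching key form reproduces the signature. The secret below is a constructed placeholder (the box's real secret from the PHP source is not reproduced here); `PAGE_TOKEN` is the access cookie shown above, used only to decode its claims. The verifier also shows the check a server should make: reject anything whose header does not say HS256, so the algorithm cannot be swapped.

```python
"""HS256 JWT sign/verify in pure Python, illustrating the raw-vs-base64 key forms."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret, NOT the machine's real secret.
# It is the base64 encoding of the bytes b"placeholder-secret".
PLACEHOLDER_SECRET = "cGxhY2Vob2xkZXItc2VjcmV0"

# Access token exactly as it appears in the Set-Cookie header above.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ."
    "cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bytes(secret: str, secret_is_base64: bool) -> bytes:
    """Mirror the jwt.io toggle: use the secret's ASCII bytes, or base64-decode it first."""
    return b64url_decode(secret) if secret_is_base64 else secret.encode("utf-8")


def decode_claims(token: str) -> dict:
    """Read header and payload WITHOUT verifying (what the jwt.io left pane shows)."""
    header_b64, payload_b64, _sig = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def sign_hs256(payload: dict, secret: str, secret_is_base64: bool = False) -> str:
    """Build a compact HS256 JWT over the given claims."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key_bytes(secret, secret_is_base64), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: str, secret_is_base64: bool = False) -> bool:
    """Server-side check: pin the algorithm, recompute the MAC, compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    # Never trust the token's own 'alg' to pick the algorithm; 'none' or an RS/HS swap must fail.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(
        key_bytes(secret, secret_is_base64), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    print(decode_claims(PAGE_TOKEN))
    claims = {"project": "PlayBuff"}
    raw_key_token = sign_hs256(claims, PLACEHOLDER_SECRET, secret_is_base64=False)
    decoded_key_token = sign_hs256(claims, PLACEHOLDER_SECRET, secret_is_base64=True)
    print("same claims, different key form, different signature:", raw_key_token != decoded_key_token)
    print("decoded-key token verifies with raw key?", verify_hs256(decoded_key_token, PLACEHOLDER_SECRET, False))
```

The defensive takeaway is the last function: whichever key form the application uses, the secret must stay out of anything served to clients, and the verifier must pin the algorithm rather than read it from the token.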

Using the new token, I sent a GET request from Burp. The response revealed a new page:

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
