Hack The Box Player (10.10.10.145) is a very hard Linux machine.
As always, I added the machine IP 10.10.10.145 to /etc/hosts as player.htb and began the nmap scan.
➜ player nmap -sTV -p 1-65535 -oN nmap-player player.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-13 21:43 +03
Nmap scan report for 10.10.10.145
Host is up (0.014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7
6686/tcp open tcpwrapped
Service Info: Host: player.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.42 seconds
The Nmap scan found 3 open ports: 22 (ssh), 80 (web server) and 6686 (unknown TCP port).
I opened player.htb in the browser to see what is running on port 80. There is a website, but it only shows a “forbidden” message.
So the next thing that came to mind was to look for subdomains or virtual hosts of the player.htb domain using wfuzz:
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.player.htb" -u http://player.htb -t 100
wfuzz returned 3 subdomain names:
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://player.htb/
Total requests: 19983
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000019: 200 86 L 229 W 5243 Ch "dev"
000000067: 200 63 L 180 W 1470 Ch "staging"
000000070: 200 259 L 714 W 9513 Ch "chat"
After finishing with wfuzz, I added the discovered vhosts to /etc/hosts along with player.htb as below:
10.10.10.145 player.htb dev.player.htb staging.player.htb chat.player.htb
After browsing through the discovered vHosts, I found the below websites running on them:
Let's enumerate them one by one, starting with dev.player.htb.
http://dev.player.htb/
The dev.player
http://staging.player.htb/
The staging.player.htb vhost has a web page showing a warning about ongoing development. There is a “contact core team” page, and any input there gives a 501 internal server error. However, before the error page is displayed, some untidy debug output is shown; I captured it here:
array(3) { [0]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(6) ["function"]=> string(1) "c" ["args"]=> array(1) { [0]=> &string(9) "Cleveland" } } [1]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(3) ["function"]=> string(1) "b" ["args"]=> array(1) { [0]=> &string(5) "Glenn" } } [2]=> array(4) { ["file"]=> string(28) "/var/www/staging/contact.php" ["line"]=> int(11) ["function"]=> string(1) "a" ["args"]=> array(1) { [0]=> &string(5) "Peter" } } } Database connection failed.
Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php
To find out what is going on behind the scenes I used Burp to capture that moment. Burp showed me that the page being referenced is http://staging.player.htb/contact.php.
⚡ root@ns09 ~/htb/player curl http://staging.player.htb/contact.php
array(3) {
[0]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(6)
["function"]=>
string(1) "c"
["args"]=>
array(1) {
[0]=>
&string(9) "Cleveland"
}
}
[1]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(3)
["function"]=>
string(1) "b"
["args"]=>
array(1) {
[0]=>
&string(5) "Glenn"
}
}
[2]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(11)
["function"]=>
string(1) "a"
["args"]=>
array(1) {
[0]=>
&string(5) "Peter"
}
}
}
Database connection failed.<html><br />Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php#
⚡ root@ns09 ~/htb/player
I noted down the following for future use:
Unknown variable user in /var/www/backup/service_config
fatal error in /var/www/staging/fix.php
http://chat.player.htb/
This page seems to be an internal chat page between the devs. An automated blank reply from a user named Vincent is sent back whatever I type in. I tried to intercept using
After reading messages in the chat, the following message caught my attention: They mentioned our staging exposing some sensitive files and main domain exposing source code which allowing them to access our product before release. Currently our team working on the fix.
http://player.htb/launcher/
In the Burp interception I saw that on this page a GET request is sent every 10 seconds to /launcher/dee8dc8a47256c64630d803a4c40786e.php and receives the response: Not released yet
The curl request of the above PHP is as below:
I also noticed that the response changes if I add an email address and click on send.
/launcher/dee8dc8a47256c64630d803a4c40786c.php
And the response is as below:
Set-Cookie: access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ.cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU
Looking at the above PHP code I understood that it uses JSON Web Tokens (JWT) to generate a token for login privileges.
So I went online to analyze the token using https://jwt.io/
So I have the decoded key using the JWT decoder online: C0B137FE2D792459F26FF763CCE44574A5B5AB03
However, I noticed that the “blue part” of the encoded token, the signature, depends on the “Verify Signature” section. If I add the secret I found in the PHP code, the signature changes, but if I enable the “secret base64 encoded” option I get the exact signature of the original token!
So now I got the new TOKEN:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ.VXuTKqw__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE
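The difference that the “secret base64 encoded” checkbox makes, as an added example that is not part of the original writeup: a minimal HS256 verifier that tries the secret both as raw bytes and as base64-decoded bytes, plus a decoder for the captured access cookie. The secret it uses is a constructed sample, since the real one from the PHP source is not shown on this page.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Token taken from the Set-Cookie header quoted above.
ACCESS_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ.cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU"
# Constructed sample secret (valid base64 of "SecretKey123"); it is NOT the machine's real secret.
SAMPLE_SECRET = "U2VjcmV0S2V5MTIz"

def b64url_decode(s: str) -> bytes:
    """JWT uses base64url without '=' padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read header and payload without checking the signature (what jwt.io displays)."""
    header, payload, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)), "payload": json.loads(b64url_decode(payload))}

def hs256_verify(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare; any alg other than HS256 is rejected."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def sign_with_secret(claims: dict, secret: str, secret_is_base64: bool) -> str:
    """Issue an HS256 token; the flag mirrors jwt.io's 'secret base64 encoded' checkbox."""
    key = base64.b64decode(secret) if secret_is_base64 else secret.encode()
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def which_key_verifies(token: str, secret: str):
    """Return 'raw' or 'base64-decoded' for the reading of the secret that signs the token, else None."""
    candidates = {"raw": secret.encode()}
    try:
        candidates["base64-decoded"] = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        pass  # not valid base64, so only the raw reading can apply
    for name, key in candidates.items():
        if hs256_verify(token, key):
            return name
```

Whichever reading the application used, the server-side consequence is the same: an HMAC secret that has been exposed in source code no longer proves anything about who issued a token and has to be rotated.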
Using the new token, I sent a GET request with Burp. The response revealed a new page: