This exercise can be found on PentesterLab Pro, underneath JSON Web Token.

Before we can begin exploiting JSON Web Token (JWT) authentication, we have to understand how it behaves. Now this vulnerability was discovered in 2015 and has since evolved over the years. This exploit works because of the design flaw in how the signature and header interact. In order to sign the header, you need the header to verify the signature, but at the same time you also need the signature to verify the header. If an attacker receives as JWT where the header is not signed, it allows the attacker to alter both the header and the algorithm for the signature and the server will still verify the signature, this is possible because JWT supports an option to have the algorithm as None within a signature. This can allow an attacker to alter the token to give a user administrative access to a particular website. Now given, this vulnerability can now be prevented by disabling the None option within the signature.

 To begin the exploitation, first you have to access the website.

After clicking on the Register tab in the navigation bar we can insert in a username and password. I personally chose user1 and letmein. The reason we have to do this is that right now, we don't have a user's cookie, after we create a user, we can then intercept the cookie and decode it to figure out the format.

I personally used the tool Burpsuite Community Edition to proxy the traffic coming from the browser, that way I could grab and modify the requests. Below we see a request being sent from our computer to the web-server.

After the user was successfully registered we were forwarded to the welcome site. Within the request in the Cookie: category next to auth= we can see the header and signature separated by periods. Now this cookie is encoded in base64, which we can decode in the Decoder tab of Burpsuite.

After pasting the cookie into the Decoder tab, we then have to decode, in base64, the parts separated by the periods. We can do this by highlighting which parts to decode per segment. After we decode we can then change "HS256" to "None" and "user1" to "admin" and delete everything following the last period. This changes the signature algorithm from HS256 to None, our logged in user from user1 to admin, and deletes the string signature. After this we have then have to encode in base64 both sections. Once again, remember to keep the parts separated. 

From here, we can go back to the Proxy tab and send the request that contained the cookie to Repeater. We can then send several requests using Repeater and the original cookie just to see the Response from the web-server. After doing this, we can then delete the cookie and paste our own that we re-encoded.

 After sending the request, we notice that the login was successful, as we were able to login as an admin! We can then go back to the website, refresh the page, change the cookie in the Proxy tab request to the one of the admin and below the following page should display.

If you've reached this page then congratulations, you've successfully exploited JWT!

Now, this is of course only works if you have physical access to the computer and a re-installation or repair disc of preferably Windows 10. 

First you must create a bootable USB of the Windows ISO, which can be done here: Rufus Download

After the repair bootable has been created, boot from the USB and arrive at the Windows set up screen. From here, you will press the shift+F10 to open up the command prompt. This prompt has administrative privileges and will allow you to access the files in the already installed Windows OS. 
Note: Please make sure that UEFI secure boot is disabled, if needed please change the boot sequence.


Now from here, you have to find the drive letter of the installed OS, normally it remains the C: drive, but every once in a while this changes. You can use the dir command to search through each letter and see if the directory displays. However, you can also use the diskpart utility with the command list volume to get a sense of the volumes and the letters attached.

X:\Sources> dir a:

or

X:\Sources>diskpart

DISKPART> list volume


After you find the operating system, you then want to copy over the sticky keys file as a backup, then replace the sticky keys file in System32 with the command prompt, this will allow you to access the command prompt from the login screen. This can be done with the two following commands:

X:\Sources > copy c:\windows\system32\sethc.exe c:\
X:\Sources > copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

From here, you can exit out of the command prompt and Windows Setup to cancel the installation.
Now, in Windows 10 version 1803, a patch was released that removed accessing sticky keys from the login screen, however if you press "Forgot Password" and press the shift key five times, the sticky keys prompt will display, but because we replaced sticky keys with the command prompt, we should now be greeted with an Administrator privileged command prompt.

From here you can add an account as an administrator or change the password of an existing one. Below are the commands to both change the password and create an administrator.

To create an administrator account:

C:\Windows\System32 > net user [ new username] [new password]

C:\Windows\System32 > net localgroup administrators /add [new username]

To change the password of an existing account:

C:\Windows\System32 > net user [old username] [new password]

Hopefully the process was successful. After logging in, we now have to undo what we just did. 
​The best way to revert the changes is through the re-installation USB. 

After you have booted the USB and gotten the command prompt again, all of the changes can be undone through the following two commands:

X:\Sources > copy /y c:\sethc.exe c:\windows\system32\sethc.exe
X:\Sources > del c:\sethc.exe

Success! Hopefully everything has worked properly, now I must add that sometimes this method does not work because sticky keys has been disabled on the installed operating system, if that is the case then this process will fail.

Some underground hackers are developing a new command and control server. Can you break in and see what they are up to?
​
Now please note that every time you start the instance to attempt to CTF it gives you a new port and probably will give a different flag as well. In the spirit of Hack The Box, please do not read this until you have attempted the challenge, thanks!

After accessing the IP address provided by Hack The Box, the first thing I decided to do was send an SQL injection attack on the username and password login. The injection was: 'or'1'='1

This brought me to this screen, to which I noticed the URL change. I decided to test and see if this URL was vulnerable to injections as well and thankfully it is!

From here, I decided to type in flag for the info=' ', in the hopes that I would get lucky.

And low and behold I got lucky! The flag is HTB{Map_Th3_Pl4n3t}, congratulations!

What you will need: Windows 10 or Kali Linux, Burpsuite

Now please note that every time you start the instance to attempt to CTF it gives you a new port and probably will give a different flag as well. In the spirit of Hack The Box, please do not read this until you have attempted the challenge, thanks!

The first thing I did was set up a proxy on my Firefox browser to automatically redirect to the Burpsuite application. From here, I went to the IP address and port number provided by Hack The Box and received this interception in the Proxy tab. After examining it, I didn't find anything special. I then forwarded all of the traffic and then decided to inspect the website itself. 

After examining the webpage's surface, I didn't find anything that showed an immediate vulnerability. I even tried manual XSS attacks and SQL injections in the password submission box, but it didn't get me anywhere, so I turned back to Burpsuite.

I then began to examine the Target tab and realized that a POST and GET message is sent with every request. I didn't quite understand what this meant though at the time, so I decided to send the Raw data to Repeater, in the hopes of examining the data more thoroughly. 

After sending the request to Repeater, I realized that the password submission is sending POST requests and that the cookies are not changing, meaning that I could possibly send as many requests as I pleased. So my next thought was to just brute force the password. I decided to use the following password list, as it contains the top 10,000 most common passwords of 2017.
Side note: I did edit the password list, placing some passwords higher than others and some lower than others in accordance to what I thought would get me the fastest results.

From here, I sent the request to Burpsuite's Intruder functionality and because we don't need to edit the cookies, I changed the attack to only target the password.

 Next, I uploaded the password list  in the Payloads tab under the Payload Options and then began the attack.
Now please note that if you do not have Burpsuite Pro, it will throttle the requests made thus slowing it down dramatically.

After waiting for quite some time, as I do not have Burpsuite Pro, I realized that the Status and Length for each request seemed exactly the same, so I kept my eye out for any abnormal activity.  Finally, the payload leonardo was the change, with an extended Length.

Finally, it turns out that the password was not just leonardo, but that the response from the noooooooope.html webpage actually contained the flag HTB{l1k3_4_b0s5_s0n}! 

Now to keep true to the HackTheBox spirit, I must ask that you only read this WalkThrough after to compare notes. But regardless of your stance, here is my method.
Utilities needed: Kali VM, web browser, internet access, luck

The first thing I did was access the website: https://hackthebox.eu/invite and press F12 (if you are using Chrome) to bring up the developer tools. From here if we scroll down a bit we notice the script https://www.hackthebox.eu/js/htb-fronted.min.js and right below that is /js/inviteapi.min.js. Curious I decided to type this extension, so the link looked like this:
https://www.hackthebox.eu/js/inviteapi.min.js

That link takes us directly to here and this is where I got a bit lost. At first it didn't make much sense to me until I thought about functions. And my thought process was that the words between | must be functions.

That link takes us to this page and this is where I got a bit lost. At first it didn't make much sense to me until I thought about functions. And my thought process was simple, the words between | must be functions.

I decided to test this theory with the verifyInviteCode, because if I can just verify myself, I would not have to grab any type of code. However, knowing that if console finds an available function it will tab-complete, I soon realized that verifyInviteCode was not going to work.

So instead I tried the makeInviteCode function and two options arose, makeInviteCode and makeInviteCode().

I went back to the website: https://hackthebox.eu/invite and tried out both, the first one gave me an error, but it did drop a hint letting me know that the second one does exist.

After running the function, it then appears that a string of data appears that is encoded in Base64, thankfully I know of a website that can help.

After copying the message and decoding it, I realize that I have to access another link.
From here I realize that I need to send a POST request to the following link:
https://hackthebox.eu/api/invite/generate  in order to advance, so I find this webpage that sends POST requests to help test websites.

And success! The response, encoded in Base64, I paste it into the website we used earlier and receive the invite code.

However, this process sadly fails. And the reason why is because the API that HackTheBox uses to generate the invite codes are unique to your IP address, meaning that sharing codes is not an option. I minor security tactic, but one I think is necessary.

To overcome this we can quickly send a POST packet using the wget tool in Kali Linux, from here the code is received once again.

And after decoding the Base64 string, we arrive at our invite screen once again.

Success! We can now sign up and use HackTheBox.

You have sniffed out a wireless network stream. Can you determine the encryption key used and identify any sensitive data?

The first thing I notice is that it is a *.pcapng file extension, which I have never worked with. So I begin to do a bit of research and discover that it stands for pcap Next Generation. Now normally I wouldn't care too much, but after I tried to attack the file I received this error:

After doing some more research I discover a tool called editcap that whenever using the libpcap library allows you to convert *.pcapng file types back to *.pcap. After I converted the file, aircrack-ng was happy to begin the PTW attack and below is the deciphered key: [DE:AD:BE:EF:01]

Next, I began to decrypt the WEP packets with airdecap-ng.

I then opened up the file, set the expression to follow the TCP stream and low and behold the username and password were displayed!

<?php
include 'config.php';
echo "<html><title>Password Recovery</title></html>";
if(isset($_GET['name']) && $_GET['name']!='' && !preg_match('/and|or/i',$_GET['name'])) {
$res = mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");
#echo "SELECT name,email FROM user where name='".$_GET['name']."'";
if(mysql_fetch_object($res)) {
// Generation of new password
//<topsecure content>
// removed in phps file :)
//</topsecure content>
die("A new password was generated and sent to your email address!");
} else {
$res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");
if(mysql_fetch_object($res)) {
echo "We couldn't find your username, but it sounds like this user:<br>";
} else {
$name = $_GET['name'];
$name = str_replace('on','',$name);
$name =  str_replace('On','',$name);
$name = str_replace('ON','',$name);
$name = str_replace('oN','',$name);
$name = str_replace('<script','',$name);
die("We couldn't find your username!<br>Are you sure it is $name?");
}
        $res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");
#echo "SELECT name,email FROM user where name sounds like '".$_GET['name']."'";
while($row = mysql_fetch_object($res)) {
  echo $row->name;
  echo "<br>";
}
}
} else {
echo "Dear users,<br>We had a security breach! Please use this site to generate your new password.<br><br><br>";
echo '<form action="#" method="get">Please enter your username: <br><input type="text" name="name"><br><input type="submit" name="submit" value="submit"></form>';
echo '<!-- .phps?-->';
}
?>

After analyzing the code and doing some research it appears that this code is vulnerable to SQL injections, specifically with the lines:
($_GET['name']) and
mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");.

This arises because the code itself does not filter any inputs and instead trusts that the requests sent are valid. After doing more in-depth research I discovered that the statement mysql_query() and ($_GET['name']) whenever used together are usually vulnerable, and should instead be replaced by using prepared statements and parameterized queries. Instead you should use prepare('SELECT ...'); and execute(array('name' => $name)); or prepare('SELECT ...'); and bind_param('variable_type', $name);. This allows for a speed boost if the statement is executed more than once in a session as it will only be compiled once.

To begin, the first thing we should do is analyze the code, now I am not a PHP developer, but my background knowledge of programming tells me that this script includes an input method, because it is asking for a value. So this tells me that the exploit will probably have to do with something related to the filter of the input, more than likely with the line:
strtoupper(htmlspechars($NAME)).
After doing some research, I find out that, whenever using htmlspechars(), it should encode HTML-significant characters, but in this function it does not contain the ENT_QUOTES flag, which will encode single or double quotes, so we should be able to exploit it, if done correctly.
Personally, I find the best way to exploit code is to see what it does visually. So for starters, we should create a mock server on our Kali Linux machine and run the script, that way we can test our theory. To create a mock server in Kali is fairly easy, as long as you have PHP 5.5 or newer. For starters, you should begin by creating the directory public_html in the root directory, create a file inside of the newly created directory called ctf.php, paste the code into the file, then run the command: php -S localhost:8000. Then go to your web browser, type in the url: http://localhost:8000/ctf.php.
From here, the following should display.

 The next major thing to realize is the strtoupper() method, now this causes trouble because the script we would normally run to test a XSS injection is: <script>alert(1)</script>, however after the input is placed through this method it caplizatlizes alert(1), making it invalid.
Therefore, we need a way to convert Javascript code to where it does not matter on capitalization and symbols such as <,>, or / are not used.

Now at first I tried to use hexadecimal and decided to use a mouse event, because they work whenever capitalized. I then converted the text: alert(1) to
' onmouseover='%61%2b%6c%2b%65%2b%72%2b%74%2b%28%2b%31%2b%29, but this did not work. So I thought that I must be missing something, and while researching I discovered JSFuck, which only uses six different characters!

So I tried JSFuck by only converting alert(1) to:
' onmouseover='[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

And in a complete surprise, it works, all you have to do is move your mouse across the input box!

​Notes:

• Make sure to remove the CD drive after installing the operating system and booting successfully, as not doing this will prompt to ask to re-install.
• Run the command, as this will install the latest updates:

                 $ sudo apt-get update && sudo apt-get upgrade