Let’s discuss Blazorized
I’ll try to solve soon
Very interesting web framework. I decompiled DLLs and found the JWT Secret. Now I’ll use it to forge new admin tokens.
Os command injection is possible on the admin panel. Now looking a way to root.
logged into the user RSA_4810?
Yes, use BloodHound to enumerate the users. It will take about 2 minutes once you open BloodHound. I’ll write more hints soon. I am preparing them.
I have completed all the active ones
Nice, and did you complete all challenges as well?
not yet, i have too many pwn, gamepwn and reversing left and few other hard ones as well
It’d be great if you open a thread when you started a new challenge
Yeah sure, will do that
Here are general hints for Blazorized
-
Decompile .dll files on the webserver: Use tools like dnSpy to peek into .NET assemblies and find the JWT secret.
-
Forge an admin token: Use the JWT secret to create a token with admin privileges and access the admin page.
-
Access the admin page: Set the token in local storage and navigate to the admin page.
-
Inject OS Command on the Admin Panel: Obtain a shell on the server and read the user flag.
-
Escalate to RSA_4810: Use BloodHound to find escalation paths, then crack the krb5 hash to get the password.
-
From RSA_4810 to SSA_601: Set the scriptPath of
SSA_601
to a reverse shell script and execute it. Refer here if issues arise. -
From SSA_601 to root: Use BloodHound again to find escalation paths to root. It’s just one command away.