Blazorized Discussion Discussion [HTB] [HINTS]

Let’s discuss Blazorized

I’ll try to solve soon

Very interesting web framework. I decompiled DLLs and found the JWT Secret. Now I’ll use it to forge new admin tokens.

Os command injection is possible on the admin panel. Now looking a way to root.

logged into the user RSA_4810?

Yes, use BloodHound to enumerate the users. It will take about 2 minutes once you open BloodHound. I’ll write more hints soon. I am preparing them.

I have completed all the active ones :slight_smile:

Nice, and did you complete all challenges as well?

not yet, i have too many pwn, gamepwn and reversing left :laughing: and few other hard ones as well

It’d be great if you open a thread when you started a new challenge

Yeah sure, will do that

1 Like

Here are general hints for Blazorized

  1. Decompile .dll files on the webserver: Use tools like dnSpy to peek into .NET assemblies and find the JWT secret.

  2. Forge an admin token: Use the JWT secret to create a token with admin privileges and access the admin page.

  3. Access the admin page: Set the token in local storage and navigate to the admin page.

  4. Inject OS Command on the Admin Panel: Obtain a shell on the server and read the user flag.

  5. Escalate to RSA_4810: Use BloodHound to find escalation paths, then crack the krb5 hash to get the password.

  6. From RSA_4810 to SSA_601: Set the scriptPath of SSA_601 to a reverse shell script and execute it. Refer here if issues arise.

  7. From SSA_601 to root: Use BloodHound again to find escalation paths to root. It’s just one command away.