HackTheBox - Awkward

IppSec · Beginner ·🔧 Backend Engineering ·3y ago

Key Takeaways

Solves HackTheBox's Awkward challenge using nmap, FFUF, and JWT error exploitation

Original Description

00:00 - Introduction 01:00 - Start of nmap 02:00 - Taking a look at the web page, finding users on the site, and using FFUF to VHost Enumeration due to talking about a store 04:25 - Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue 07:55 - Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API 11:50 - An JWT error message is displayed when accessing some API Pages, removing the token and bypassing authentication 13:10 - Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability 15:40 - Extracting all users from the page and then using curl to save the hashes to a file. Use CrackStation to crack hashes and get a cred 21:20 - Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF 23:45 - Using FFUF to fuzz for all possible ports and using a bash trick to create a wordlist based upon a range of numbers without creating a file 29:40 - Discovering some API Documentation on a page on port 3002 31:10 - The API all-leave page uses awk, and we can abuse this binary to perform a file disclosure vulnerability if we can poison user names. 33:40 - Using hashcat to crack our JWT 35:30 - Creating a python script to generate JWT's which allow us to exploit awk and exfil files off the server 42:00 - Python script completed, leaking some files and discovering a unique file in a users .bashrc 48:00 - Having trouble exporting the backup file, and modifying our script to write binary files which allow us to download the tar.gz backup 54:00 - Discovering bean's credentials in his xpad directory and logging in 56:20 - Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data 59:40 - Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without an
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related Reads

📰
Dev Log: 2026-07-01
Extract a theme-class seam from Livewire tables package to improve Blades functionality
Dev.to · Nasrul Hazim Bin Mohamad
📰
I built a native Android app in an afternoon, and I've never written a line of Kotlin
Learn how to build a native Android app without prior Kotlin knowledge, leveraging modern tools and frameworks to streamline development
Dev.to · Tilde A. Thurium
📰
Vibe Coding Is Real Now — Here’s How to Do It Without Wrecking Your Codebase
Learn how to apply vibe coding effectively to speed up feature development without compromising code quality, and why discipline is key to its success
Medium · Programming
📰
How to build your first MCP server in 10 minutes
Learn to build a Minecraft server using MCP in under 10 minutes for a seamless gaming experience
Dev.to · GrahamduesCN

Chapters (19)

Introduction
1:00 Start of nmap
2:00 Taking a look at the web page, finding users on the site, and using FFUF to VH
4:25 Fingerprinting the websites, dev looks to be PHP and the main page appears to
7:55 Exploring the vue app in Firefox Dev Tools, discovering some routes in the web
11:50 An JWT error message is displayed when accessing some API Pages, removing the
13:10 Explaining why the web application skips authentication when a cookie is not p
15:40 Extracting all users from the page and then using curl to save the hashes to a
21:20 Logged in as Christopher.Jones, checking the Online Store Status link which is
23:45 Using FFUF to fuzz for all possible ports and using a bash trick to create a w
29:40 Discovering some API Documentation on a page on port 3002
31:10 The API all-leave page uses awk, and we can abuse this binary to perform a fil
33:40 Using hashcat to crack our JWT
35:30 Creating a python script to generate JWT's which allow us to exploit awk and e
42:00 Python script completed, leaking some files and discovering a unique file in a
48:00 Having trouble exporting the backup file, and modifying our script to write bi
54:00 Discovering bean's credentials in his xpad directory and logging in
56:20 Running a process list on the box shows inotify is watching an interesting fil
59:40 Looking for system() calls in the PHP app and discovering a sed command. We ca
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →