HTB Uni [web] Intergalactic Bounty
by hellooword - Sunday December 15, 2024 at 05:25 PM
#1
maybe i can trade this web (Intergalactic Bounty) for the first two web or any FullPwn

- direct message
#2
(Dec 15, 2024, 05:25 PM)hellooword Wrote: maybe i can trade this web (Intergalactic Bounty) for the first two web or any FullPwn

- direct message

Hey I can trade apolo or armaxis for the Intergalactic Bounty
#3
hello. i have Armaxis and Breaking Bank
#4
(Dec 15, 2024, 05:37 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 05:25 PM)hellooword Wrote: maybe i can trade this web (Intergalactic Bounty) for the first two web or any FullPwn

- direct message

Hey I can trade apolo or armaxis for the Intergalactic Bounty

send private message Intergalactic Bounty solution i can give both apolo and armaxis
#5
(Dec 15, 2024, 05:48 PM)Surfacing2325 Wrote: hello. i have Armaxis and Breaking Bank

Can you give me a hint for breaking bank ?
#6
(Dec 15, 2024, 05:53 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 05:48 PM)Surfacing2325 Wrote: hello. i have Armaxis and Breaking Bank

Can you give me a hint for breaking bank ?
yeep

For "Breaking Bank," here's a useful hint:
  • Focus on JWT verification: The server validates JWT tokens by fetching the JSON Web Key Set (JWKS) from a URL specified in the jku claim of the token header.
  • What to exploit:
    • There might be insufficient validation on the jku claim.
    • If you control the URL or can redirect the server to your JWKS file, you can craft a JWT signed with your private key.
  • Steps to think about:
    1. Forge a JWT with a jku header pointing to your server (hosting a JWKS file).
    2. Ensure the JWKS file contains the public key matching the private key you used to sign the JWT.
    3. Trick the server into using your JWKS file to validate the token.
    4. Access privileged endpoints or accounts (e.g., financial-controller@frontier-board.htb).

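The weakness this hint describes, seen from the verifying side, as an added example that is not part of the thread or the challenge's code: a host-only check accepts the redirect-style jku quoted later in the thread, while an exact-match allowlist plus a fetcher that refuses redirects rejects it. The JWKS path `/.well-known/jwks.json` and all function names are assumptions.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit

# Assumed value: the single JWKS URL this service publishes (not from the thread).
TRUSTED_JWKS_URLS = {"http://127.0.0.1:1337/.well-known/jwks.json"}


def jwt_header(token: str) -> dict:
    """Decode the (still unverified) JOSE header of a compact JWT."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def weak_jku_check(jku: str) -> bool:
    """Host-only check: any path on the trusted host is accepted."""
    return urlsplit(jku).netloc == "127.0.0.1:1337"


def strict_jku_check(jku: str) -> bool:
    """Exact match against the allowlist; query strings and other paths fail."""
    return jku in TRUSTED_JWKS_URLS


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make a 3xx answer raise HTTPError instead of being followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_jwks(jku: str) -> dict:
    """Fetch the key set only from an allowlisted URL, never via a redirect."""
    if not strict_jku_check(jku):
        raise ValueError(f"untrusted jku: {jku!r}")
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(jku, timeout=5) as resp:
        return json.load(resp)


def make_token(jku: str) -> str:
    """Constructed sample: header with the given jku, dummy payload/signature."""
    header = json.dumps({"alg": "RS256", "typ": "JWT", "jku": jku}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"
```

The jku value must be checked before any network request is made, and the signature verified only against keys from the allowlisted set.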
#7
(Dec 15, 2024, 06:04 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 05:53 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 05:48 PM)Surfacing2325 Wrote: hello. i have Armaxis and Breaking Bank

Can you give me a hint for breaking bank ?
yeep

Yes I tried to do something like jku: http://127.0.0.1:1337/analytics/redirect?url=webhook, where I had my own pub key. But I never saw a request in the webhook. Did you store the pub key somewhere else ?
#8
(Dec 15, 2024, 06:15 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 06:04 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 05:53 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 05:48 PM)Surfacing2325 Wrote: hello. i have Armaxis and Breaking Bank

Can you give me a hint for breaking bank ?
yeep

Yes I tried to do something like jku: http://127.0.0.1:1337/analytics/redirect?url=webhook, where I had my own pub key. But I never saw a request in the webhook. Did you store the pub key somewhere else ?

Write pm
#9
(Dec 15, 2024, 06:23 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 06:15 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 06:04 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 05:53 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 05:48 PM)Surfacing2325 Wrote: hello. i have Armaxis and Breaking Bank

Can you give me a hint for breaking bank ?
yeep

Yes I tried to do something like jku: http://127.0.0.1:1337/analytics/redirect?url=webhook, where I had my own pub key. But I never saw a request in the webhook. Did you store the pub key somewhere else ?

Write pm
I can't . You have disabled private messages. Can you pm me ?
#10
(Dec 15, 2024, 06:44 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 06:36 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 06:23 PM)Surfacing2325 Wrote:
(Dec 15, 2024, 06:15 PM)wintercaptainsoldier Wrote:
(Dec 15, 2024, 06:04 PM)Surfacing2325 Wrote: yeep

Yes I tried to do something like jku: http://127.0.0.1:1337/analytics/redirect?url=webhook, where I had my own pub key. But I never saw a request in the webhook. Did you store the pub key somewhere else ?

Write pm
I can't . You have disabled private messages. Can you pm me ?

im writing

can you pm me too?