Hack The Box Moncton Meetup #8.
TheNotebook is a medium difficulty Linux box on HTB that was released on March 6th, 2021. The initial attack vector is a JSON Web Token (JWT) vulnerability: the application handles key signing insecurely, which allows the attacker to sign the token with their own key pair and gain admin access to the web interface. This vulnerability is exploited using the JWT.io site and Burp, a web proxy.
The skills required to complete this walkthrough include the ability to work with Base64, knowledge of JSON Web Tokens, minimal PHP knowledge, Linux enumeration, and an understanding of Docker. The tools needed are nmap, OpenSSL, a web proxy such as ZAP or Burp, and the Google search engine.
The first step in enumerating the box is a quick nmap scan to reveal the open ports on the target machine. The scan finds three ports: one is filtered, and the other two are SSH and HTTP. Since SSH is usually the more secure of the two, the focus is on the HTTP server.
Upon accessing the webpage, the attacker is greeted with The Notebook application and registers an account. An interesting cookie is set after the login process, which turns out to be a JWT. Further investigation reveals that the cookie is used for authentication and is never set to expire. This gives the attacker an opportunity to control what is passed in the cookie and exploit the vulnerability.
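The two weaknesses described above, a verifier that lets the token decide which key signs it and a cookie with no expiry, are both fixed on the server side. The following is an added example, not code from the box or from the walkthrough, of a JWT verifier that resolves the header's `kid` only against its own key table and requires `exp`; it assumes HMAC secrets stand in for the box's key pair, and all names and keys are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key set (assumption: HMAC keys stand in for the box's key
# pair). The verifier owns this table; a token's "kid" may only select an
# entry here, never supply key material or a location to fetch it from.
SERVER_KEYS = {"notebook-2021-03": b"constructed-demo-secret-do-not-reuse"}
EXPECTED_ALG = "HS256"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(payload: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 token; used here only to build inputs for the verifier."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Return the payload if the token is trustworthy, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm; never let the token choose it.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    # 2. Resolve kid against the server's own table only (no URLs, no paths).
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in SERVER_KEYS:
        raise ValueError("unknown kid")
    expected = hmac.new(SERVER_KEYS[kid], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # 3. Require an expiry; a never-expiring cookie is a permanent credential.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    return payload
```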