Awkward - HTB [Discussion]
(October 22, 2022, 08:30 PM)jahman Wrote: Hello,

The secret key of the cookie JWT can be cracked: 123beany123


where did u find JWT token?
Reply
Just log in to the app with the cristohper creds
Reply
(October 22, 2022, 08:30 PM)jahman Wrote: Hello,

The secret key of the cookie JWT can be cracked: 123beany123


how did you crack the jwt ?
Reply
(October 22, 2022, 08:39 PM)keeb Wrote:
(October 22, 2022, 08:30 PM)jahman Wrote: Hello,

The secret key of the cookie JWT can be cracked: 123beany123


how did you crack the jwt ?


use jwt2john
Reply
(October 22, 2022, 07:43 PM)crash2overload Wrote:
(October 22, 2022, 07:39 PM)dumpsterX0 Wrote: tryin to bruteforce the store basic auth with workers name.


Does it work for you?


not work :'v
Reply
tampering with the leave request form. it takes JSON input so maybe some kind of deserialization if we know the backend.
Reply
(October 22, 2022, 08:57 PM)sam123 Wrote: tampering with the leave request form. it takes JSON input so maybe some kind of deserialization if we know the backend.


yeah maybe
Reply
(October 22, 2022, 07:56 PM)br4v0ch4rl33 Wrote: /hr cookie 'guest' can be changed to anything to get access to dashboard


the fact that we can change it to anything and it still works is probably proof that jwt token impersonation might be a rabbit hole
Reply
(October 22, 2022, 09:16 PM)sam123 Wrote:
(October 22, 2022, 07:56 PM)br4v0ch4rl33 Wrote: /hr cookie 'guest' can be changed to anything to get access to dashboard


the fact that we can change it to anything and it still works is probably proof that jwt token impersonation might be a rabbit hole


^
Reply
There is an SSRF that leaks source code http://hat-valley.htb/api/store-status?url=%22http://localhost:3002/%22
Need to abuse the Exec function (command injection)
Reply

