# Awkward

#### Scan Details.

```
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
|   256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

```

Two ports are open. Checking port 80, we are presented with a site, hat-valley.htb.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FYk3ARHbhrGAfCAcs1IP2%2Fhat-valley.png?alt=media&#x26;token=4fa191c1-3260-4797-9b7c-a4312b28dda7" alt=""><figcaption></figcaption></figure>

#### Burp Fuzzing

Checking the site out with Burp, we find a few directories to look into, notably hr and api.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FVt7bAjdrlYaZIl0xx6VA%2Fdirs.png?alt=media&#x26;token=55b381fb-2f73-49ba-afa0-08d6eea59559" alt=""><figcaption></figcaption></figure>

#### Subdomain Fuzzing

Fuzzing for subdomains, we get one domain.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FDbdAxahQwb7ohmfFvXY3%2Fsubs.png?alt=media&#x26;token=35fca7d8-7b09-4e30-85e0-e70c873bbc03" alt=""><figcaption></figcaption></figure>

#### HR Directory

Accessing the /hr site, we are presented with a login screen.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2F0xJOfrg9fRCnKErp3Dzb%2Flogin.png?alt=media&#x26;token=4b08ef8f-6416-4172-83f3-d276d08cf201" alt=""><figcaption></figcaption></figure>

Trying default creds doesn't work, so checking the cookie, we see it's set to guest. Manipulating it to admin, we get access to the dashboard.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FZpVPjwFitcoCJj6WAX0b%2Fdash.png?alt=media&#x26;token=a70458ab-58f7-4a1d-9ba5-43aae9603833" alt=""><figcaption></figcaption></figure>

Checking out the leave request section, we identify a user named christine.

#### API Directory.

Checking the api directory from the Burp results, /api/staff-details seems interesting. Loading it in Repeater and trying to access it with the cookie set to admin, we get a "jwt malformed" error. Setting the cookie to empty, it displays some staff credentials.
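
Both findings above (a client-set cookie value accepted as the role, and an API route that returns data once the cookie is emptied) are consistent with an authorization check that fails open. The following is an added example, not the application's actual code: a hypothetical handler that only validates a token when one is present, beside a fail-closed version. The cookie name `token`, the secret, the status codes and the staff record are assumptions constructed for illustration.

```javascript
// Added example: hypothetical handlers, not the target application's code.
const crypto = require("crypto");

const SECRET = "constructed-demo-secret"; // constructed value
const b64u = (x) => Buffer.from(x).toString("base64url");

// Minimal HS256 signer/verifier so the example runs without third-party packages.
function sign(payload) {
  const body = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64u(JSON.stringify(payload));
  return body + "." + crypto.createHmac("sha256", SECRET).update(body).digest("base64url");
}

function verify(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("jwt malformed");
  const expected = crypto.createHmac("sha256", SECRET).update(parts[0] + "." + parts[1]).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("invalid signature");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString());
}

const STAFF = [{ username: "constructed.user", role: "staff" }]; // constructed data

// Flawed pattern: the token is only checked when one is supplied, so an
// empty cookie skips verification entirely and the data is returned.
function staffDetailsFlawed(cookies) {
  if (cookies.token) {
    try { verify(cookies.token); } catch (e) { return { status: 500, body: e.message }; }
  }
  return { status: 200, body: STAFF };
}

// Hardened pattern: fail closed. A missing, malformed or forged token is
// rejected, and the role comes from the verified claims, never from the client.
function staffDetailsHardened(cookies) {
  let claims;
  try { claims = verify(cookies.token || ""); } catch (e) { return { status: 401, body: "unauthorized" }; }
  if (claims.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: STAFF };
}
```

The same fail-closed rule applies to the /hr dashboard: the role has to come from a server-verified token or session, not from a plain cookie value the browser can rewrite.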


