Awkward

Awkward walkthrough

Scan Details.

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
|   256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two ports are open. Checking port 80, we are presented with a site, hat-valley.htb.

Burp Fuzzing

Checking the site out with Burp, we find a few directories to look into, notably hr and api.

Subdomain Fuzzing

Fuzzing for subdomains, we get one domain.

HR Directory

Accessing the /hr site, we are presented with a login screen.

Trying default creds doesn't work, so we check the cookie and see it's set to guest. Changing it to admin gives us access to the dashboard.

Checking out the leave request section, we identify a user named christine.

API Directory.

Checking the api directory in the Burp results, /api/staff-details seems interesting. Loading it up in Repeater and trying to access it with the cookie set to admin, we get a "jwt malformed" error. Setting the cookie to empty, it displays some staff credentials.
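
The behaviour seen above (an error for a malformed token but data for an empty cookie) is what a handler produces when it verifies the token only if one is present. The following is an added example, not code from the target application or from this walkthrough, showing that fail-open pattern next to a fail-closed handler. The secret, function names, claims layout and response bodies are assumptions constructed for illustration.

```javascript
// Added illustration: all names, the secret and the sample data are constructed.
const crypto = require('node:crypto');
const SECRET = 'constructed-demo-secret';
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue an HS256-signed token for the demo.
function signToken(claims) {
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${mac(body).toString('base64url')}`;
}

// Verify structure and signature; throws on any problem.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('jwt malformed');
  const given = Buffer.from(parts[2], 'base64url');
  const expected = mac(`${parts[0]}.${parts[1]}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}

// Fail-open: the token is only checked when one is present, so an empty
// cookie skips verification and still reaches the data.
function staffDetailsFailOpen(cookies) {
  if (cookies.token) {
    try { verifyToken(cookies.token); } catch (e) { return { status: 500, body: e.message }; }
  }
  return { status: 200, body: 'staff records' };
}

// Fail-closed: no valid signed token means no data, and the role comes from
// the verified claims rather than from a value the client can edit.
function staffDetailsHardened(cookies) {
  let claims;
  try { claims = verifyToken(cookies.token ?? ''); } catch { return { status: 401, body: 'unauthorized' }; }
  if (claims.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: 'staff records' };
}
```

The hardened handler rejects a missing, empty or unsigned cookie value with the same 401, so the response no longer distinguishes "no token" from "bad token".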
