# Awkward

#### Scan Details.

```
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
|   256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

```

Two ports are open. Checking port 80, we are presented with a site, hat-valley.htb.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FYk3ARHbhrGAfCAcs1IP2%2Fhat-valley.png?alt=media&#x26;token=4fa191c1-3260-4797-9b7c-a4312b28dda7" alt=""><figcaption></figcaption></figure>

#### Burp Fuzzing

Checking the site out with Burp, we find a few directories to look into, notably hr and api.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FVt7bAjdrlYaZIl0xx6VA%2Fdirs.png?alt=media&#x26;token=55b381fb-2f73-49ba-afa0-08d6eea59559" alt=""><figcaption></figcaption></figure>

#### Subdomain Fuzzing

Fuzzing for subdomains, we find one.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FDbdAxahQwb7ohmfFvXY3%2Fsubs.png?alt=media&#x26;token=35fca7d8-7b09-4e30-85e0-e70c873bbc03" alt=""><figcaption></figcaption></figure>

#### HR Directory

Accessing the /hr site we are presented with a login screen.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2F0xJOfrg9fRCnKErp3Dzb%2Flogin.png?alt=media&#x26;token=4b08ef8f-6416-4172-83f3-d276d08cf201" alt=""><figcaption></figcaption></figure>

Trying default creds doesn't work, so we check the cookie and see it is set to guest; changing it to admin gives us access to the dashboard.

<figure><img src="https://2448159634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ3qjCoK8e9KxZEgUXr4K%2Fuploads%2FZpVPjwFitcoCJj6WAX0b%2Fdash.png?alt=media&#x26;token=a70458ab-58f7-4a1d-9ba5-43aae9603833" alt=""><figcaption></figcaption></figure>

Checking out the leave request section, we identify a user named christine.

#### API Directory.

Checking the api directory from the Burp results, /api/staff-details seems interesting. Loading it up in Repeater and trying to access it with the cookie set to admin, we get a "jwt malformed" error; setting the cookie to empty, it displays some staff credentials.
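Both findings above (the dashboard trusting a literal `guest`/`admin` cookie value, and the API skipping its JWT check when the cookie is empty) are the same bug class: authorization that fails open. The following is an added illustration, not code from the box or the write-up, contrasting a check that behaves the way the target did with one that fails closed; the `token` cookie name, the HMAC-signed token format and the secret are assumptions standing in for the real JWT.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"replace-with-server-side-secret"  # assumed placeholder, never ship this


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(role: str) -> str:
    """Issue an HMAC-signed role token (a minimal stand-in for a JWT)."""
    body = _b64(json.dumps({"role": role}).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def vulnerable_is_admin(cookies: dict) -> bool:
    """Behaviour observed in the write-up: the literal cookie value is
    trusted as the role, and an empty cookie means 'nothing to verify'."""
    token = cookies.get("token")
    if not token:
        return True             # fails open: missing token grants access
    return token == "admin"     # client-chosen string decides the role


def hardened_is_admin(cookies: dict) -> bool:
    """Fail closed: missing, malformed or badly signed tokens are denied,
    and the role is read only from the verified payload."""
    token = cookies.get("token")
    if not token or token.count(".") != 1:
        return False
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False            # signature check runs before any parsing
    try:
        padded = body + "=" * (-len(body) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:          # binascii.Error and bad JSON both land here
        return False
    return isinstance(payload, dict) and payload.get("role") == "admin"
```

The hardened check also refuses a token whose body was edited after signing, which is the defence the literal-role cookie lacked.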
