Written by

Share this post!


← ../

HackTheBox Unicode Writeup

February 13, 20222 min read


This challenge was incredibly simple yet fun to play around in. There were hints across each step along the way, however it took time to notice and trial and error.

Let's get started!



└──╼ #nmap -sS -sC -sV -A -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-13 18:34 EST
Nmap scan report for hackmedia.htb (
Host is up (0.027s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fd:a0:f7:93:9e:d3:cc:bd:c2:3c:7f:92:35:70:d7:77 (RSA)
|   256 8b:b6:98:2d:fa:00:e5:e2:9c:8f:af:0f:44:99:03:b1 (ECDSA)
|_  256 c9:89:27:3e:91:cb:51:27:6f:39:89:36:10:41:df:7c (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: 503
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
1   26.29 ms
2   26.30 ms hackmedia.htb (

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.42 seconds


└──╼ #gobuster fuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -b "404, 503, 200"
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Excluded Status codes:   200,404,503
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/02/13 18:42:24 Starting gobuster in fuzzing mode
Found: [Status=308] [Length=264]
Found: [Status=308] [Length=260]  
Found: [Status=308] [Length=264]
Found: [Status=308] [Length=258]   
Found: [Status=308] [Length=258]   
Progress: 11719 / 220561 (5.31%)                            ^C
[!] Keyboard interrupt detected, terminating.
2022/02/13 18:42:58 Finished


└──╼ #nikto -host
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:    hackmedia.htb
+ Target Port:        80
+ Start Time:         2022-02-13 19:15:21 (GMT-5)
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)



When checking the cookies, there was a JWT Token present which will probably be our vector.

There seems to be a value in the Header called jku. Upon further research this tells our website where our keys are held via the url.

When we open this site, we get these values.

    "keys": [
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs",
            "e": "AQAB"

While researching, I also fell upon this site which happened to be the way into the admin account.

Link: https://blog.pentesteracademy.com/hacking-jwt-tokens-jku-claim-misuse-2e732109ac1c

Using this, we can now change our n using the generated values.

    "keys": [
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "[Value]",
            "e": "AQAB"

We can also generate our token using the same methodology as the website.

We can input into the cookie and then login as admin.


When looking around the website, I noticed something weird with one of the urls.

We might be able to this as our way into the files. However, there was a problem. It wouldn't allow me to access the /etc/passwd file.

I linked the name of the box to this point here and figured it must be a Unicode Normalization Vulnerability. Meaning we must use unicode characters in replacement for . and /

Link: https://book.hacktricks.xyz/pentesting-web/unicode-normalization-vulnerability

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin sshd:x:112:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false code:x:1000:1000:,,,:/home/code:/bin/bash


We are now able to see all users on this server, but one in particular stood out. The user code seems to be a local user, which means the user.txt may lay here.

Using the same methodology, we may extract the user token using the url.


From here, we need to find a way to access the root directory. We are unable to access it using the url, like we did for the user flag.

There is only "oh-so-much" gobuster we can do, but with access to the files in the system, we can now check all sites in the webpage.

Navigating to /etc/nginx/sites-available/default, we are now able to see what we need.

There seems to be user passwords in the db.yaml file, also included with in the location /home/code/coder


mysql_host: "localhost" mysql_user: "code" mysql_password: "PASSWORD" mysql_db: "user"

Lets login.

Linpeas did not provide any useful vectors into our root. And our sudo exploits did not work either.

However, when sudo -l is run, we have access to a program called treport

Upon running we have access to the following commands.

[email protected]:~/coder$ sudo /usr/bin/treport 
1.Create Threat Report.
2.Read Threat Report.
3.Download A Threat Report.

Since we know that the root.txt will be in the /root directory, we can download the file from the network using File:///root/root.txt, giving us our flag.

We are done!

Published February 13, 2022, by ZyphenSVC.

If you enjoyed the post, consider sharing it!


Copyright © 2023 Sriaditya Vedantam. Site source on GitHub.