Luke

Thanks @DrDrizzyT for the nudge without giving too much away. I understand why everyone was so let down by root… there could have been a few ways to make that more interesting, but learning curl for JSON web tokens was worth putting in the effort.

Some hints:

  1. Yes, do a heap of enumeration. I have already learnt this from ippsec videos, as I have watched a LOT of his videos, so this part was easy for me. I found all the directories and files on the first try using the correct extensions, which I run every time I hop onto a box. Dirbuster will find this for you straight away, or you can use Gobuster and change the status codes. The best thing about Dirbuster, though, is that it is recursive.

  2. Once you have creds: same as the majority of boxes, just because you have found a username and a password doesn’t mean that these two match on every part of the machine. I have found on multiple boxes that USERS are interchangeable. A common error by users in real life.

  3. Yes, read the Medium article on curl and JWT. There are a couple of decent hints already on this thread, but sometimes some extra commands are not needed. It is not always best to copy word for word what is in an article. The main parts are normally correct, but the add-ons sometimes aren’t really needed for the specific machine you are working on (especially if you don’t know what they are doing). Take this into consideration.

  4. If you have done everything successfully so far, especially with enumeration, you should know where this newly acquired token is to be used. Once you receive this first list, and then receive your first creds, have a look at your link again and then have a think. Things should fall into place.

  5. You should know what to do at this point! Quite an easy path from here.

If this is too much of a spoiler, I apologise. I tried to keep it cryptic enough with the little pointers that would have helped me throughout.