HackTheBox Writeup — Json

Hello guys, I am Faisal Husaini. My username on HTB is "kNgF". Also join me on Discord.

The IP of this box is 10.10.10.158

Running masscan on it, we get:

masscan -p1-65535,U:1-65535 10.10.10.158 --rate=1000 -e tun0

Running Nmap against the target, a lot of open ports were discovered.

Moving onto the web part first, we are returned with a login page; we try the default admin:admin creds.

We got logged in successfully and a dashboard appears. Intercepting the request for this in Burp:

We see that we get JSON in the response. Also, looking at the request, we notice that the Bearer header and the Cookie value are the same Base64-encoded string. When we decode it:

The decoded string is exactly the same JSON that we saw in the response of the request we made.

We try changing the value of Id from 1 to 2, Base64-encode it again, put it in the Bearer header of the request and then look at the response.

Checking the response, we see that it also changed along with the JSON value we edited in the Base64-encoded string, so the server is deserializing whatever we put in the token: insecure deserialization. From the response we also see that the system is running ASP.NET, from the X-Powered-By header.
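Why that edit was accepted, shown as an added illustration rather than the box's own code: the session state is client-side Base64 JSON with nothing binding it to the server, so any field can be rewritten. The weak pattern sits beside a signed one in Python (chosen for illustration; the box itself runs ASP.NET, and the key is a placeholder):

```python
import base64
import binascii
import hashlib
import hmac
import json

# Placeholder server-side key; the real application's secret is not on the page.
SECRET_KEY = b"replace-with-a-random-32-byte-key"


def encode_unsigned(claims: dict) -> str:
    """Weak pattern seen on the box: the session is just base64(JSON)."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def decode_unsigned(token: str) -> dict:
    """Weak pattern: the server trusts every field the client sent."""
    return json.loads(base64.b64decode(token))


def encode_signed(claims: dict) -> str:
    """Hardened pattern: body.HMAC-SHA256(body), so any edit is detectable."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def decode_signed(token: str):
    """Returns the claims dict, or None if the token is malformed or tampered."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    # Accept only flat data: no nested objects or type names for a deserializer to act on.
    if not isinstance(claims, dict) or not all(isinstance(v, (int, str)) for v in claims.values()):
        return None
    return claims


def tamper_id(token: str, new_id: int) -> str:
    """Replays the edit from the writeup: decode the body, change Id, re-encode, keep any tag."""
    body_b64, sep, tag_b64 = token.partition(".")
    claims = json.loads(base64.b64decode(body_b64))
    claims["Id"] = new_id
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(body).decode() + sep + tag_b64
```

With the unsigned token the edited Id is accepted; with the signed one the same edit is rejected because the tag no longer matches.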

So we use a tool named ysoserial.net for getting RCE, which I downloaded from GitHub; I will post the link at the end of this writeup.

Here we first try to get a ping back to our local machine, so we copy the Base64-encoded payload string, put it in the Bearer header and then send the request.

We see that we got an error, but looking back at tcpdump, the ping came back successfully, so we now move on to getting a reverse shell.

We will use a PowerShell script from Nishang named Invoke-PowerShellTcp.ps1. We get the Base64-encoded string for our reverse shell, which will first fetch the PowerShell script from our local machine and then run it through PowerShell, giving us our reverse shell.

We do the same as before, making a new request with our payload and hitting Go. As soon as we hit Go, we check whether our script was fetched, and we see that it was. Moving on to our netcat listener:

The reverse shell came back successfully. Now we move on to getting the user flag, which is usually located under the Desktop folder of the user.

Moving onto the privesc part, we run the whoami /priv command and see that SeImpersonatePrivilege is enabled, so we can try the JuicyPotato method for privilege escalation here.

So I downloaded the JuicyPotato executable, uploaded it to the remote box and checked the usage. Before that, we also create a .bat file that JuicyPotato will run, which launches the reverse PowerShell script like we did before. Here is the PowerShell command to run in the batch file:

Now we execute the JuicyPotato.exe file we uploaded with the following commands:

We received a failure error, so this is failing with the current CLSID. I checked for different CLSIDs belonging to different application services and used one of those instead.

This time it executed successfully with the new CLSID we provided, and it runs the batch file we provided. Now checking back on our netcat listener:

We got another reverse shell successfully, and this time we are NT AUTHORITY\SYSTEM.

Moving on to getting the root flag, which is usually located under the Desktop folder of the Administrator account.

Overall this box was fantastic, and as always there was something new to learn.

References
