JSON,a Windows box created by HackTheBox user Cyb3rb0b, was an overall easy difficulty box. The initial foothold was about finding the json de-serialization issue in ASP .net and getting an RCE with that and using that to get the user. Privilege Escalation was much more easier checking if the box was vurnable to juciy/rotten potato and we find it is and using that to get Root.
# Nmap 7.80 scan initiated Mon Dec 2 12:19:22 2019 as: nmap -sC -sV -oN nmap/json 10.10.10.158 Nmap scan report for 10.10.10.158 Host is up (0.14s latency). Not shown: 988 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: Json HTB 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC 49158/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s |_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:26:f4 (VMware) |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-12-02T21:20:46 |_ start_date: 2019-12-02T16:43:11
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Dec 2 12:21:00 2019 -- 1 IP address (1 host up) scanned in 98.70 seconds
Viewing and intercepting all the requests from the website we see /api/account to be sending Bearer token which is just the base64 encoded json containing the user details.
when we pass any other base64 encoded string we get an error stating Cannot deserialize Json.Net Object.
Show me the Json.Net component, that component have a public vulnerability.