Json is a medium difficulty machine running Windows. It tests your knowledge of OSINT, JSON deserialization and basic privilege escalation. I didn’t find anything overly complicated with this machine. It was obvious what needed to be done; it was just a matter of finding the right payload and the correct injection point.
Be sure to check out the Basic Setup section before you get started.
Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.
Ports to take note of here are FTP on port 22, WinRM on port 5985, SMB on port 445, NetBIOS on port 139 and various RPC ports.
We see a version number for IIS but we don’t see one for FileZilla.
A quick connection with netcat reveals that information:
Using the searchsploit command we see no immediate results pertaining to the versions found.
A scan with Gobuster in dir mode reveals some files and directories:
We see two directories of interest, files and views. Let’s dig a bit deeper by looking into views:
We find some interesting files but no more directories. Let’s check the files directory as well:
We have a password.txt file! Taking a look at that file all we see is:
Let’s check out the main website at http://json.htb:
Interesting. The slow load shows me a dashboard and then redirects to the login.html page. Although this looks like it may be a known web app, I notice the page title is SB Admin 2. I recognise it immediately as a Bootstrap dashboard theme by StartBootstrap, so this site is custom, not a known web app.
Like every login page we come across, we try the credentials admin:admin, which logs us in.
We are presented with the dashboard that we got a glimpse of:
Analyzing the login with Burp Suite we notice the POST call to /api/token/ with Accept: application/json and Content-Type: application/json in the headers. There’s our JSON reference.
Doing some research online we come across many articles on deserialization, and specifically the talk that coined the phrase Friday the 13th JSON Attacks. In these slides we see a tool that may be of use called ysoserial.net, where an example is given to create a payload that pings a machine: ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19".
Refining our command to fit our needs we end up with the following:
The payload.ps1 file contains the code for a standard PowerShell reverse shell:
The result is a base64 encoded output which we will copy to our clipboard:
Now let’s setup our listener:
Then using Burp Suite we intercept the login and step forward until we see our GET call to /api/Account. We right click and select Send to Repeater (just in case we lose the connection). In our Repeater tab we place our payload in the Bearer: header and send it to the server:
Back at our listener we should see a connection:
NOTE: If you don’t see a command prompt, hit ENTER.
Just like that we have the user.txt flag. Now onward to root!
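The injection point above is a Bearer header whose value the API base64-decodes and hands straight to a .NET deserializer. From the defender’s side, the fix is to make sure only plain JSON data ever reaches that deserializer. The following Python check is an added example written for this write-up, not code from the machine or from ysoserial.net; it assumes the same layout the box uses (a header named Bearer carrying base64-encoded JSON) and uses constructed sample header values. It rejects values that are not base64 or not a JSON object, and raises an alert for two markers that a legitimate session token never contains: the SerializationHeaderRecord that opens every .NET BinaryFormatter stream, and Json.NET’s `$type` key, which is what TypeNameHandling uses to let the input choose the .NET type to instantiate.

```python
"""
Added example (not part of the original write-up): defensive inspection of a
Bearer header that is supposed to hold a base64-encoded JSON object, before
any .NET deserializer sees it. All sample header values are constructed.
"""
import base64
import binascii
import json

# Opening bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord):
# record type 0, RootId 1, HeaderId -1, MajorVersion 1. In base64 this is the
# familiar prefix "AAEAAAD/////AQAAAAAA" seen at the start of such payloads.
BINARYFORMATTER_MAGIC = bytes([0x00, 0x01, 0x00, 0x00, 0x00,
                               0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00])

# JSON keys that only exist to let the document pick a .NET type
# (Json.NET "$type" under TypeNameHandling, DataContractJsonSerializer "__type").
SUSPICIOUS_KEYS = {"$type", "__type"}


def _contains_suspicious_key(node) -> bool:
    """Walk nested dicts and lists looking for type-selection keys."""
    if isinstance(node, dict):
        return any(k in SUSPICIOUS_KEYS or _contains_suspicious_key(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(_contains_suspicious_key(v) for v in node)
    return False


def encode_token(obj) -> str:
    """Build a header value the way the legitimate login does: base64(JSON)."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def inspect_bearer(value: str):
    """Return (verdict, detail) for one Bearer header value.

    verdict is 'ok', 'reject' (malformed, just refuse it) or 'alert'
    (a deserialization marker; refuse it and log it for the SOC).
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "reject", "not valid base64"
    if raw.startswith(BINARYFORMATTER_MAGIC):
        return "alert", "BinaryFormatter stream in token"
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return "reject", "token is not JSON"
    if not isinstance(obj, dict):
        return "reject", "token is not a JSON object"
    if _contains_suspicious_key(obj):
        return "alert", "type-selection key in token"
    return "ok", "plain JSON object"


# Constructed sample header values (not captured from the machine).
SAMPLE_OK = encode_token({"Id": 1, "UserName": "admin", "Rol": "Administrator"})
SAMPLE_BINARYFORMATTER = base64.b64encode(
    BINARYFORMATTER_MAGIC + b"\x00\x00\x00\x00").decode("ascii")
SAMPLE_TYPED = encode_token({"$type": "ExampleType, ExampleAssembly", "Id": 1})
SAMPLE_GARBAGE = "this-is-not*base64"

if __name__ == "__main__":
    for name, value in [("ok", SAMPLE_OK),
                        ("binaryformatter", SAMPLE_BINARYFORMATTER),
                        ("typed", SAMPLE_TYPED),
                        ("garbage", SAMPLE_GARBAGE)]:
        verdict, detail = inspect_bearer(value)
        print(f"{name:16} {verdict:7} {detail}")
```

The check is deliberately structural rather than signature based: it does not look for any particular gadget chain, only for the two things that distinguish "data" from "instructions to the deserializer". The real fix on the server is still to deserialize the token with TypeNameHandling.None (or a fixed target type) and never to feed header input to BinaryFormatter at all; the inspection above is the layer you put in front of a legacy endpoint while that is being done, and the 'alert' verdict is what you forward to detection.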
Let’s check out what permissions we have:
We see that SeImpersonatePrivilege is enabled so we should be able to use the JuicyPotato exploit.
To get the file onto the machine we start up our web server on the attacker machine to serve it:
Then download it from the victim machine:
We will use a PowerShell reverse shell again so we download that as well:
Once again we setup our listener on the attacker machine:
And then launch our exploit:
Back at our listener on the attacker machine we should receive a connection:
Overall this machine was quite fun. It was straightforward and practical, given how JSON is misused in website authentication. There have been many examples of this exploit being used in the wild against insecure authentication APIs.