Welcome to the JSON box write-up! This was a medium-difficulty box and fun to play with. For the initial shell, you need to identify a JSON deserialization vulnerability on the website; by abusing it through the Bearer header the application uses, you can get RCE on the box. For the root shell, you can leverage a privilege held by the initial user, SeImpersonatePrivilege, to run a JuicyPotato exploit and get a SYSTEM shell. Let's get started.
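The bug class the introduction names is worth seeing in code before the recon starts. Many JSON libraries can be configured to honour a type hint inside the document (a field such as `$type`), and if that hint is resolved dynamically, whoever controls the token decides which class gets instantiated. The Python below is an added illustration, not code from the box or from this write-up's author: `Account` and its fields are assumed for the demo, `$type` stands in for whatever hint the real framework uses, and the token is a constructed sample in the base64-of-JSON form a Bearer header would carry. The vulnerable parser is shown beside an allowlist-based fix.

```python
import base64
import importlib
import json
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Account:
    """Assumed shape of the application's session object (illustration only)."""
    Id: int
    UserName: str
    Rol: str


def encode_bearer(obj):
    """Base64-encode a JSON object the way a Bearer-style token would carry it."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def legit_token():
    # Constructed sample: what the application itself would issue after login.
    return encode_bearer({"Id": 1, "UserName": "admin", "Rol": "Administrator"})


def gadget_token():
    # Constructed sample: the $type hint names a callable that executes a
    # command. The interpreter itself is used so the demo runs anywhere.
    return encode_bearer({
        "$type": "subprocess.check_output",
        "args": [sys.executable, "-c", "print('pwned')"],
    })


def resolve_type(type_name):
    """Resolve 'module.Name' to a callable; stands in for the framework's
    type-name lookup that a $type hint triggers in the vulnerable parser."""
    module_name, _, attr = type_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def deserialize_unsafe(token):
    """Vulnerable: trusts an attacker-controlled $type and calls whatever it
    resolves to, passing the remaining JSON fields as keyword arguments."""
    data = json.loads(base64.b64decode(token))
    type_name = data.pop("$type", None)
    if type_name is None:
        return Account(**data)
    return resolve_type(type_name)(**data)


# Only the types the application genuinely expects to receive.
ALLOWED_TYPES = {"Account": Account}


def deserialize_safe(token):
    """Hardened: type hints are looked up in a fixed allowlist and never
    resolved dynamically, so a $type naming anything else is rejected."""
    data = json.loads(base64.b64decode(token))
    type_name = data.pop("$type", "Account")
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None:
        raise ValueError(f"rejected type hint {type_name!r}")
    return cls(**data)


def safe_rejects(token):
    """True when the hardened parser refuses the token."""
    try:
        deserialize_safe(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(deserialize_unsafe(legit_token()))
    print(deserialize_unsafe(gadget_token()))  # the parser just ran a command
    print("hardened parser rejects gadget:", safe_rejects(gadget_token()))
```

Both parsers accept the legitimate token identically; the difference only shows when the hint is hostile. The fix is not "validate the fields" but "never let the document choose the type", which is the same advice that applies to any typed deserializer regardless of language.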

Recon

Nmap

As usual, let’s start with a basic Nmap discovery scan:

nmap -Pn --open -sC -sV -p- -T4 10.10.10.158

From the scan, we have some interesting ports:

  • FTP (21/TCP) — anonymous login was not allowed.
  • HTTP (80/TCP)
  • SMB (445/TCP) — no null session allowed.
  • WinRM (5985/TCP) — the default port for Windows Remote Management (WinRM). If we have credentials for a user who is a member of the “Remote Management Users” group, we can gain a remote shell through this service. However, this was not needed to gain an initial shell on this box.

Web Server (HTTP — 80/TCP)

So from the initial scan, it looks like we need to focus on the web server first.

The front page was a login page, and it accepted weak default credentials:

Username = admin : Password = admin

Once logged in as the “Admin” user, the website itself was pretty much a dead end: pages and functions were either static or returned 404 Not Found.

Web Server — Dirsearch

When you are targeting a web server, it is worth brute-forcing directories to check for hidden files or folders. I used the Dirsearch tool to accomplish this.

/files/password.txt

There was a password.txt file under the /files folder, but it was a troll. -_-

However, an interesting endpoint, Account, was found under the /api directory.


[HTB] JSON — Write-up