Welcome to the JSON box writeup! This was a medium-difficulty box and fun to play with. For the initial shell, you need to identify a vulnerability related to JSON-based deserialization on the website, and by leveraging this issue through a Bearer header, you can get RCE on the box. For the root shell, you can leverage a permissive privilege granted to the initial user, SeImpersonatePrivilege, to perform a JuicyPotato exploit and get a SYSTEM shell. Let's get started.
As usual, let’s start with a basic Nmap discovery scan:
nmap -Pn --open -sC -sV -p- -T4 10.10.10.158
From the scan, we have some interesting ports:
So from the initial scan, it looks like we need to focus on the web server first.
The front page was a login page, and it was configured with weak credentials:
Username = admin : Password = admin
Once logged in as the "Admin" user, the website itself was pretty much a dead end. Pages and functions were either static or returned 404 Not Found.
When you are targeting a web server, it is recommended to do directory brute-forcing to check whether there are any hidden files or folders. I used the Dirsearch tool to accomplish this.
/files/password.txt
There was a password.txt file under the /files folder, but it was a troll. -_-
However, an interesting file, Account, was found under the /api directory.