[HTB] JSON — Write-up

Welcome to the JSON box write-up! This was a medium-difficulty box and fun to play with. For the initial shell, you need to identify a JSON-based deserialization vulnerability on the website; by combining this issue with a Bearer: header, you can get RCE on the box. For the root shell, you can leverage a permissive privilege configured for the initial user, SeImpersonatePrivilege, to perform a JuicyPotato exploit and get a SYSTEM shell. Let’s get started.

Recon

Nmap

As usual, let’s start with a basic Nmap discovery scan:

nmap -Pn --open -sC -sV -p- -T4 10.10.10.158

From the scan, we have some interesting ports:

  • FTP (21/TCP) — Anonymous login was not allowed
  • HTTP (80/TCP)
  • SMB (445/TCP) — No null session allowed
  • WinRM (5985/TCP) — The default port for Windows Remote Management (WinRM). If we have the credentials of a user who is a member of the “Remote Management Users” group, we can gain a remote shell through this service. However, this was not needed to gain an initial shell on this box.

Web Server (HTTP — 80/TCP)

So from the initial scan, it looks like we need to focus on the web server first.

The front page was a login page, and it was configured with weak credentials:

Username = admin : Password = admin

Once logged in as the “Admin” user, the website itself was pretty much a dead end. Pages and functions were either static or returned 404 Not Found.

Web Server — Dirsearch

When you are targeting a web server, it is recommended to brute-force directories to check for hidden files and folders. I used the Dirsearch tool to accomplish this.

/files/password.txt

There was a password.txt file under the /files folder, but it was a troll. -_-

However, an interesting file, Account, was found under the /api directory.
