Welcome to the JSON box writeup! This was a medium-difficulty box and fun to play with. For the initial shell, you need to identify a JSON-based deserialization vulnerability on the website; by leveraging this issue together with the Bearer header, you can get RCE on the box. For the root shell, you can leverage a permissive privilege granted to the initial user, SeImpersonatePrivilege, to perform a JuicyPotato exploit and get a SYSTEM shell. Let's get started.
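As an added defensive illustration (not code from the original writeup or the box), the following Python sketch shows how a server can accept a JSON object carried in a Bearer header without letting the client steer deserialization: it decodes the token strictly, rejects serializer metadata keys (such as Json.NET's `$type`) and duplicate keys, and enforces a fixed field set and types. The field names, size limit and `$`-prefix rule are assumptions, since the writeup does not name the application's fields or framework.

```python
import base64
import json

# Constructed allow-list of the fields the application expects in the
# Bearer-carried session object (assumed names; the writeup does not list them).
ALLOWED_FIELDS = {"id": int, "username": str, "role": str}
MAX_TOKEN_CHARS = 4096  # assumed upper bound for a session object


class BadToken(ValueError):
    """Raised when a Bearer token fails strict validation."""


def _strict_pairs(pairs):
    # Called by json.loads for every JSON object: reject duplicate keys and any
    # key that looks like serializer metadata (e.g. "$type"), so the payload can
    # never influence which type the server instantiates.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise BadToken(f"duplicate key: {key}")
        if key.startswith("$"):
            raise BadToken(f"metadata key not allowed: {key}")
        obj[key] = value
    return obj


def parse_bearer_json(header):
    """Decode 'Bearer <base64 JSON>' into a dict that matches ALLOWED_FIELDS exactly."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise BadToken("missing Bearer scheme")
    if len(token) > MAX_TOKEN_CHARS:
        raise BadToken("token too long")
    try:
        raw = base64.b64decode(token, validate=True)  # non-alphabet chars are an error
        data = json.loads(raw.decode("utf-8"), object_pairs_hook=_strict_pairs)
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise BadToken(f"malformed token: {exc}") from exc
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise BadToken("unexpected field set")
    for name, expected in ALLOWED_FIELDS.items():
        if type(data[name]) is not expected:  # exact type: bool is not accepted as int
            raise BadToken(f"wrong type for {name}")
    return data


def is_valid_token(header):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        parse_bearer_json(header)
        return True
    except BadToken:
        return False


def make_token(obj):
    """Build a 'Bearer <base64 JSON>' header from a dict (constructed test input)."""
    return "Bearer " + base64.b64encode(json.dumps(obj).encode()).decode()
```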
As usual, let’s start with a basic Nmap discovery scan:
nmap -Pn --open -sC -sV -p- -T4 10.10.10.158
From the scan, we have some interesting ports:
So from the initial scan, it looks like we need to focus on the web server first.
The front page was a login page, and it was configured with weak credentials:
Username = admin : Password = admin
Once logged in as the "Admin" user, the website itself was pretty much a dead end. Pages and functions were either static or returned 404 Not Found.
When you are targeting a web server, it is recommended to do directory brute-forcing to check whether there are any hidden files or folders. I used the Dirsearch tool to accomplish this.
There was a password.txt file under the /files folder, but it was a troll. -_-
However, an interesting file Account was found under the