
Hack the Box (HTB) machines walkthrough series — JSON

April 2, 2020, by Security Ninja

Today we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named JSON.

HTB is an excellent platform that hosts machines running multiple OSes, along with other challenges. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.


Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named JSON, is retired.

The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The JSON machine IP is 10.10.10.158.
  3. We will adopt the same methodology of performing penetration testing as before. Let’s start with enumeration in order to gain as much information about the machine as possible.
  4. As usual, let’s start with the nmap scan to gather more information about the services running on this machine.

    nmap -sC -sV -oA Json 10.10.10.158


  5. As we can see, a lot of interesting ports are shown. Let’s begin their enumeration next. Below is the service available on port 80.
  6. Using the default admin creds gets us in.
  7. Let’s get the request parsed via Burp. If we look closely, we can see that the bearer field and cookie token are the same.
  8. And if we decode them, we get the same request parameters.
  9. For testing, I deleted the bearer field. The response was null.
  10. I then added the random text “lhm”, Base64-encoded it and passed it in the bearer field. We got a deserialization error.
  11. We can try to exploit JSON deserialization. Here, I used a ysoserial.net payload that fetches a PowerShell module, which in turn gives us the reverse shell.
  12. We Base64-encode the above payload and then plug it into the bearer field.
  13. Success! We got the reverse shell back.
  14. We enumerate to grab user.txt.
  15. Now, let’s enumerate to escalate the privileges.
  16. It looks like we got SeImpersonatePrivilege and the machine does not have patches. Let’s see if we can utilize Juicy Potato.
  17. In order to send the Juicy Potato .exe to the target machine, we will mount the attacker machine directory to the remote machine using PowerShell, as shown below.
  18. Once done, we just create an rs.bat with the reverse shell. The thing to note is that we will use the netcat 64-bit version for getting the reverse shell here. Below is the nc command:
  19. Then we just simply execute the Juicy Potato binary with the required parameters, and we get the shell.
  20. Finally, we enumerate to get the root flag.
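As an added, defender-side example (not code from the original write-up), the following Python script shows what the bearer-token check in steps 7 to 12 looks like from the application owner's side: it decodes a Base64 token of the kind the write-up inspects and flags Json.NET type-discriminator keys (`$type`), which a deserializer configured with `TypeNameHandling.None` never needs and which gadget-based payloads such as those from ysoserial.net depend on. The token contents and the gadget class name are constructed placeholders, not values from the machine.

```python
"""
Inspect a bearer/cookie value of the shape seen on the JSON box: a Base64-encoded
JSON document. Decode it and flag Json.NET "$type" keys, which only matter when
the server deserializes with TypeNameHandling other than None.
Added example with constructed sample tokens; not part of the write-up.
"""
import base64
import binascii
import json
from typing import Any, List, Optional

# Json.NET honours "$type" only when TypeNameHandling != None; its presence in
# client-supplied input is the indicator worth alerting on.
TYPE_DISCRIMINATOR = "$type"


def decode_token(token: str) -> Optional[Any]:
    """Base64-decode and JSON-parse a token; None if it is not a JSON document."""
    try:
        raw = base64.b64decode(token, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None


def find_type_discriminators(obj: Any, path: str = "$") -> List[str]:
    """Walk the parsed JSON and return the path of every "$type" key found."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == TYPE_DISCRIMINATOR:
                hits.append(f"{path}.{key}={value!r}")
            hits.extend(find_type_discriminators(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_type_discriminators(value, f"{path}[{i}]"))
    return hits


def classify_token(token: str) -> str:
    """Return 'undecodable', 'suspicious' (carries $type) or 'benign'."""
    parsed = decode_token(token)
    if parsed is None:
        return "undecodable"
    return "suspicious" if find_type_discriminators(parsed) else "benign"


def make_token(obj: Any) -> str:
    """Helper to build a Base64 JSON token the way the application does."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed samples (placeholder user fields and a placeholder gadget class).
BENIGN_TOKEN = make_token({"Id": 1, "UserName": "admin", "Rol": "Administrator"})
SUSPICIOUS_TOKEN = make_token({
    "$type": "Example.Gadget, ExampleAssembly",  # placeholder, not a real gadget
    "MethodName": "Start",
    "Items": [{"$type": "Example.Inner, ExampleAssembly"}],
})
GARBAGE_TOKEN = base64.b64encode(b"lhm").decode("ascii")  # step 10: not JSON at all

if __name__ == "__main__":
    for label, tok in (("benign", BENIGN_TOKEN), ("suspicious", SUSPICIOUS_TOKEN),
                       ("garbage", GARBAGE_TOKEN)):
        print(f"{label:10} -> {classify_token(tok)} {find_type_discriminators(decode_token(tok))}")
```

The fix belongs on the server: parse the token into a strongly typed class with `TypeNameHandling.None` (the Json.NET default) and treat any `$type` key in client-supplied JSON as an alert, since a legitimate client has no reason to send one.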


This was an interesting machine with little enumeration required to get the initial flag, and then a straightforward exploit to escalate privileges.
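The privilege check in step 16 is the same one a defender runs against service accounts before an attacker does. The Python below is an added example, not the author's tooling: it parses the text that `whoami /priv` prints (the sample output is constructed) and reports privileges that permit token manipulation when held by a compromised service account, whether they are currently enabled or not, because a process can re-enable a disabled privilege it already holds.

```python
"""
Audit `whoami /priv` output for privileges that let a compromised service
account escalate (SeImpersonatePrivilege is the one the Potato family needs).
Added example; the sample output below is constructed, not captured from the box.
"""
from typing import Dict, List, Tuple

# Well-known high-impact privileges. "Disabled" is not a mitigation: any
# process can enable a privilege that is present in its token.
HIGH_IMPACT = {
    "SeImpersonatePrivilege": "impersonate any client that authenticates to the process",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and manipulate any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from the `whoami /priv` table."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        # The table body starts after the "=====" separator row.
        if line.startswith("====="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        name, state = parts[0], parts[-1]
        if name.startswith("Se") and state in ("Enabled", "Disabled"):
            privs[name] = state
    return privs


def audit_privileges(text: str) -> List[Tuple[str, str, str]]:
    """Return (privilege, state, why it matters) for every high-impact privilege held."""
    held = parse_whoami_priv(text)
    return [(name, state, HIGH_IMPACT[name])
            for name, state in held.items() if name in HIGH_IMPACT]


# Constructed sample in the real `whoami /priv` layout; typical of an IIS
# application-pool style account, not the JSON box's actual output.
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for name, state, why in audit_privileges(SAMPLE):
        print(f"{name:32} {state:9} {why}")
```

On the fix side, run application services under an account that does not carry SeImpersonatePrivilege unless the workload needs it, and keep hosts patched: the write-up notes the box was unpatched, and newer Windows builds close the DCOM/NTLM reflection path that Juicy Potato depends on.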


We will continue this series with more in the way of interesting HTB machines.
