[HTB] JSON — Write-up (OSWE-Prep)

bigb0ss
8 min readApr 13, 2021

Json was a medium difficulty Windows box. Good learning path for:

  • JSON-based deserialization (Bearer: header)
  • JuicyPotato Exploit (SeImpersonatePrivilege)

Initial Recon

Nmap

# nmap -Pn --open -sC -sV -p- -T4 10.10.10.158PORT     STATE  SERVICE      VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h44m48s, deviation: 0s, median: 3h44m47s
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a4:ac:26 (VMware)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
  • FTP (21/TCP)*Anonymous login was not allowed
  • HTTP (80/TCP) — A login page
  • SMB (445/TCP)*No null session allowed
  • WinRM (5985/TCP)*A default port for Windows Remote Management (WinRM). If we have a user who is part of a “Remote Management Users” group and her credentials, we can gain a remote shell leveraging this service. However, this was not no need to gain an initial shell on this box.

Web Server (HTTP — 80/TCP)

So from the initial scan, it looks like we need to focus on the web server first.

--

--

bigb0ss

OSWE | OSCE | OSCP | CREST | Lead Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security