HackTheBox - JSON


00:52 - Start of recon, NMAP
04:35 - Using smbclient to look for open shares
04:50 - Examining the HTTP Redirect on the page
06:56 - Attempting default credentials
08:25 - Running gobuster with PHP extensions
12:45 - Examining the /api/ requests made in Burp Suite
13:35 - Comparing requests and noticing one has a "Bearer" header; researching exactly what it is
14:45 - Examining the contents of the Bearer/OAuth2 token by base64 decoding it
15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting in valid but unexpected base64
16:50 - Seeing a serialization error pointing towards JSON.NET, then switching to Windows to install ysoserial.net
22:54 - Creating a .NET deserialization exploit that will ping us
27:50 - Base64 encoding the exploit, starting tcpdump, and checking for code execution. Then editing our exploit to use a PowerShell web cradle with Nishang to get a reverse shell
32:51 - Reverse shell returned; running WinPEAS from my SMB share so we don't touch disk
37:00 - Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the video to get colors!)
42:00 - PrivEsc #1: Reversing Sync2Ftp to decrypt a password
50:15 - Decompiling SyncLocation.exe via dnSpy, then editing the executable to display the decrypted password
56:15 - Couldn't use PsExec with the decrypted creds. Let's use PowerShell Invoke-Command to switch users
1:05:25 - PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!
1:10:50 - Using Chisel to forward 127.0.0.1:14147 to us
1:15:15 - Running the FileZilla Server and connecting to the box through our tunnel to create new users
1:21:53 - PrivEsc #3: JuicyPotato
1:24:53 - Running JuicyPotato to get a system shell

Reviewed by Anonymous on February 15, 2020. Rating: 5