HackTheBox - JSON

00:52 - Start of recon, NMAP
04:35 - Using SMBClient to look for open shares
04:50 - Examining the HTTP redirect on the page
06:56 - Attempting default credentials
08:25 - Running GoBuster with PHP extensions
12:45 - Examining the /api/ requests made in BurpSuite
13:35 - Comparing requests to notice one has a "BEARER" header. Researching exactly what it is.
14:45 - Examining the contents of BEARER/OAUTH2 by base64 decoding it.
15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected base64
16:50 - See a serialization error, pointing towards , then switching to Windows to install ysoSerial
22:54 - Creating a .NET deserialization exploit that will ping us
27:50 - Base64 encoding the exploit, starting tcpdump, and checking for code execution. Then editing our exploit to use a PowerShell webcradle with Nishang to get a reverse shell
32:51 - Reverse shell returned, running WinPEAS from