Web


Nmap discovered a web server on the target port 80. The running service is Microsoft IIS httpd 10.0.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ curl -i http://$IP/  
HTTP/1.1 302 Redirect
Content-Type: text/html; charset=UTF-8
Location: http://blazorized.htb
Server: Microsoft-IIS/10.0
Date: Mon, 01 Jul 2024 14:37:35 GMT
Content-Length: 144
 
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://blazorized.htb">here</a></body>

Webroot redirects to http://blazorized.htb

The /etc/hosts file on Kali has been updated with the domain

The webroot is a digital garden belonging to a person, Mozhar Alhosni

Wappalyzer identified the technologies involved: the site is built with Blazor

Blazor


Blazor is a free and open-source web framework that enables developers to create web user interfaces (UI) based on components, using C# and HTML. It is being developed by Microsoft, as part of the ASP.NET Core web app framework. Blazor can be used to develop single-page, mobile, or server-rendered applications using .NET technologies.

Check for updates


The Check for Updates page describes an existing API endpoint that can only be accessed by the super admin

Clicking the button

api.blazorized.htb/posts


Clicking the button makes an OPTIONS request to the API endpoint api.blazorized.htb/posts

The /etc/hosts file on Kali has been updated to include the URL for the API

There is an Authorization header carrying a bearer token

The token appears to be a JSON Web Token (JWT); its payload contains the username superadmin@blazorized.htb
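Decoding a captured bearer token to see what it claims, as an added example (not code from the page or the Blazorized application). It parses the three base64url segments without verifying the signature and pulls out the fields worth reviewing: algorithm, identity and role claims, issuer/audience and the validity window. The token below is constructed in the code; the claim names (`unique_name`, `role`, `iss`, `aud`) are assumptions, since the page only says the token contains the superadmin username.

```python
import base64
import json
import time
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode; used here only to build the constructed demo token."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and signature and parse the JSON parts.
    This does NOT verify the signature: it shows what a captured bearer token
    claims, which is not the same as whether the API should trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature_len": len(b64url_decode(parts[2])),
    }

# Claim names that commonly carry the user identity. Which one an application
# uses is an assumption until the real token has been looked at.
IDENTITY_CLAIMS = ("unique_name", "email", "upn", "preferred_username", "sub", "name")

def summarize(token: str, now: Optional[float] = None) -> dict:
    """The fields a reviewer checks first: algorithm, identity and role claims,
    issuer/audience, and whether `now` falls inside the validity window."""
    now = time.time() if now is None else now
    parsed = decode_jwt(token)
    header, payload = parsed["header"], parsed["payload"]
    exp, iat, nbf = payload.get("exp"), payload.get("iat"), payload.get("nbf")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "identity": next((payload[c] for c in IDENTITY_CLAIMS if c in payload), None),
        "roles": payload.get("role", payload.get("roles")),
        "issuer": payload.get("iss"),
        "audience": payload.get("aud"),
        "expired": exp is not None and now >= exp,
        "not_yet_valid": nbf is not None and now < nbf,
        # A very long lifetime on a token shipped to every browser is itself a finding.
        "lifetime_days": None if exp is None or iat is None else (exp - iat) / 86400,
        "signature_bytes": parsed["signature_len"],
    }

# Constructed demo token (not the one captured from the target): a plausible
# header, a payload shaped like the page describes (username claim carrying the
# superadmin address) plus constructed role/issuer/audience values, and a
# dummy 32-byte signature.
_DEMO_HEADER = {"alg": "HS256", "typ": "JWT"}
_DEMO_PAYLOAD = {
    "unique_name": "superadmin@blazorized.htb",
    "role": "SuperAdmin",                  # constructed
    "iss": "http://api.blazorized.htb",    # constructed
    "aud": "http://blazorized.htb",        # constructed
    "iat": 1719849600,                     # 2024-07-01T16:00:00Z
    "exp": 1719849600 + 365 * 86400,       # one year later
}
DEMO_JWT = ".".join([
    b64url_encode(json.dumps(_DEMO_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(_DEMO_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"\x00" * 32),
])

if __name__ == "__main__":
    print(json.dumps(summarize(DEMO_JWT), indent=2))
```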

HTTP/1.1 200 OK
Content-Type: application/json
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Date: Mon, 01 Jul 2024 15:41:01 GMT
Connection: close
Content-Length: 12160
 
{
  "Posts": [
    {
      "ID": "1c391f9c-fd3e-4d86-b966-9a3e5d7e3d28",
      "Title": "Active Directory",
      "MarkdownContent": "Below are links to projects and posts relating AD red-teaming:\r\n\r\n- https://github.com/Group3r/Group3r\r\n- https://github.com/Leo4j/Amnesiac\r\n- https://github.com/JPG0mez/ADCSync\r\n- https://github.com/Processus-Thief/HEKATOMB\r\n- https://github.com/Mazars-Tech/AD_Miner\r\n- https://github.com/AlmondOffSec/PassTheCert\r\n- https://github.com/synacktiv/ntdissector\r\n- https://github.com/Hackndo/pyGPOAbuse\r\n- https://exploit.ph/external-trusts-are-evil.html\r\n- https://github.com/SecuraBV/Timeroast\r\n- https://github.com/SadProcessor/CypherDog\r\n- https://mayfly277.github.io/",
      "CategoryID": "9a445790-f7e8-4351-8cf4-46fcae383eec"
    },
    {
      "ID": "07e6eeae-7e59-40ff-a4fa-b1ea98b1b5d4",
      "Title": "Active Directory",
      "MarkdownContent": "Below are links to projects and posts relating AD blue-teaming:\r\n\r\n- https://github.com/lkarlslund/Adalanche\r\n- https://github.com/FalconForceTeam/FalconHound\r\n- https://github.com/csababarta/ntdsxtract\r\n- https://github.com/adrecon/ADRecon",
      "CategoryID": "d8f945f9-2d12-4691-acfb-a9cef2f9b23c"
    },
    {
      "ID": "efd307ef-cbeb-4b38-8ccb-4a2dfc4d09a9",
      "Title": "arXiv",
      "MarkdownContent": "[arXiv](https://arxiv.org/) is among the best websites (**usenix.org** tops it) to stay up to date with the latest research papers from all around the globe. They have a range of research subjects, including those belonging to:\r\n\r\n- [Mathematics](https://arxiv.org/archive/math)\r\n- [Computer Science](https://info.arxiv.org/help/cs/index.html)\r\n- [Electrical Engineering and Systems Science](https://arxiv.org/archive/eess)",
      "CategoryID": "9bd1d7a7-53c9-4e76-9aa5-bd93d60c4579"
    },
    {
      "ID": "9d9f8a1c-bd0e-4ec6-8b87-4ad7662d2fc3",
      "Title": "Concepts of Programming Languages",
      "MarkdownContent": "**Concepts of Programming Languages** by **Robert W. Sebesta** is one of the _best_ programming languages books: it combines strong theoretical knowledge and practical examples. However, the language used in the book is not for the beginner; instead, it suits a CS student in their second or last year.",
      "CategoryID": "6c9f2b96-6f80-4e48-8169-ac2cc2d06260"
    },
    {
      "ID": "51f96e88-da50-453d-9a37-2bb847c868ab",
      "Title": "Cryptography and Security",
      "MarkdownContent": "The [Cryptography and Security](https://arxiv.org/list/cs.CR/recent) section of `arXiv` is top-notch to stay educated about state of the art cryptography and computer security research papers. \r\n\r\nHowever, sometimes the papers published there are of poor quality (and even some seem to be generated by a GPT model). Therefore, the reader should take precautions and not trust everything stated in these research papers blindly.",
      "CategoryID": "9bd1d7a7-53c9-4e76-9aa5-bd93d60c4579"
    },
    {
      "ID": "171d6389-4fec-48f8-b571-2d6ca372bf8c",
      "Title": "IEEE Symposium on Security and Privacy",
      "MarkdownContent": "[IEEE Computer Society's Technical Community on Security and Privacy](https://www.ieee-security.org/) stands as a prominent hub for cutting-edge security research. Annually, it orchestrates the [IEEE Symposium on Security and Privacy](https://sp2023.ieee-security.org/past.html), a pinnacle event in the realm of security research. The most recent one, the [44th IEEE Symposium on Security and Privacy](https://sp2023.ieee-security.org/past.html), showcased the latest advancements in the field. While direct access to the [accepted research papers](https://sp2023.ieee-security.org/program-papers.html) is not provided, one can explore presentations by the researchers on the [IEEE Symposium on Security and Privacy](https://www.youtube.com/@ieeesymposiumonsecurityand3919) YouTube channel. Additionally, one can search for specific research paper titles online to read them.",
      "CategoryID": "2a35aa74-87f0-4a22-8c9a-8a10f4856f43"
    },
    {
      "ID": "09ebf3a0-2cd4-4677-b746-033113ec2009",
      "Title": "Interesting Digital Gardens",
      "MarkdownContent": "There are various interesting digital gardens on the web, including:\r\n\r\n- https://gwern.net/\r\n- https://100r.co/site/home.html\r\n- https://okmij.org/ftp/\r\n- https://notes.eatonphil.com/\r\n\r\nThere are many others found at https://wiki.nikiv.dev/other/wiki-workflow#similar-wikis-i-liked",
      "CategoryID": null
    },
    {
      "ID": "baac3b95-c972-4b8b-a158-88c483267b5d",
      "Title": "Misc. Links",
      "MarkdownContent": "Due to the nature of my job, I must constantly stay up to date with the latest trends and topics in Computer Science and Cyber Security. Below are miscellaneous links that I will have to organize and categorize in the future:\r\n\r\n- https://zod.dev\r\n- https://github.com/fkasler/cuddlephish\r\n- https://github.com/stacklok/minder\r\n- https://docs.stacklok.com/trusty\r\n- https://gotenberg.dev/\r\n- https://github.com/megeeky/SharpWebServer\r\n- https://github.com/SpecterOps/Nemesis\r\n- https://github.com/werdhaihai/AtlasReaper\r\n- https://www.first.org/cvss/v4-0/index.html\r\n- https://github.com/hktalent/scan4all\r\n- https://github.com/sAjibuu/Upload_Bypass\r\n- https://github.com/0xKayala/NucleiFuzzer\r\n- https://gittuf.github.io/\r\n- https://github.com/Shopify/toxiproxy\r\n- https://github.com/Hackndo/pyGPOAbuse\r\n- https://github.com/neondatabase/neon\r\n- https://thegreycorner.com/offsecfeed/\r\n- https://github.com/canix1/ADACLScanner\r\n- https://www.learndmarc.com/\r\n- https://itnext.io/\r\n- https://cisecurity.org/cis-benchmarks\r\n- https://hertzbleed.com/gpu.zip/\r\n- htttps://github.com/cure53/HTTPLeaks\r\n- https://kakoune.org\r\n- https://cure53.de/\r\n- https://www.subdomain.center/\r\n- https://whonix.org/\r\n- https://www.qubes-os.org/\r\n- https://jsdoc.app/\r\n- https://orbstack.dev/\r\n- http://www.textfiles.com/100/hack_ths.txt\r\n- https://github.com/liveblocks/liveblocks\r\n- https://github.com/tsl0922/ttyd\r\n- https://github.com/supabase/supabase\r\n- https://www.hahwul.com/\r\n- https://asgi.readthedocs.io/en/latest/\r\n- https://yew.rs/\r\n- https://pentest-standard.readthedocs.io/en/latest/tree.thml\r\n- https://huggingface.co/\r\n- https://stellar.org\r\n- https://secret.club/\r\n- https://github.com/praetorian-inc/Matryoshka\r\n- https://about.sourcegraph.com/cody\r\n- https://github.com/exogee-technology/graphweaver\r\n- https://decentraleyes.org/\r\n- https://htmx.org/\r\n- https://gohugo.io\r\n- https://chat.lmsys.org/\r\n- https://www.perplexity.ai/\r\n- https://caido.io/\r\n- https://infocondb.org/\r\n- https://comsec.ethz.ch/publications/\r\n- https://github.com/Sq00ky/LeetLinked\r\n- https://downfall.page/\r\n- https://ironpython.net/\r\n- https://github.com/Nariod/RustPacker\r\n- https://github.com/RedTeamPentesting/resocks\r\n- https://github.com/Significant-Gravitas/Auto-GPT\r\n- https://github.com/bee-san/pyWhat\r\n- https://github.com/login-securite/DonPAPI\r\n- https://kaitai.io/\r\n- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team\r\n- https://github.com/mxrch/GHunt\r\n- https://github.com/mxrch/GitFive\r\n- https://github.com/klezVirus/SysWhispers3\r\n- https://github.com/giuliano108/SeBackupPrivilege\r\n- https://github.com/Krypteria/Ant\r\n- https://github.com/SadProcessor/CypherDog",
      "CategoryID": null
    },
    {
      "ID": "6208bb94-c96d-4181-8464-17fdbcd31f0c",
      "Title": "Platforms",
      "MarkdownContent": "[HackTheBox](https://www.hackthebox.com/) is one of the most realistic platforms to learn about red-teaming and hacking. Their [Academy](https://academy.hackthebox.com/) has top-notch red-teaming modules, with the prime examples being [DACL Attacks I](https://academy.hackthebox.com/course/preview/dacl-attacks-i) and [NTLM Relay Attacks](https://academy.hackthebox.com/course/preview/ntlm-relay-attacks).",
      "CategoryID": "9a445790-f7e8-4351-8cf4-46fcae383eec"
    },
    {
      "ID": "e4113cc1-f461-4303-9428-1aad0341e8e8",
      "Title": "Theory",
      "MarkdownContent": "Cybersecurity is the art of abusing CS knowledge to achieve various end-goals, most importantly, offensive security engagements objectives.",
      "CategoryID": "c5ea5494-d606-4d8d-8979-1065dc67971d"
    },
    {
      "ID": "8f0007a4-00de-486e-9a5e-e92048c280bf",
      "Title": "Uncategorized",
      "MarkdownContent": "The below research papers are uncategorized, and are to be investigated later:\r\n\r\n- https://thume.ca/2023/12/02/tracing-methods/\r\n- https://zakird.com/papers/tangled_web.pdf\r\n- https://jhalderm.com/pub/papers/censys-ccs15.pdf\r\n- https://jhalderm.com/pub/papers/zmap10gig-woot14.pdf\r\n- https://zakird.com/papers/lzr.pdf\r\n- https://zakird.com/papers/zlint.pdf\r\n- https://zakird.com/papers/zdns.pdf",
      "CategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    },
    {
      "ID": "ca8b2dda-a164-4ea0-a29a-cf64b5ad01e5",
      "Title": "usenix.org",
      "MarkdownContent": "The [USENIX](https://www.usenix.org/) Association is nonprofit organization, dedicated to supporting the advanced computing systems communities and furthering the reach of innovative research. They hold a large number of [conferences](https://www.usenix.org/conferences), with the [32nd USENIX Security Symposium](https://www.usenix.org/conference/usenixsecurity23) being the latest USENIX Security one. The research paper accepted in this year's symposium, which are very educational and of extremely _high academic standards_, can be found at:\r\n\r\n- [USENIX Security '23 Summer Accepted Papers](https://www.usenix.org/conference/usenixsecurity23/summer-accepted-papers)\r\n- [USENIX Security '23 Fall Accepted Papers](https://www.usenix.org/conference/usenixsecurity23/fall-accepted-papers)",
      "CategoryID": "92824cd1-4c94-46e6-a982-96c9c8e0b20c"
    },
    {
      "ID": "f78c5361-440a-4b68-b8ef-ae47e066222b",
      "Title": "ZMap Project",
      "MarkdownContent": "The [ZMap Project](https://zmap.io/research) has several important research papers to read:\r\n\r\n- https://zakird.com/papers/mirai.pdf\r\n- [Global Measurement of DNS Manipulation](https://faculty.cc.gatech.edu/~pearce/papers/dns_usenix_2017.pdf)\r\n- [Augur: Internet-Wide Detection of Connectivity Disruptions](https://faculty.cc.gatech.edu/~pearce/papers/augur_oakland_2017.pdf)\r\n- [To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild](https://faculty.cc.gatech.edu/~pearce/papers/rats_oakland_2017.pdf)\r\n- [An Internet-Wide View of ICS Devices](https://zakird.com/papers/scada.pdf)\r\n- [DROWN: Breaking TLS using SSLv2](https://drownattack.com/drown-attack-paper.pdf)\r\n- [You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications](https://zakird.com/papers/sec16-vuln-notifications.pdf)\r\n- [FTP: The Forgotten Cloud](https://zakird.com/papers/dsn-ftp.pdf)\r\n- [Neither Snow Nor Rain Nor MITM . . . An Empirical Analysis of Email Delivery Security](https://jhalderm.com/pub/papers/mail-imc15.pdf)\r\n- [Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice](https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf)\r\n- [A Messy State of the Union: Taming the Composite State Machines of TLS](https://inria.hal.science/hal-01114250/document)\r\n- [The Matter of Heartbleed](https://jhalderm.com/pub/papers/heartbleed-imc14.pdf)\r\n- [When Governments Hack Opponents: A Look at Actors and Technology](https://www.icir.org/vern/papers/govhack.usesec14.pdf)\r\n- [An Internet-Wide View of Internet-Wide Scanning](https://jhalderm.com/pub/papers/scanning-sec14.pdf)\r\n- [TapDance: End-to-Middle Anticensorship without Flow Blocking](https://jhalderm.com/pub/papers/tapdance-sec14.pdf)\r\n- [Zippier ZMap: Internet-Wide Scanning at 10 Gbps](https://jhalderm.com/pub/papers/zmap10gig-woot14.pdf)\r\n- [Analysis of the HTTPS Certificate Ecosystem∗](https://jhalderm.com/pub/papers/https-imc13.pdf)\r\n- [Illuminating the Security Issues Surrounding Lights-Out Server Management](https://jhalderm.com/pub/papers/ipmi-woot13.pdf)\r\n- [CAge: Taming Certificate Authorities by Inferring Restricted Scopes](https://jhalderm.com/pub/papers/cage-fc13.pdf)\r\n- [Elliptic Curve Cryptography in Practice](https://cryptome.org/2013/11/ecc-practice.pdf)\r\n- [Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices](https://factorable.net/paper.html)\r\n- [Hacking Team and the Targeting of Ethiopian Journalists](https://citizenlab.ca/2014/02/hacking-team-targeting-ethiopian-journalists/)",
      "CategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    }
  ]
}

I got this response from the API endpoint api.blazorized.htb/posts

superadmin


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ kerbrute userenum --dc dc1.blazorized.htb -d BLAZORIZED.HTB ./users.txt -t 200 -v
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 07/01/24 - Ronnie Flathers @ropnop
 
2024/07/01 17:35:19 >  Using KDC(s):
2024/07/01 17:35:19 >  	dc1.blazorized.htb:88
 
2024/07/01 17:35:19 >  [!] superadmin@BLAZORIZED.HTB - User does not exist
2024/07/01 17:35:19 >  Done! Tested 1 usernames (0 valid) in 0.117 seconds

The superadmin user doesn’t appear to be a valid domain account

api.blazorized.htb/categories


It also makes an OPTIONS request to api.blazorized.htb/categories with the same JWT

HTTP/1.1 200 OK
Content-Type: application/json
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Date: Mon, 01 Jul 2024 15:39:32 GMT
Connection: close
Content-Length: 1296
 
{
  "Categories": [
    {
      "ID": "9bd1d7a7-53c9-4e76-9aa5-bd93d60c4579",
      "Name": "Arxiv.org",
      "ParentCategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    },
    {
      "ID": "d8f945f9-2d12-4691-acfb-a9cef2f9b23c",
      "Name": "Blue Teaming",
      "ParentCategoryID": "c5ea5494-d606-4d8d-8979-1065dc67971d"
    },
    {
      "ID": "6c9f2b96-6f80-4e48-8169-ac2cc2d06260",
      "Name": "Books",
      "ParentCategoryID": "3f6d48d8-0944-4317-84a0-d2a2a5dca6e1"
    },
    {
      "ID": "49bcc54a-e29f-4fcb-84d2-5dddcd2068a9",
      "Name": "Computer Science",
      "ParentCategoryID": "49bcc54a-e29f-4fcb-84d2-5dddcd2068a9"
    },
    {
      "ID": "c5ea5494-d606-4d8d-8979-1065dc67971d",
      "Name": "Cybersecurity",
      "ParentCategoryID": "c5ea5494-d606-4d8d-8979-1065dc67971d"
    },
    {
      "ID": "2a35aa74-87f0-4a22-8c9a-8a10f4856f43",
      "Name": "IEEE Symposium on Security and Privacy",
      "ParentCategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    },
    {
      "ID": "3f6d48d8-0944-4317-84a0-d2a2a5dca6e1",
      "Name": "Programming",
      "ParentCategoryID": "49bcc54a-e29f-4fcb-84d2-5dddcd2068a9"
    },
    {
      "ID": "9a445790-f7e8-4351-8cf4-46fcae383eec",
      "Name": "Red Teaming",
      "ParentCategoryID": "c5ea5494-d606-4d8d-8979-1065dc67971d"
    },
    {
      "ID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6",
      "Name": "Research Papers",
      "ParentCategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    },
    {
      "ID": "92824cd1-4c94-46e6-a982-96c9c8e0b20c",
      "Name": "usenix.org",
      "ParentCategoryID": "916d0f55-43da-4f66-9ce0-48cdb3f956d6"
    }
  ]
}

I got the following response from the API endpoint api.blazorized.htb/categories

Markdown Playground


The /markdown endpoint hosts a Markdown Playground that renders user input as Markdown.

Posts


The bottom two correspond to posts returned by the API endpoint:

  • /post/09ebf3a0-2cd4-4677-b746-033113ec2009
  • /post/baac3b95-c972-4b8b-a158-88c483267b5d

Nothing special about them

Burp Suite


Checking back on the site map from Burp Suite’s passive crawler, I see an interesting JSON file that appears to be a configuration file for initializing the Blazor instance

blazor.boot.json


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ curl -i http://blazorized.htb/_framework/blazor.boot.json
HTTP/1.1 200 OK
Content-Type: application/json
Last-Modified: Sun, 25 Feb 2024 13:26:14 GMT
Accept-Ranges: bytes
ETag: "5a7d9e34ee67da1:0"
Server: Microsoft-IIS/10.0
Date: Mon, 01 Jul 2024 18:23:36 GMT
Content-Length: 7984
 
{
  "cacheBootResources": true,
  "config": [ ],
  "debugBuild": false,
  "entryAssembly": "Blazorized.DigitalGarden",
  "icuDataMode": 0,
  "linkerEnabled": true,
  "resources": {
    "assembly": {
      "Blazored.LocalStorage.dll": "sha256-5V8ovY1srbIIz7lzzMhLd3nNJ9LJ6bHoBOnLJahv8Go=",
      "Blazorized.DigitalGarden.dll": "sha256-YH2BGBuuUllYRVTLRSM+TxZtmhmNitErmBqq1Xb1fdI=",
      "Blazorized.Shared.dll": "sha256-Bz\/iaIKjbUZ4pzYB1LxrExKonhSlVdPH63LsehtJDqY=",
      "Markdig.dll": "sha256-\/zBLNTAFSwzmj9Qq3hOzX4jN+IzlZOPHCL3qEU4t8BQ=",
      "Microsoft.AspNetCore.Components.dll": "sha256-q\/vMB0OEwpfgaAe0kahnXQUPQ5ux0ryaY2BXkF22E8Y=",
      "Microsoft.AspNetCore.Components.Forms.dll": "sha256-ilsozHMhNmrU5XRQkeYzpGDYHyLUQXPUW4Hh4D7ueZ4=",
      "Microsoft.AspNetCore.Components.Web.dll": "sha256-KWEr4EaQSjbTnpfqEN\/6Nl330iwzKzUAkJlJ1BpK\/MU=",
      "Microsoft.AspNetCore.Components.WebAssembly.dll": "sha256-Ej9bH2qZK\/yyvACie45LB5PgSAlH0sPfZjnHKyBY1MA=",
      "Microsoft.Extensions.Configuration.Abstractions.dll": "sha256-X\/f4fDl2cuIRXeWHhK\/f2UqQbFioD+RU4a4CEh0zrrQ=",
      "Microsoft.Extensions.Configuration.dll": "sha256-DBOKSPriP2JDxVbbWrLXyD3K4\/x3RBifNBWk\/q1I39M=",
      "Microsoft.Extensions.Configuration.Json.dll": "sha256-Q5AqJneA2TZnzC0IYzBx6j\/tHRhWAeMbpH3BsV7KgWg=",
      "Microsoft.Extensions.DependencyInjection.Abstractions.dll": "sha256-3dT6SSIGGrs8Me0BhM7OKQNnZgPiMpzxJxbKZg9+PPk=",
      "Microsoft.Extensions.DependencyInjection.dll": "sha256-qi0kE7rp0kdsNqdL6DyPZEeimjUGvcLT4iWQX0YnRus=",
      "Microsoft.Extensions.Http.dll": "sha256-rZWnWVD6nK+nRjxDQYWLF5GE9vGvT14HtIoM\/0PlVd0=",
      "Microsoft.Extensions.Localization.Abstractions.dll": "sha256-HmuAsUnHX2mxnAL703FjrEbwGneVw5Q96ZGBg3m7xEw=",
      "Microsoft.Extensions.Localization.dll": "sha256-oL+8vEgiohIU\/VOsIukfsaS53JGMyOPV5Grr6Zd6TSk=",
      "Microsoft.Extensions.Logging.Abstractions.dll": "sha256-+5dUbJ9ffsgK5RahPCQeMw5x76+LlE6F9dqvF2FoBHg=",
      "Microsoft.Extensions.Logging.dll": "sha256-Sezvu1SpB+vPfYWMQ+LQtRpFvN9Ym3AvPDnKYCKxL14=",
      "Microsoft.Extensions.Options.dll": "sha256-k9XISCK5fk9IUDDKqLl\/+QFebprK5dgTjSKpE\/Zpz8Q=",
      "Microsoft.Extensions.Primitives.dll": "sha256-eXvGx2jcjpTPEJoAHBsW\/VuMPbNyyU+AsuhPmkzSSRY=",
      "Microsoft.IdentityModel.Abstractions.dll": "sha256-a1daKYknMuF16uFadrwL8fjYxiN83JCr285kxf6l1SI=",
      "Microsoft.IdentityModel.JsonWebTokens.dll": "sha256-ZceT+VyXrVMCCQx7ghNz4BXbpCkOZwHTSkPikk1tYfg=",
      "Microsoft.IdentityModel.Logging.dll": "sha256-yUKJ+ALshaP1bgyC3HBJYhvWi8ZO89OQq1D6xzUcsjA=",
      "Microsoft.IdentityModel.Tokens.dll": "sha256-kci9vmm4cxzxjfLH7gBsdkuSD95idJws2K27ijmaMqg=",
      "Microsoft.JSInterop.dll": "sha256-3OzHtLOp\/ABrxbs+cwoO9uxU3d1YqRrcP6MgKAWKCOQ=",
      "Microsoft.JSInterop.WebAssembly.dll": "sha256-4cMfifCYL\/bv5qiC8T6HyABhOewZlTXovRc+E\/CrUbc=",
      "MudBlazor.dll": "sha256-BCkPqJ+DM7hJKpuUnFQY98YKaIwoRWyqzw8JkUBKQf0=",
      "MudBlazor.Markdown.dll": "sha256-6eL9fPi7IlrwF4XROmZgloTtnqKEqzak7Aew1tykYPI=",
      "System.Collections.Concurrent.dll": "sha256-VJZ+9mtVjI3oFnHaOcs7QQWwE1tpcmsn\/Fbf1ss51EE=",
      "System.Collections.dll": "sha256-PcqW0HOMhSsdhOuo97PP73z311WvAUQjMNlDxO0YNvg=",
      "System.ComponentModel.Annotations.dll": "sha256-p3FeLGazqadK+YWA5aMJEwKQP4\/CX0gumrfPLmaMmss=",
      "System.ComponentModel.dll": "sha256-Fk2YdbIh1S9I3Jn+elQpV9RdU2OqJiVenl74EbfuW34=",
      "System.ComponentModel.Primitives.dll": "sha256-f2JppNaTVR3r2YAWy4aA5vx0Ouy5xoW17tkOh8su2Wc=",
      "System.ComponentModel.TypeConverter.dll": "sha256-z8NaAg44tOD7RGtFlQNGs6GywkgWXfQxiH9IJyUJaBs=",
      "System.Console.dll": "sha256-Z0qITFiDb6P2gyaZV9Ku42+3y\/8YwgfrxLnEDp5E15s=",
      "System.dll": "sha256-GXYaTkUWqIcsGI6VKD2SIHDrRwOD2xQU1UA9nONh8PU=",
      "System.Formats.Asn1.dll": "sha256-V5AtfHy4i4TRClZ4wQZ7hPz5VgLdBCZQYasU5aJR9D0=",
      "System.IdentityModel.Tokens.Jwt.dll": "sha256-6UnGv5ruxREG0Pk32MuWFOFjcqcvYNuinJcJaBXPnRA=",
      "System.IO.Compression.dll": "sha256-6oQKWB3LN6lvKLNpYiIalauJCy2YonpZ7QBLAmoMCao=",
      "System.Linq.dll": "sha256-YuUMLuHQ4VWrIe8ecXrKp6f8BFkPKwTInHAFtRspY3A=",
      "System.Linq.Expressions.dll": "sha256-krU0mE+qHN23mrVgI0s\/99oAYEHtztkgJ59u0Uy+x6c=",
      "System.Memory.dll": "sha256-+MXdUexgKsH1w9XI5G8BWxuEY0tKIAD+xuE1kO1lYbA=",
      "System.Net.Http.dll": "sha256-5YDY3emMx3szDVfae1lDDlTPXH3VB1apmM8hECmSQR4=",
      "System.Net.Http.Json.dll": "sha256-CG\/PL04ZZqfHAYQdh\/5IJKbcNSUSDUXbz6ZYqyJ5cPM=",
      "System.Net.Primitives.dll": "sha256-eNUKNz+XLN5pHDhz0TRrSWVzwD7sT8fHO\/iPmRMMcmw=",
      "System.ObjectModel.dll": "sha256-rCCEEgfTj3ifxigXAW8vpXI2xDFjBeDcFTeEeQRCxGs=",
      "System.Private.CoreLib.dll": "sha256-duCS2lpNXrvF\/sII\/ROPczy30vEs54dkJG+WagUjwU8=",
      "System.Private.Uri.dll": "sha256-QUp9pgVKRli5\/xLQf5zWfHAD1KRUEi3RgO1D6HY2SHk=",
      "System.Private.Xml.dll": "sha256-ApyqBjTVBbNCyZJP0aNRxd1cJdyLNpElRVs622uuJ54=",
      "System.Runtime.CompilerServices.Unsafe.dll": "sha256-ioMG7tdGMQuJXQaFEifb58Wo9nhzQ138YPF3FjXFKso=",
      "System.Runtime.dll": "sha256-2oCgFx36GBC0xZjd1hl5ZQXxw8zwZ00R\/SxrGu6Qy\/4=",
      "System.Runtime.InteropServices.dll": "sha256-ZnOr3qdZamAmXJoClwtU11aePkDpbPGGRXGGVZq+qss=",
      "System.Runtime.InteropServices.JavaScript.dll": "sha256-K56cee2Wp0fFNOLSZjwAZWsvsexfPJ8Fc\/rP97RFSG0=",
      "System.Runtime.Intrinsics.dll": "sha256-RNcogVfdvH7r++k9\/Sbs9aGp2Tsky8bIOWUFHl+j4jo=",
      "System.Runtime.Numerics.dll": "sha256-+oHtVeVcUysD56UQYTTLJ3BnD9766uThPNHg700sxu0=",
      "System.Security.Claims.dll": "sha256-i6iOwZtEGi1jKX5BS7V4Kk8mECmyZ8l49ewkm9Ik64E=",
      "System.Security.Cryptography.Algorithms.dll": "sha256-RLpI4SG0X+BmJMzdnl6YDepqNNnezyDys3pyTGWlEkI=",
      "System.Security.Cryptography.Cng.dll": "sha256-\/p2zCahEBOv3gbqd9XHRwVrL\/fUq8tH43+kjm7i1J\/I=",
      "System.Security.Cryptography.Csp.dll": "sha256-5kZPZt\/Q7PijslxzV+248xs\/IheEIclYiOI+4XMCbLM=",
      "System.Security.Cryptography.dll": "sha256-A0EGy+fyvbI6PCM1gzdpr\/jNhfYS5deVqnMdth3sLWA=",
      "System.Security.Cryptography.Encoding.dll": "sha256-TLpkd3NtthEaWBqHHShAVwYUIf26TiT4fO86Hig94Js=",
      "System.Security.Cryptography.Primitives.dll": "sha256-JILevD8ua6+qLJj8fU9Xymuzm2vr701AQnCKSlCKLjE=",
      "System.Security.Cryptography.X509Certificates.dll": "sha256-Tt6t3gSGKhS6w1kcDylF6h1UA+FrRey75wv1Dr88Ctc=",
      "System.Text.Encodings.Web.dll": "sha256-lwzvCAdo+KGRqRiuotyXVHSbpe7fuNSGMM0OMK0VbPk=",
      "System.Text.Json.dll": "sha256-ZgCOtGviIgH5dm9k+o2H8tL+gga3BjBCdmpl16zI2Xs=",
      "System.Text.RegularExpressions.dll": "sha256-A0Xkv8sUH8DOBuAI5Jwc9XCl\/F4IeSM57\/tzPba6HEU=",
      "System.Threading.dll": "sha256-J1ieNAafmr6H5LOMxJMuRKh3LGKtmT2upEU\/c5tnt68=",
      "System.Threading.Thread.dll": "sha256-pLV9qpTnD4J45AaN\/Z3QTnTPFGQwMI4mFEJaij83X3Q=",
      "System.Xml.ReaderWriter.dll": "sha256-9yumv+5QaTSARQB46DStO9vcXQyA3cPvv74jAta3lQA="
    },
    "extensions": null,
    "lazyAssembly": {
      "Blazorized.Helpers.dll": "sha256-ekLzpGbbVEn95uwSU2BGWpjosCK\/fqqQRjGFUW0jAQQ="
    },
    "libraryInitializers": null,
    "pdb": null,
    "runtime": {
      "dotnet.7.0.15.x46e81vra7.js": "sha256-MHuxwxeVFybuBBTAWeZrvoStZpW+H4ThSaRcFvrfqXM=",
      "dotnet.timezones.blat": "sha256-aHk3Pm2JXopn6UPLJtovAqIdIk8GyIMzGm450cli9UE=",
      "dotnet.wasm": "sha256-fMuaMGy\/7q8rXL+GyH9Gu04mJDwQ\/OSYXD9ezf+Fz4k=",
      "icudt_CJK.dat": "sha256-SZLtQnRc0JkwqHab0VUVP7T3uBPSeYzxzDnpxPpUnHk=",
      "icudt_EFIGS.dat": "sha256-8fItetYY8kQ0ww6oxwTLiT3oXlBwHKumbeP2pRF4yTc=",
      "icudt_no_CJK.dat": "sha256-L7sV7NEYP37\/Qr2FPCePo5cJqRgTXRwGHuwF5Q+0Nfs=",
      "icudt.dat": "sha256-tO5O5YzMTVSaKBboxAqezOQL9ewmupzV2JrB5Rkc8a4="
    },
    "runtimeAssets": {
      "dotnet.wasm": {
        "behavior": "dotnetwasm",
        "hash": "sha256-fMuaMGy\/7q8rXL+GyH9Gu04mJDwQ\/OSYXD9ezf+Fz4k="
      }
    },
    "satelliteResources": null
  }
}

Requesting it with cURL reveals interesting information about the target Blazor instance

Looking further, blazor.boot.json is indeed the initialization file for the instance: it lists every .NET assembly and runtime file the client downloads, each with a SHA-256 integrity hash, and lists Blazorized.Helpers.dll separately under lazyAssembly as a lazily loaded assembly
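The check a defender would run against a manifest like this, as an added example (not code from the page or the Blazorized project): flatten blazor.boot.json into its listed resources, pick out the lazily loaded assemblies, and verify fetched bytes against the `sha256-` Subresource Integrity hashes. The manifest and file bytes below are a constructed miniature in the same shape as the target's; the `fetch` callable stands in for an HTTP GET of /_framework/<name>.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

def sri_sha256(data: bytes) -> str:
    """Hash in the Subresource Integrity form used by blazor.boot.json:
    'sha256-' followed by the standard base64 of the SHA-256 digest."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def list_resources(manifest: dict) -> List[Tuple[str, str, str]]:
    """Flatten the manifest into (section, file name, expected hash) triples.
    Covers the flat name->hash sections plus runtimeAssets, whose values are
    objects carrying a 'hash' field."""
    out = []
    res = manifest.get("resources", {})
    for section in ("assembly", "lazyAssembly", "runtime"):
        for name, expected in (res.get(section) or {}).items():
            out.append((section, name, expected))
    for name, meta in (res.get("runtimeAssets") or {}).items():
        out.append(("runtimeAssets", name, meta["hash"]))
    return out

def lazy_assemblies(manifest: dict) -> List[str]:
    """Assemblies the client fetches on demand rather than at page load, so a
    passive crawl of the initial load will not have seen them."""
    return sorted((manifest.get("resources", {}).get("lazyAssembly") or {}).keys())

def verify_resources(manifest: dict, fetch: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Compare each listed file with its manifest hash. `fetch(name)` returns the
    served bytes or None; a real run would GET /_framework/<name>."""
    results: Dict[str, str] = {}
    for _section, name, expected in list_resources(manifest):
        data = fetch(name)
        if data is None:
            results[name] = "missing"
        elif sri_sha256(data) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results

# Constructed fixture: fake assembly bytes and a manifest built from them. The
# real manifest on the page lists about seventy files in the same sections.
FAKE_FILES = {
    "Blazorized.DigitalGarden.dll": b"MZ\x90\x00constructed-entry-assembly",
    "Blazorized.Shared.dll": b"MZ\x90\x00constructed-shared",
    "Blazorized.Helpers.dll": b"MZ\x90\x00constructed-lazy-helper",
    "dotnet.wasm": b"\x00asm\x01\x00\x00\x00constructed",
}
DEMO_MANIFEST = {
    "entryAssembly": "Blazorized.DigitalGarden",
    "resources": {
        "assembly": {n: sri_sha256(FAKE_FILES[n])
                     for n in ("Blazorized.DigitalGarden.dll", "Blazorized.Shared.dll")},
        "lazyAssembly": {"Blazorized.Helpers.dll": sri_sha256(FAKE_FILES["Blazorized.Helpers.dll"])},
        "runtime": {"dotnet.wasm": sri_sha256(FAKE_FILES["dotnet.wasm"])},
        "runtimeAssets": {"dotnet.wasm": {"behavior": "dotnetwasm",
                                          "hash": sri_sha256(FAKE_FILES["dotnet.wasm"])}},
    },
}

def demo() -> Dict[str, str]:
    """Verify the fixture with the lazy helper tampered and one file never served."""
    served = dict(FAKE_FILES)
    served["Blazorized.Helpers.dll"] = served["Blazorized.Helpers.dll"] + b"\xcc"
    del served["Blazorized.Shared.dll"]
    return verify_resources(DEMO_MANIFEST, served.get)

if __name__ == "__main__":
    print("lazy:", lazy_assemblies(DEMO_MANIFEST))
    for name, status in demo().items():
        print(f"{status:8} {name}")
```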

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u 'http://blazorized.htb/FUZZ' -ic -fs 1542
________________________________________________
 :: Method           : GET
 :: URL              : http://blazorized.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 1542
________________________________________________
:: Progress: [1273820/1273820] :: Job [1/1] :: 861 req/sec :: Duration: [0:19:33] :: Errors: 0 ::

ffuf found nothing

Virtual Hosts / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://$IP/ -H 'Host: FUZZ.blazorized.htb' -ic -mc all -fc 302
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.22/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.blazorized.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: all
 :: Filter           : Response status: 302
________________________________________________
admin                   [Status: 200, Size: 2012, Words: 149, Lines: 28, Duration: 133ms]
api                     [Status: 404, Size: 0, Words: 1, Lines: 1, Duration: 156ms]
:: Progress: [114437/114437] :: Job [1/1] :: 193 req/sec :: Duration: [0:01:31] :: Errors: 0 ::

ffuf found an additional virtual host / sub-domain: admin.blazorized.htb

The /etc/hosts file on Kali has been updated

admin.blazorized.htb