DepthB2R

date

Validierung

15 Compromissions 26%

Bewertung  Bewertung

1
2
3
4
5
0 Bewerten

Beschreibung

Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client’s internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn’t match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.

I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it.

Zeit der Kompromittierung

4 Stunden

Betriebssystem

 linux

diese virtuelle Umgebung starten

Ergebnisse des CTF alltheday Ergebnisse des CTF alltheday für DepthB2R

Nickname Virtual Machine Anzahl der Angreifer Begonnen am Maschine kompromittiert in
- DepthB2R 0 29. November 2018 zu  21:10 -
- DepthB2R 0 29. November 2018 zu  20:53 -

 176 Virtuals Environnements

Ergebnis Name Validierung Schwierigkeitsgrad  Schwierigkeitsgrad Autor Bewertung  Bewertung
pas_valide Metasploitable 2 40% 8607
pas_valide Basic pentesting 1 32% 4704
pas_valide LAMP security CTF5 25% 3888
pas_valide Docker - I am groot 51% 3072 Ech0
pas_valide LAMP security CTF4 35% 2723
pas_valide SSH Agent Hijacking 26% 2379 mayfly
pas_valide SSRF Box 18% 1803 sambecks
pas_valide Metasploitable 12% 1730
pas_valide Mr. Robot 1 21% 1639
pas_valide End Droid 35% 1294
pas_valide Imagick 22% 1045 sambecks
pas_valide SamBox v2 13% 985 sambecks
pas_valide Kioptrix level 2 25% 972
pas_valide Docker - Sys-Admin’s Docker 40% 958 Ech0
pas_valide LAMP security CTF7 39% 891
pas_valide VulnVoIP 17% 852
pas_valide SamBox v1 7% 723 sambecks
pas_valide Docker - Talk through me 42% 649 Ech0
pas_valide Well-Known 10% 623 sm0k
pas_valide Django unchained 22% 618 TiWim
pas_valide LAMP security CTF6 18% 606
pas_valide Windows - Group Policy Preferences Passwords 25% 592
pas_valide Kioptrix level 3 32% 575
pas_valide Shared Objects Hijacking 13% 566 das
pas_valide BreakingRootme2020 15% 518 Laluka
pas_valide Awky 8% 497 sbrk
pas_valide Windows XP pro 01 5% 496 g0uZ
pas_valide Rootkit Cold Case 16% 467 franb
pas_valide Kioptrix level 4 35% 462
pas_valide Windows - KerbeRoast 18% 459
pas_valide Websocket - 0 protection 6% 442 Worty
pas_valide Bluebox - Microsoft Pentest 4% 419
pas_valide Windows - ASRepRoast 35% 419
pas_valide pWnOS 32% 401
pas_valide Hackademic RTB1 19% 364
pas_valide DC-1 15% 348
pas_valide SamBox v3 5% 334 sambecks
pas_valide Bluebox 2 - Pentest 3% 308 sambecks
pas_valide Exploit KB Vulnerable Web App 12% 306
pas_valide SAP Pentest 7% 293 iggy
pas_valide Holynix v1 24% 292
pas_valide LAMP security CTF8 14% 291
pas_valide /dev/random : Pipe 5% 236
pas_valide A bittersweet shellfony 12% 233 mayfly
pas_valide LordoftheRoot 25% 230
pas_valide Hopital Bozobe 8% 228 sambecks
pas_valide Acid: Server 12% 219
pas_valide FristiLeaks 1.3 28% 215
pas_valide SkyTower 24% 213
pas_valide Ubuntu 8.04 weak 5% 206 g0uZ