DepthB2R

date

Validierung

15 Compromissions 26%

Bewertung  Bewertung

0 Bewerten

Beschreibung

Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client’s internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn’t match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.

I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it.

Zeit der Kompromittierung

4 Stunden

Betriebssystem

 linux

diese virtuelle Umgebung starten

Ergebnisse des CTF alltheday Ergebnisse des CTF alltheday für DepthB2R

Nickname Virtual Machine Anzahl der Angreifer Begonnen am Maschine kompromittiert in
- DepthB2R 0 29. November 2018 zu  21:10 -
- DepthB2R 0 29. November 2018 zu  20:53 -