DepthB2R

日期

Validations

15 Compromissions 26%

Note  Notation

1
2
3
4
5
0 vote

Description

Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client’s internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn’t match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.

I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it.

Temps de compromission

4 heures

Système d'exploitation

 linux

démarrer cet environnement virtuel

Résultats du CTF alltheday Résultats du CTF alltheday pour DepthB2R

Pseudonyme Environnement Virtuel Nombre d'attaquant Date de début Environnement compromis en
- DepthB2R 0 2018年11月29日 to 21:10 -
- DepthB2R 0 2018年11月29日 to 20:53 -

 176 Environnements Virtuels

Résultats 名字 Validations Difficulté  Difficulté 作者 Note  Notation
pas_valide Challenge SecuriTech 1% 13
pas_valide Windows XP pro 01 5% 496 g0uZ
pas_valide Exploit KB Vulnerable Web App 12% 306
pas_valide Holynix v1 24% 292
pas_valide Kioptrix level 2 25% 972
pas_valide Kioptrix level 3 32% 575
pas_valide Kioptrix level 4 35% 462
pas_valide LAMP security CTF4 35% 2723
pas_valide LAMP security CTF5 25% 3888
pas_valide LAMP security CTF6 18% 606
pas_valide Metasploitable 12% 1730
pas_valide Metasploitable 2 40% 8607
pas_valide Moth 20% 107
pas_valide pWnOS 32% 401
pas_valide Ubuntu 8.04 weak 5% 206 g0uZ
pas_valide Ultimate LAMP 18% 148
pas_valide VulnVoIP 17% 852
pas_valide VulnVPN 12% 60
pas_valide LAMP security CTF8 14% 291
pas_valide LAMP security CTF7 39% 891
pas_valide Hackademic RTB1 19% 364
pas_valide No Exploiting Me 14% 54
pas_valide SamBox v1 7% 723 sambecks
pas_valide SamBox v2 13% 985 sambecks
pas_valide RA1NXing Bots 7% 16
pas_valide Murdering Dexter 16% 49
pas_valide LoBOTomy 4% 9
pas_valide Vulnix 2% 13
pas_valide Xerxes 3% 18
pas_valide Infernal Hades 6% 15
pas_valide SkyTower 24% 213
pas_valide Bluebox - Microsoft Pentest 4% 419
pas_valide Acid: Reloaded 18% 176
pas_valide Acid: Server 12% 219
pas_valide CsharpVulnJson 6% 14 notfound404
pas_valide CsharpVulnSoap 9% 8
pas_valide /dev/random : Pipe 5% 236
pas_valide /dev/random : Relativity 7% 97
pas_valide /dev/random : Sleepy 4% 44
pas_valide brainpan1 4% 82
pas_valide LordoftheRoot 25% 230
pas_valide Flick 1 8% 64
pas_valide Flick 2 10% 10
pas_valide FristiLeaks 1.3 28% 215
pas_valide The Purge 5% 14
pas_valide SickOs: 1.1 13% 91
pas_valide Xerxes: 2.0.1 13% 20
pas_valide brainpan2 9% 22
pas_valide brainpan3 6% 6
pas_valide SAP Pentest 7% 293 iggy