I hacked the military.
A system containing the information of military personnel.
Yet, the hack was done legally.
Here's how I did it and how it was done legally:
A system containing the information of military personnel.
Yet, the hack was done legally.
Here's how I did it and how it was done legally:
1. I came across an Army server running ASP .NET
The application was a Learning Management System (LMS).
If you’ve been in school in the past 10-15 years, you’ve likely used one: Moodle, Canvas, D2L, Blackboard, etc.
This LMS allowed anonymous registration.
So I registered!
The application was a Learning Management System (LMS).
If you’ve been in school in the past 10-15 years, you’ve likely used one: Moodle, Canvas, D2L, Blackboard, etc.
This LMS allowed anonymous registration.
So I registered!
2. I proxied my HTTP traffic through Burp Suite and started using the application.
I clicked every button, filled out forms, and even took a test.
Enumerating the site’s functionality.
The more you know about how an application works, the easier it is to find vulnerabilities.
I clicked every button, filled out forms, and even took a test.
Enumerating the site’s functionality.
The more you know about how an application works, the easier it is to find vulnerabilities.
3. After reading through javascript & directory brute-forcing, I came across the endpoint:
“/base/courseware/scorm/management/scorm2004uploadcourse.aspx”
It allowed an administrator to create a new course by uploading a SCORM course package.
What the heck is SCORM?
“/base/courseware/scorm/management/scorm2004uploadcourse.aspx”
It allowed an administrator to create a new course by uploading a SCORM course package.
What the heck is SCORM?
4. SCORM stands for “Sharable Content Object Reference Model”.
It’s a standard format for courses that any learning management system will understand.
To break it down to its simplest, they’re just zip files:
It’s a standard format for courses that any learning management system will understand.
To break it down to its simplest, they’re just zip files:
5. They contain an XML file named “imsmanifest.xml” which:
a) Describes the course
b) Specifies files for each learning activity.
The zip also contains all of the resources that make up the course material.
Typically HTML, JS, and CSS files, occasionally .swf files
a) Describes the course
b) Specifies files for each learning activity.
The zip also contains all of the resources that make up the course material.
Typically HTML, JS, and CSS files, occasionally .swf files
6. You create your course in HTML & JS, etc.
a) List file names in the XML
b) Zip the entire folder
c) Upload the zip to your LMS.
While I could hit this endpoint, I wasn't sure if the creation would be successful.
As a non-privileged user, I shouldn’t be able to create one.
a) List file names in the XML
b) Zip the entire folder
c) Upload the zip to your LMS.
While I could hit this endpoint, I wasn't sure if the creation would be successful.
As a non-privileged user, I shouldn’t be able to create one.
7. So what should I try to upload?
Arbitrary HTML/JS would lead to stored cross-site scripting.
But that's really not interesting to me.
Remember, this was running ASP.NET
What about an .aspx file?
That would likely result in code execution!
Arbitrary HTML/JS would lead to stored cross-site scripting.
But that's really not interesting to me.
Remember, this was running ASP.NET
What about an .aspx file?
That would likely result in code execution!
8. I found an example SCORM2004 course online and downloaded it.
I created an ASPX shell that took the parameter ?c= and executed the command.
I named it `cdlcdlcdl.aspx`, then specified the file name in `imsmanifest.xml`
I re-zipped the folder, so that it was valid SCORM2004.
I created an ASPX shell that took the parameter ?c= and executed the command.
I named it `cdlcdlcdl.aspx`, then specified the file name in `imsmanifest.xml`
I re-zipped the folder, so that it was valid SCORM2004.
9. I tried uploading the package.
Would it actually create a course?
Even if it did, would I be able to find WHERE it was uploaded to?
If I could find where it uploaded, would the ASPX even execute?
Would it actually create a course?
Even if it did, would I be able to find WHERE it was uploaded to?
If I could find where it uploaded, would the ASPX even execute?
10. It worked.
In the response, the application listed a URL for the base directory of the course:
/shared/F6BAC72B45D64B34ACB662BB001D8523/
I named my shell cdlcdlcdl.aspx, so I tried:
/shared/F6BAC72B45D64B34ACB662BB001D8523/cdlcdlcdl.aspx?c=whoami
The command executed:
In the response, the application listed a URL for the base directory of the course:
/shared/F6BAC72B45D64B34ACB662BB001D8523/
I named my shell cdlcdlcdl.aspx, so I tried:
/shared/F6BAC72B45D64B34ACB662BB001D8523/cdlcdlcdl.aspx?c=whoami
The command executed:
11. How could this be legal?
A small number of ethical hackers are invited to find vulnerabilities & report them during joint bug bounty challenges between @Hacker0x01 & @DeptofDefense
I've won the challenges:
• Hack the Proxy
• Hack the Army 2.0
• Hack the Army 3.0
So,
A small number of ethical hackers are invited to find vulnerabilities & report them during joint bug bounty challenges between @Hacker0x01 & @DeptofDefense
I've won the challenges:
• Hack the Proxy
• Hack the Army 2.0
• Hack the Army 3.0
So,
12. I reported it & was awarded a bounty. One of many!
Want to hear more about securing US Defense assets?
On Jan 31st, I'll be chatting w/ @Hacker0x01's CTO @senorarroz
about securing US Defense assets!
Register here in advance:
ow.ly/Ngx050MqvmM
Want to hear more about securing US Defense assets?
On Jan 31st, I'll be chatting w/ @Hacker0x01's CTO @senorarroz
about securing US Defense assets!
Register here in advance:
ow.ly/Ngx050MqvmM
PS: Do your employees struggle to catch phishing emails?
I need your help – I want to have conversations about how you're currently tackling it.
Why? I'm trying to build a better solution.
If willing, please:
• Join the @BreachlessAI waitlist
• Shoot me a message
I need your help – I want to have conversations about how you're currently tackling it.
Why? I'm trying to build a better solution.
If willing, please:
• Join the @BreachlessAI waitlist
• Shoot me a message
Lessons:
1. Be curious
2. Take your curiosity and learn something new.
3. Target ASP .NET apps ;)
1. Be curious
2. Take your curiosity and learn something new.
3. Target ASP .NET apps ;)
https://twitter.com/hacker_/status/1618987654233866246
• • •
Missing some Tweet in this thread? You can try to
force a refresh
