From file upload to email:pass

fr0stNuLL
May 24, 2019 · 3 min read

Hi everybody, today I want to show you a cool experience that I had while doing a pentest in a private program. First of all, I have redacted all of the company's sensitive information. Let’s go...

First, there was a form through which a non-authenticated user could send information about errors or suggestions for the application, and in this form it was also possible to upload files, as in the image below:

Image for post

From the response headers I knew it was a Microsoft server, so I uploaded a reverse shell in .asp (more info on how to create web shells here) and put the .png at the end of the .asp file, as illustrated below:

Image for post

However, the application did not let me upload it, so I set the Content-Type header to png, deleted the .png that I had placed before, and it worked, as illustrated below:

Image for post
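
A server-side check that rejects both upload attempts described above, shown as an added example (not code from the original post or from the tested application): it ignores the client-supplied Content-Type, allowlists the final extension, verifies the magic bytes and renames the file. The function names, the allowlist and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes their content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename, content_type, data):
    """Assumed shape of a flawed check: trusts the client-supplied header."""
    return content_type.startswith("image/")


def safe_store_name(filename, content_type, data):
    """Return a server-generated name for an acceptable upload, else None.

    content_type is deliberately ignored: the client controls it.
    """
    # Drop any path component, then look only at the final extension.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return None  # .asp, .aspx, no extension, ...
    if not data.startswith(signatures):
        return None  # extension says image, content does not
    # Never reuse the client's name; keep only the allowlisted extension.
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not taken from the original post).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<% Response.Write(1) %>"
SAMPLES = [
    ("photo.png", "image/png", PNG),
    ("shell.asp", "image/png", SCRIPT),      # header spoofed, as in the post
    ("shell.asp.png", "image/png", SCRIPT),  # image extension, script body
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, weak_check(name, ctype, body), safe_store_name(name, ctype, body))
```

Accepted files should additionally be written to a directory where the web server does not execute scripts, so that a file slipping past validation is still served as static content.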

Through the application response I was able to get the location where my reverse shell was placed, so I copied the path, put the password and we got a reverse shell, as follows:

Image for post
Image for post

The next step was to check which users had administrative privileges in the environment, so I used the (net group "Domain Admins" /domain) command. As a result, all domain administrators are shown. The image below demonstrates this:

Image for post

After searching for sensitive files like passwords, backup files and other things, I came across the database connection string:

Image for post

By opening the database connection string file, it was possible to obtain the database password and login, as shown below:

Image for post

Finally, after obtaining the access credentials for the database, I entered the previously collected information in the reverse shell and ran a query against that database, and as a result I was able to obtain the password of the administrator of the application and the other users:

Image for post

So that’s it, folks. This was simple; I hope I have contributed a bit xD.

Sharing is Caring

best regards, fr0stNuLL
