From file upload to email:pass

Hi everybody, today I want to show you a cool experience that I had, doing a Pentest in a private program. First of all, I overshadowed all the sensitive information of the company. Let’s go...

First, there was a form that a non-authenticated user could send information about errors or suggestions of the application and in this form it was also possible to upload files like the image bellow:

Through the request response headers I knew it was a Microsoft server, so I uploaded a reverse shell in .asp (more info how to create web shells here) and put the .png at the end of the .asp file, as illustrated below:

however, the application did not let me upload, so I put the Content-type header as png, deleted the .png that I had placed before and it worked, as illustrated below:

Through the application response I was able to get the location where my reverse shell was placed, so I copied the path, put the password and we got a reverse shell, as follows:

The next step was to check which were the users with administrative privileges in the environment so I used the (net group “Domain Admins” / domain) command. And as a result all domain administrators are shown. The image below demonstrates the fact:

After searching for sensitive files like passwords, backup files and other things, I came across the database connection string:

By opening the database connection string file, it was possible to obtain the database password and login, as shown below:

Finally, after obtaining the credentials of access to the database, in the reverse shell I put the information collected previously and I made a query in the database mentioned, and as a result I was able to obtain the password of the administrator of the application and the other users:

So that’s it folks. This was simple I hope to have contributed a bit with you xD.

Sharing is Caring

best regards, fr0stNuLL