From file upload to email:pass
Hi everybody, today I want to show you a cool experience that I had, doing a Pentest in a private program. First of all, I overshadowed all the sensitive information of the company. Let’s go...
First, there was a form that a non-authenticated user could send information about errors or suggestions of the application and in this form it was also possible to upload files like the image bellow:
Through the request response headers I knew it was a Microsoft server, so I uploaded a reverse shell in .asp (more info how to create web shells here) and put the .png at the end of the .asp file, as illustrated below:
however, the application did not let me upload, so I put the Content-type header as png, deleted the .png that I had placed before and it worked, as illustrated below:
Through the application response I was able to get the location where my reverse shell was placed, so I copied the path, put the password and we got a reverse shell, as follows:
The next step was to check which were the users with administrative privileges in the environment so I used the (net group “Domain Admins” / domain) command. And as a result all domain administrators are shown. The image below demonstrates the fact:
After searching for sensitive files like passwords, backup files and other things, I came across the database connection string:
By opening the database connection string file, it was possible to obtain the database password and login, as shown below:
Finally, after obtaining the credentials of access to the database, in the reverse shell I put the information collected previously and I made a query in the database mentioned, and as a result I was able to obtain the password of the administrator of the application and the other users:
So that’s it folks. This was simple I hope to have contributed a bit with you xD.
Sharing is Caring
best regards, fr0stNuLL