Exploiting Time-Based RCE

[Image: Checking the time]

In a recent penetration testing project we encountered a situation where, in order to prove exploitability and possible damage, we had to exfiltrate data from an isolated server using a time-based OS command injection attack.

The scope of the project was an API. During the testing process we identified an interesting GET request that received two parameters: the first a string and the other an ID number.

By fuzzing the string parameter, at first it looked like we had a potential SQL injection, based on the way it handled single quotes. Trying this attack vector didn’t seem successful, but when we sent the `sleep 10` command and the HTTP response returned 10 seconds later, we knew we had something. Our first thought was that this was game over for the application: we had managed to get Remote Code Execution on the API server.


Scripting Metasploit for a Real-Life Pentest

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we describe the process of creating and running such a script.

A bit of context

During our penetration test we managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Using Robert’s credentials, we managed to create a low-privileged domain user, which we’ll refer to from here on as OurUser, but we were not able to add it to the Domain Admins group.
