🟢Learning Objective 9
Task
In the Attack Lab:
Find and exploit the File Upload vulnerability and execute OS-level commands on the contact application (https://contactpharmacorp.azurewebsites.net/)
Extract the information from the Application settings
Applies to: Attack Lab
Topic Covered: Insecure File Upload Vulnerability Exploitation and Information Extraction
https://contactpharmacorp.azurewebsites.net/

After investigating the source code, it is possible to identify the folder where all uploads are sent:

https://contactpharmacorp.azurewebsites.net/upload


Open Burp Suite and bypass the upload filter using a / in the extension.

We can now use our webshell and execute cmd commands. Testing with the command whoami, it is possible to verify that our webshell is running as:
iis apppool\contactpharmcorp

Since we can execute commands, let's extract our best friends: the environment variables.
cmd.exe /c set
URL encoded:
%63%6d%64%2e%65%78%65%20%2f%63%20%73%65%74%20
After extracting the environment variables, we found a new resource on the sub-domain: https://analytics.pharmacorphq.com/
PUBLIC=C:\Users\Public
AnalyticsAppServiceEndpoint=https://analytics.pharmacorphq.com/
APPSETTING_AnalyticsAppServiceEndpoint=https://analytics.pharmacorphq.com/
Lessons Learned
Extract environment variables and get an OS command injection.
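
Seen from the defender's side, the requests in this walkthrough leave recognisable traces in the web server log. The following is an added example, not part of the original lab material, that flags them in constructed log lines; the simplified log layout, the script name example.aspx and the parameter name c are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "method path query status" layout.
# The script name, parameter name and layout are assumptions, not lab data.
SAMPLE_LOG = """\
GET /upload/logo.png - 200
GET /upload/example.aspx c=%63%6d%64%2e%65%78%65%20%2f%63%20%73%65%74%20 200
GET /contact name=Ana%20Silva 200
GET /upload/example.aspx c=whoami 200
"""

UPLOAD_PREFIX = "/upload/"
STATIC_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
# Letters, digits and - . _ ~ never need percent-encoding, so seeing them
# encoded (as in the cmd.exe request above) suggests deliberate obfuscation.
ENCODED_UNRESERVED = re.compile(
    r"%(?:2[dDeE]|3[0-9]|4[1-9a-fA-F]|5[0-9aAfF]|6[1-9a-fA-F]|7[0-9aAeE])")
COMMAND_HINTS = re.compile(r"\b(cmd(\.exe)?|powershell(\.exe)?|whoami)\b", re.I)


def inspect(line):
    """Return the reasons a request looks like web shell use (empty if none)."""
    method, path, query, status = line.split()
    reasons = []
    lower = path.lower()
    if lower.startswith(UPLOAD_PREFIX):
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext not in STATIC_EXT:
            reasons.append("non-static file requested from upload folder")
    if query != "-":
        if ENCODED_UNRESERVED.search(query):
            reasons.append("unreserved characters percent-encoded")
        if COMMAND_HINTS.search(unquote(query)):
            reasons.append("command interpreter in decoded query")
    return reasons


def scan(log_text):
    """Map 1-based line numbers to their reasons, for flagged lines only."""
    return {n: r for n, line in enumerate(log_text.splitlines(), 1)
            if (r := inspect(line))}


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, "; ".join(reasons))
```

The first rule is the strongest signal on its own: an upload folder that only ever serves static files should never answer a request for a script.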