Sales Order Client
ps c:\Users\admin\Desktop\Sales Order Client> cp \\10.1.1.2\smb\* .
ps c:\Users\admin\Desktop\Sales Order Client> ls
directory: C:\Users\admin\Desktop\Sales Order Client
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/20/2023 6:34 PM 86528 ScrambleClient.exe
-a---- 11/20/2023 6:34 PM 19456 ScrambleLib.dllPorting out the executables to a Windows environment over SMB
Executing the ScrambleClient.exe file prompts a familiar authentication window
This is the client-side program for the Sales Order application that I initially saw during the web enumeration phase
I will set the server to the FQDN of the target system and also enable the debug logging
However, the app returned an error that the credential is invalid
I tried different credentials, yet the result is the same
Another interesting thing to note is that a log file is generated; ScrambleDebugLog.txt
config.ini file is also generated alongside
The file appears to represent the server setting
I will load up the program into dnSpy and try decompiling it
Decompile
Opening them up in dnSpy
The ScrambleClient.exe file largely consists of 5 classes
On the other hand, there are 6 classes within the DLL file
Hidden Authentication Bypass
I found a very interesting conditional statement within the ScrambleNetClient.Logon function
It would appear that there is a hidden developer logon option
The Authentication is bypassed if scrmdev is supplied to the Username field
I will test it out
Attempting to bypass the authentication with scrmdev in the Username field
I will be capturing the network traffic with Wireshark
Upon inspecting, I came to a conclusion that the authentication bypass itself does not create any outbound traffic as it is baked into the client-side application
Outstanding Orders
It worked as the authentication is bypassed.
A new GUI window is presented, outlining the order status in the Outstanding Orders tab
2 users can be found within the status; jhall and sjenkins
Wireshark was running in the background. I will check the captured packets to dig deeper
Network Traffic Analysis (Outstanding Orders)
There’s been a total of 13 packet exchanges
those that are in the ignored state are tcp 3 way handshakes
The rest are packet 4-9
packet 4 (Outstanding Orders)
The packet 4 seems to be the header string sent by the server-side application; SCRAMBLECORP_ORDER S_V1.0.3
I remember the header string when I attempted to interact with the server-side application on the target port 4411 via Netcat earlier
packet 5 (Outstanding Orders)
The packet 5 contains LIST_ORDER in the data field
looking back at the source code, list_orders is a string associated with the scramblenetrequest.requesttype.listorders enumeration
It’s likely there for the server-side application to identify the incoming data
packet 6 (Outstanding Orders)
In response to the packet 5 above, the server-side application sent back a hefty amount of 1338 bytes long data
The data appears to be in the base64 format
SUCCESS is likely the header string much like those in the previous packets
I will grab the base64 string portion
Looking further into the base64 string, it seems to contain 2 sections separated by the ’|’ character.
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ cat base64 | base64 -d
����
BScrambleLib, Version=1.0.3.0, Culture=neutral, PublicKeyToken=nullScrambleLib.SalesOrder
_IsComplete_ReferenceNumber_QuoteReference _SalesRep
_OrderItem_DueDate
_TotalCostSystem.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
SCRMSO3601
SCRMQU91872J Hall @��i r@System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]_items_siz_version
����
BScrambleLib, Version=1.0.3.0, Culture=neutral, PublicKeyToken=nullScrambleLib.SalesOrder
_IsComplete_ReferenceNumber_QuoteReference _SalesRep
_OrderItem_DueDate
_TotalCostSystem.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
SCRMSO3749
SCRMQU92210 base64: invalid inputI have separated those 2 sections and decoded them.
The result appears to contain serialized binary data, possibly representing objects or types in the .NET framework
Interestingly, jhall can be seen among the data.
- This suggest that this serialized binary data is representation of the order status in the Outstanding Orders tab above
packet 7 (Outstanding Orders)
The packet 7 does not contain any data
packet 8 (Outstanding Orders)
The packet 8 appears to be part of the same stream of data that the packet 6 carried as their ack attributes are set to 14
On the contrast, the data is 293-byte long, contains a base64 string
I will append that to the base64 string from the packet 6
Combining both base64 strings from packet 6 and packet 8, it becomes this.
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ cat base64 | base64 -d
BScrambleLib, Version=1.0.3.0, Culture=neutral, PublicKeyToken=nullScrambleLib.SalesOrder
_IsComplete_ReferenceNumber_QuoteReference _SalesRep
_OrderItem_DueDate
_TotalCostSystem.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
SCRMSO3601
SCRMQU91872J Hall @��i r@System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]_items_siz_version
BScrambleLib, Version=1.0.3.0, Culture=neutral, PublicKeyToken=nullScrambleLib.SalesOrder
_IsComplete_ReferenceNumber_QuoteReference _SalesRep
_OrderItem_DueDate
_TotalCostSystem.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
SCRMSO3749
SCRMQU92210 S Jenkins �;��P�@System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]_items_siz_versionIt’s still the same serialized binary data that doesn’t appear to give out any critical information
Additionally, sjenkins can be found in the data, indicating that this serialized binary data is representation of the order status in the Outstanding Orders tab above
packet 9 (Outstanding Orders)
The packet 9 carries the data containing the string following;QUIT
It appears to terminate the communication
New Order
The New Order tab contains what appears to be a submission form for creating an order
I will try uploading some arbitrary data while Wireshark is running in the background
Network Traffic Analysis (New Order)
There’s been a total of 11 packets
Packet 4 (New Order)
The packet 4 seems to be the same header string sent by the server-side application; SCRAMBLECORP_ORDER S_V1.0.3
Packet 5 (New Order)
The packet 5 is sent from the client-side application to the server-side application
It contains 802 bytes of base64 string and is likely the uploaded data
It starts with UPLOAD_ORDER
the string, upload_order, is part of the scramblenetclient.uploadorder function and is associated with the scramblenetrequest.requesttype.uploadorder enumeration
I will grab the base64 string and attempt to decode it
It would need some cleaning
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ cat base64
AQAAAAAAAAAMAgAAAEJTY3JhbWJsZUxpYiwgVmVyc2lvbj0xLjAuMy4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGwFAQAAABZTY3JhbWJsZUxpYi5TYWxlc09yZGVyBwAAAAtfSXNDb21wbGV0ZRBfUmVmZXJlbmNlTnVtYmVyD19RdW90ZVJlZmVyZW5jZQlfU2FsZXNSZXALX09yZGVySXRlbXMIX0R1ZURhdGUKX1RvdGFsQ29zdAABAQEDAAABf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0NBgIAAAAABgMAAAADMTIzBgQAAAADMTIzBgUAAAAGSiBIYWxsCQYAAAAAQKejW+nbCAAAAAAAwF5ABAYAAAB/U3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQMAAAAGX2l0ZW1zBV9zaXplCF92ZXJzaW9uBgAACAgJBwAAAAAAAAAAAAAAEQcAAAAAAAAACw==
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ cat base64 | base64 -d
BScrambleLib, Version=1.0.3.0, Culture=neutral, PublicKeyToken=nullScrambleLib.SalesOrder
_IsComplete_ReferenceNumber_QuoteReference _SalesRep
_OrderItem_DueDate
_TotalCostSystem.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neu123123J HallKeyT@��[��^@System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]_items_siz_versionThe decoded text is the serialized binary data that was seen earlier in both packet 6 and packet 8
Packet 6 (New Order)
The packet 6 is the response from the server-side application
It contains the string; SUCCESS
Packet 7 (New Order)
The packet 7 is sent from the client-side application to the server-side application, likely to terminate the communication. Much like in the packet 9 earlier
Log
The log file is populated with all the information enumerated from Wireshark
Interesting thing is that it uses Binary Formatter for both serialization and deserialization
Binary Formatter
checking back at the source code, i can confirm the use of binary formatter in the Sales Order app. Precisely, it’s loaded on to the SalesOrder class of the ScrambleLib.dll file
according to the official microsoft documentation, the [Binary Formatter](Binary Formatter) in .NET is a serialization mechanism that is notorious for being exploited by attackers for remote code execution in deserialization attacks. Adversaries may manipulate serialized objects to execute arbitrary code during the deserialization process, leading to potential security vulnerabilities. These attacks can be severe, allowing unauthorized code execution in applications using [Binary Formatter]([Binary Formatter](Binary Formatter)). Security best practices include validating and restricting deserialization input, avoiding the use of Binary Formatter in untrusted environments, and implementing proper code review and monitoring for potential vulnerabilities.
Moving on to the Privilege Escalation phase